Analyzing traffic patterns to detect infectious messages
Abstract
Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.
18 Claims
1. A method for classifying an electronic-mail message, the method comprising:
- storing a plurality of previously received messages in memory, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
- receiving a message sent over a communication network; and
- executing instructions stored in memory, wherein execution of the instructions by a processor;
  - determines that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages,
  - determines that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message, and
  - classifies the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for classifying an electronic-mail message, the system comprising:
- memory for storing a plurality of previously received messages in memory, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
- a mail server for receiving a message sent over a communication network; and
- a network device coupled to the mail server, the network device including a processor for executing instructions stored in memory, wherein execution of the instructions by the processor;
  - determines that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages,
  - determines that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message, and
  - classifies the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.

Dependent claims: 10, 12, 13, 14, 15, 16, 17, 18
11. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for classifying an electronic-mail message, the method comprising:
- storing a plurality of previously received messages, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
- receiving a message sent over a communication network;
- determining that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages;
- determining that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message; and
- classifying the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.
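The classification flow recited in the independent claims, as an added Python example that is not code from the patent. The threshold values, the `fingerprint` similarity key and the upstream probability score are assumptions; the claims do not specify how similarity or the probability is computed.

```python
from dataclasses import dataclass, field

# Assumed values; the claims only require that such thresholds exist.
LEGIT_BELOW = 0.2        # probability threshold for legitimate classification
INFECTIOUS_FROM = 0.9    # probability threshold for infectious classification
MESSAGE_THRESHOLD = 3    # predefined count of similar suspicious messages

@dataclass(frozen=True)
class Message:
    msg_id: str
    fingerprint: str     # hypothetical similarity key (e.g. attachment name and size)
    probability: float   # probability of infection from an upstream scanner (assumed)

def individual_class(msg):
    """Classify one message from its own probability of infection."""
    if msg.probability < LEGIT_BELOW:
        return "legitimate"
    if msg.probability >= INFECTIOUS_FROM:
        return "infectious"
    return "suspicious"  # between the two probability thresholds

@dataclass
class TrafficClassifier:
    suspicious_store: list = field(default_factory=list)  # previously received suspicious messages

    def classify(self, msg):
        verdict = individual_class(msg)
        if verdict != "suspicious":
            return verdict
        similar = [m for m in self.suspicious_store if m.fingerprint == msg.fingerprint]
        self.suspicious_store.append(msg)
        total = len(similar) + 1  # the count includes the received message
        # The claim text says both "exceeded" and "met"; this example uses "met" (>=).
        return "infectious" if total >= MESSAGE_THRESHOLD else "suspicious"

def run_sample():
    """Classify a constructed message stream and return the verdicts in order."""
    stream = [
        Message("m1", "invoice.zip:48211", 0.50),
        Message("m2", "invoice.zip:48211", 0.10),
        Message("m3", "invoice.zip:48211", 0.60),
        Message("m4", "photo.scr:9120", 0.40),
        Message("m5", "invoice.zip:48211", 0.55),
        Message("m6", "update.exe:77003", 0.95),
    ]
    clf = TrafficClassifier()
    return [clf.classify(m) for m in stream]

if __name__ == "__main__":
    print(run_sample())
```

Message `m5` is only suspicious on its own score, but it is the third similar suspicious message, so the traffic pattern escalates it to infectious.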
Specification