Analyzing traffic patterns to detect infectious messages

US 8,955,136 B2
Filed: 02/20/2012
Issued: 02/10/2015
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method for classifying an electronic-mail message, the method comprising:

storing a plurality of previously received messages in memory, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;

receiving a message sent over a communication network; and

executing instructions stored in memory, wherein execution of the instructions by a processor;

determines that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages,determines that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message, andclassifies the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.

128 Citations

18 Claims

1. A method for classifying an electronic-mail message, the method comprising:
- storing a plurality of previously received messages in memory, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
  
  receiving a message sent over a communication network; and
  
  executing instructions stored in memory, wherein execution of the instructions by a processor;
  
  determines that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages,determines that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message, andclassifies the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising executing instructions by the processor to perform a traffic analysis on the received message to identify a traffic spike in the total number of similar suspicious messages that is consistent with a pattern of a virus outbreak.
  - 3. The method of claim 2, wherein the traffic analysis is analyzed on a global network level.
  - 4. The method of claim 2, wherein the traffic analysis is analyzed on a subnet of a local network.
  - 5. The method of claim 1, further comprising executing instructions by the processor to quarantine the message based on the infectious classification.
  - 6. The method of claim 1, further comprising executing instructions by the processor to delete the message based on the infectious classification.
  - 7. The method of claim 1, wherein the message includes an executable attachment having a file name and one or more of the suspicious messages have the same attachment and file name.
  - 8. The method of claim 1, further comprising executing instructions by the processor to report the received message classified as infectious to another user on the communications network to prevent the spread of the infectious message.

9. A system for classifying an electronic-mail message, the system comprising:
- memory for storing a plurality of previously received messages in memory, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
  
  a mail server for receiving a message sent over a communication network; and
  
  a network device coupled to the mail server, the network device including a processor for executing instructions stored in memory, wherein execution of the instructions by the processor;
  
  determines that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages,determines that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message, andclassifies the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.
- View Dependent Claims (10, 12, 13, 14, 15, 16, 17, 18)
- - 10. The system of claim 9, further comprising an infectious message detection mechanism stored in memory and executable by a processor to identify a virus associated with the infectious message.
  - 12. The system of claim 9, wherein the network device further performs a traffic analysis on the received message to identify a traffic spike in the total number of similar suspicious messages that is consistent with a pattern of a virus outbreak.
  - 13. The system of claim 12, wherein the traffic analysis is analyzed on a global network level.
  - 14. The system of claim 12, wherein the traffic analysis is analyzed on a subnet of a local network.
  - 15. The system of claim 9, wherein the network device quarantines the message based on the infectious classification.
  - 16. The system of claim 9, wherein the network device deletes the message based on the infectious classification.
  - 17. The system of claim 9, wherein the message includes an executable attachment having a file name and one or more of the suspicious messages have the same attachment and file name.
  - 18. The system of claim 9, wherein the network device reports the received message classified as infectious to another user on the communications network to prevent the spread of the infectious message.

11. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for classifying an electronic-mail message, the method comprising:
- storing a plurality of previously received messages, wherein each previously received message is individually classified as suspicious, and wherein each suspicious classification is based on a probability of infection that is between a probability threshold for legitimate classification and a probability threshold for infectious classification;
  
  receiving a message sent over a communication network;
  
  determining that the received message is individually classified as suspicious based on the probability threshold and is similar to one or more of the previously received messages classified as suspicious messages;
  
  determining that a total number of similar suspicious messages has exceeded a predefined message threshold, wherein the total number of similar suspicious messages includes the received message and the one or more previously received and classified suspicious messages determined to be similar to the received message; and
  
  classifying the received message as infectious when the predefined message threshold has been met by the total number of similar suspicious messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Benoit, Esther

Application Number

US13/400,548
Publication Number

US 20120151590A1
Time in Patent Office

1,086 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Analyzing traffic patterns to detect infectious messages

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Analyzing traffic patterns to detect infectious messages

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links