Detecting relayed communications
Abstract
Methods, apparatus and computer readable code for determining whether a potential relay device is a relay device are provided herein. In some embodiments, first and second information elements are received from a potential relay device, which is an original source of the second information element. In order to determine whether the potential relay device is a relay device, it is determined whether a feature of an original source of the first information element and a feature of the potential relay device are features unlikely to relate to a single device, wherein a positive result of the determining is indicative that the potential relay device is a relay device. In an exemplary embodiment, a disclosed system includes an information element receiver and a feature incompatibility analyzer. Optionally, the disclosed system includes a feature discovery module, a parameter obtainer and a feature database.
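A minimal sketch of the feature incompatibility analysis the abstract describes, added here as an illustration and not taken from the patent. It assumes the first information element is an HTTP `User-Agent` header and that the features of the connecting device are supplied by a separate discovery step the page does not detail; `Features`, `UNLIKELY_TOGETHER`, `UA_TOKENS` and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Features:
    software: str          # type of software installed (here: OS family)
    http_device_type: str  # "client" or "server"

# Hypothetical feature database: software pairs unlikely to share one device.
UNLIKELY_TOGETHER = {
    frozenset({"windows", "linux"}),
    frozenset({"windows", "macos"}),
    frozenset({"linux", "macos"}),
}

# Simplified User-Agent tokens (assumption; real parsing needs more cases).
UA_TOKENS = (("windows nt", "windows"), ("mac os x", "macos"), ("linux", "linux"))

def source_features(headers):
    """Feature discovery for the original source of the first information
    element, assumed here to be the HTTP client that wrote User-Agent."""
    ua = headers.get("User-Agent", "").lower()
    for token, family in UA_TOKENS:
        if token in ua:
            return Features(family, "client")
    return None  # feature could not be identified

def incompatibilities(source, relay):
    """Feature incompatibility analyzer: list reasons the two feature sets
    are unlikely to describe a single device."""
    if source is None or relay is None:
        return []  # no verdict without both features
    reasons = []
    if frozenset({source.software, relay.software}) in UNLIKELY_TOGETHER:
        reasons.append(f"software: {source.software} vs {relay.software}")
    if source.http_device_type != relay.http_device_type:
        reasons.append(f"HTTP device type: {source.http_device_type} vs {relay.http_device_type}")
    return reasons

def is_probable_relay(headers, relay):
    return bool(incompatibilities(source_features(headers), relay))

# Constructed sample: request headers plus features of the connecting device.
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
if __name__ == "__main__":
    print(incompatibilities(source_features(SAMPLE_HEADERS), Features("linux", "server")))
    print(is_probable_relay(SAMPLE_HEADERS, Features("windows", "client")))
```

When either feature cannot be identified the analyzer returns no reasons, so an unparseable header yields no verdict, not a relay verdict.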
42 Claims
1. A method of determining whether a potential relay device is a relay device, the method comprising:
- receiving a communication from the potential relay device, the communication comprising a first information element and a second information element, wherein the potential relay device is an original source of said second information element;
- identifying a feature of an original source of said first information element, the feature of the original source of said first information element including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of said first information element;
- identifying a feature of the potential relay device, the feature of the potential relay device including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- determining, using a relay detection system implemented at least in part in hardware, that the feature of the original source of said first information element of said first information element and the feature of the potential relay device are features unlikely to relate to a single device, said determining being indicative that the potential relay device is a relay device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
32. A method of determining whether a potential relay device is a relay device, the method comprising:
- receiving, from the potential relay device, a first information element and a second information element, wherein the potential relay device is an original source of said second information element;
- analyzing a configuration status of an original source of at least one of said first and said second information elements, said configuration status selected from the group consisting of an operating system type, an operating system version, a software type, an HTTP client type, an HTTP server type, an SMTP client type, an SMTP server type, a time setting, a clock setting, and a time zone setting;
- identifying a feature of an original source of said first information element, the feature of the original source of said first information element including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of said first information element;
- identifying a feature of the potential relay device, the feature of the potential relay device including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- determining, using a relay detection system, whether the feature of the original source of said first information element and the feature of the potential relay device are features unlikely to relate to a single device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
33. A method of determining whether a potential relay device is a relay device, the method comprising:
- receiving, from the potential relay device, a first information element and a second information element, wherein the potential relay device is an original source of said second information element;
- analyzing, using a relay detection system, a feature related to communication performance of an original source of at least one of said first and said second information elements;
- identifying a feature of an original source of said first information element, the feature of the original source of said first information element including communication performance of the original source of said first information element, the feature of the original source of said first information element also including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of said first information element;
- identifying a feature of the potential relay device, the feature of the potential relay device including communication performance of the potential relay device, the feature of the potential relay device also including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- determining, using a relay detection system, whether the feature of the original source of said first information element of said first information element and the feature of the potential relay device are features unlikely to relate to a single device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
Dependent claims: 34
35. A method of determining whether a potential relay device is a relay device, the method comprising:
- receiving, from the potential relay device, a first information element and a second information element;
- identifying a feature of an original source of said first information element, the feature of the original source of said first information element including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of the first information element;
- identifying a feature of an original source of said second information element, the feature of the original source of said second information element including a device configuration status of the original source of said second information element, the device configuration status including an indication of a type of software installed on the original source of said second information element and an HTTP device type of the original source of the second information element; and
- determining, using a relay detection system, that the feature of the original source of said first information element and the feature of the original source of said second information element are features unlikely to relate to a single device, said determining being indicative that the potential relay device is a relay device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
36. A method of determining whether a potential relay device is a relay device, the method comprising:
- identifying a feature of an original source of a first information element, the feature of the original source of said first information element including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of said first information element;
- identifying a feature of the potential relay device that transmitted the first information element and a second information element, the potential relay device being the original source of the second information element, the feature of the potential relay device including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- determining, using a relay detection system, whether a feature of an original source of a first information element and a feature of the potential relay device are features unlikely to relate to a single device, wherein a positive result of said determining is indicative that the potential relay device is a relay device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
37. A system, implemented at least in part in hardware, to determine whether a potential relay device is a relay device, the system comprising:
- a processor;
- a feature database in data communication with the processor;
- an information element receiver, executable by the processor, to receive information elements from a plurality of devices including an information source device and the potential relay device;
- a feature discovery module, executable by the processor, to identify at least one of a feature of the information source device and a feature of the potential relay device, the feature of the information source device including a device configuration status of the information source device, the device configuration status including an indication of a type of software installed on the information source device and an HTTP device type of the information source device, the feature of the potential relay device including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- a feature incompatibility analyzer, executable by the processor and in data communication with the feature database, to determine whether the feature of said information source device and the feature of the potential relay device are features unlikely to relate to a single device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
Dependent claims: 38, 39, 40, 41
42. A computer-readable non-transitory storage medium comprising instructions, which when executed by a computer cause the computer to:
- receive, from the potential relay device, a first information element and a second information element, wherein the potential relay device is an original source of said second information element;
- identify a feature of an original source of said first information element, the feature of the original source of said first information element including a device configuration status of the original source of said first information element, the device configuration status including an indication of a type of software installed on the original source of said first information element and an HTTP device type of the original source of said first information element;
- identify a feature of said potential relay device, the feature of the potential relay device including a device configuration status of the potential relay device, the device configuration status including an indication of a type of software installed on the potential relay device and an HTTP device type of the potential relay device; and
- determine whether the feature of the original source of said first information element and the feature of said potential relay device are features unlikely to relate to a single device, wherein a positive result of said determining is indicative that said potential relay device is a relay device, based on an analysis of the type of software installed on and the HTTP device type of both the original source of said first information element and the potential relay device.
Specification