User reporting and automatic threat processing of suspicious email

US 9,223,971 B1
Filed: 01/28/2014
Issued: 12/29/2015
Est. Priority Date: 01/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at an email client configured to execute on a host computer device, receiving one or more email messages in connection with a user account associated with an email address;

displaying the received one or more email messages and a user selectable icon to report suspicious email; and

receiving user selections of the icon and an associated suspicious email message among the received one or more email messages, and responsive to the selections, automatically performing suspicious email threat processing on the selected suspicious email message, the automatically performing including;

collecting information from the host computer device, the user account, and the email message, the information including a user account name, an Internet Protocol (IP) address of the host, a number of file attachments of the email and a name of each file attachment, and hyperlinks and Uniform Resource Locators (URLs) embedded in the email message;

determining an initial threat priority for the email message based on the collected information;

generating threat indicators based at least on each file attachment of the email message, if any;

determining malware, if any, in the email message based on the threat indicators and the collected information; and

creating an event ticket for the suspicious email message having fields populated based on the collected information, the initial threat priority, and the determined malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer device displays email messages received in connection with a user account and a user selectable icon to report suspicious email. The computer device receives user selections of the icon and an associated suspicious email message among the received email messages. Responsive to the selection, the computer device automatically collects information from the host, the user account, and the email message, determines an initial threat priority for the email message based on the collected information, generates threat indicators based at least on each file attachment of the email message, if any, determines malware, if any, in the email message based on the threat indicators, and creates an event ticket for the suspicious email message having fields populated based on the collected information, the initial threat priority, the threat indicators, and the determined malware.

26 Citations

View as Search Results

26 Claims

1. A method comprising:
- at an email client configured to execute on a host computer device, receiving one or more email messages in connection with a user account associated with an email address;
  
  displaying the received one or more email messages and a user selectable icon to report suspicious email; and
  
  receiving user selections of the icon and an associated suspicious email message among the received one or more email messages, and responsive to the selections, automatically performing suspicious email threat processing on the selected suspicious email message, the automatically performing including;
  
  collecting information from the host computer device, the user account, and the email message, the information including a user account name, an Internet Protocol (IP) address of the host, a number of file attachments of the email and a name of each file attachment, and hyperlinks and Uniform Resource Locators (URLs) embedded in the email message;
  
  determining an initial threat priority for the email message based on the collected information;
  
  generating threat indicators based at least on each file attachment of the email message, if any;
  
  determining malware, if any, in the email message based on the threat indicators and the collected information; and
  
  creating an event ticket for the suspicious email message having fields populated based on the collected information, the initial threat priority, and the determined malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determining the initial threat priority includes:
    - pattern matching the information collected from the host computer device, the user account, and the email message against keywords divided among multiple groups of keywords ranked from a lowest to a highest threat priority; and
      
      setting the initial threat priority equal to one of the ranked threat priorities based on results of the pattern matching.
  - 3. The method of claim 2, wherein:
    - the generating threat indicators includes computing a hash value for each file attachment of the email message; and
      
      the determining malware includes searching one or more databases of malware based on the hash values.
  - 4. The method of claim 1, further comprising:
    - searching a list of user names including high priority and low priority user names based on a name associated with the user account; and
      
      determining a final threat priority for the email message based on the initial threat priority, the determined malware, and results of the searching a list of user names,wherein the creating an event ticket includes populating a threat severity field of the event ticket to indicate the final threat priority.
  - 5. The method of claim 4, wherein the creating further includes:
    - if the determined suspicious email threat severity is relatively high, populating a resolution status field of the event ticket to indicate that manual analysis of the email message is required to resolve the event ticket; and
      
      if the determined suspicious email threat severity is not relatively high, populating the resolution status field to indicate that the event ticket has been resolved automatically.
  - 6. The method of claim 5, wherein the creating includes populating further fields of the event ticket to indicate:
    - a subject line of the email message, an email sender name, a user account name, and an email address associated with the user account;
      
      results of the pattern matching, including keywords that matched the email message and the threat priority;
      
      Uniform Resource Locators (URLs) embedded in the email message; and
      
      names of file attachments of the email and hash values computed for the corresponding file attachments.
  - 7. The method of claim 1, wherein the collecting further includes collecting a fully qualified domain name (FQDN) from the host.
  - 8. The method of claim 1, further comprising:
    - creating a first analysis results email message including the collected information, the email message, and files attached to the email, if any;
      
      sending the first analysis results email message to a first predetermined email address;
      
      accessing the first analysis results email message from the first predetermined email address; and
      
      performing the determining a threat priority and the generating the threat indicators based on the accessed first analysis results email message.
  - 9. The method of claim 8, further comprising:
    - creating a second analysis results email message including contents of the first analysis results email message, the determined threat priority, and the determined threat indicators;
      
      sending the second analysis results email message to a second predetermined email address;
      
      accessing the second analysis results email message from the second predetermined email address; and
      
      performing the determining malware and the creating an event ticket based on the accessed second analysis results email message.

10. An apparatus comprising:
- a network interface unit configured to send and receive communications including email messages over a network; and
  
  a processor coupled to the network interface unit and the display, and configured to;
  
  receive at an email client one or more email messages in connection with a user account associated with an email address;
  
  display the received one or more email messages and a user selectable icon to report suspicious email; and
  
  receive user selections of the icon and an associated suspicious email message among the received one or more email messages, and responsive to the selections, automatically perform suspicious email threat processing on the selected suspicious email message, wherein the processor is further configured to;
  
  collect information from the apparatus, the user account, and the email message, the information including a user account name, an Internet Protocol (IP) address of the host, a number of file attachments of the email and a name of each file attachment, and hyperlinks and Uniform Resource Locators (URLs) embedded in the email message;
  
  determine an initial threat priority for the email message based on the collected information;
  
  generate threat indicators based at least on each file attachment of the email message, if any;
  
  determine malware, if any, in the email message based on the threat indicators; and
  
  create an event ticket for the suspicious email message having fields populated based on the collected information, the initial threat priority, the threat indicators, and the determined malware.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the processor configured to determine the initial threat priority is further configured to:
    - pattern match the information collected from the apparatus, the user account, and the email message against keywords divided among multiple groups of keywords ranked from a lowest to a highest threat priority; and
      
      set the initial threat priority equal to one of the ranked threat priorities based on results of the pattern matching.
  - 12. The apparatus of claim 11, wherein:
    - the processor configured to generate the threat indicators is further configured to compute a hash value for each file attachment of the email message; and
      
      the processor configured to determine the malware is further configured to search one or more databases of malware based on the hash values.
  - 13. The apparatus of claim 10, wherein the processor is further configured to:
    - search a list of user names including high priority and low priority user names based on a name associated with the user account; and
      
      determine a final threat priority for the email message based on the initial threat priority, the determined malware, and results of the searching a list of user names,wherein the processor configured to create the event ticket is further configured to populate a threat severity field of the event ticket to indicate the final threat priority.
  - 14. The apparatus of claim 13, wherein the processor is configured to create the event ticket by:
    - if the determined suspicious email threat severity is relatively high, populating a resolution status field of the event ticket to indicate that manual analysis of the email message is required to resolve the event ticket; and
      
      if the determined suspicious email threat severity is not relatively high, populating the resolution status field to indicate that the event ticket has been resolved automatically.
  - 15. The apparatus of claim 10, wherein the processor is further configured to:
    - create a first analysis results email message including the collected information, the email message, and files attached to the email, if any;
      
      send the first analysis results email message to a first predetermined email address; and
      
      access the first analysis email results message from the first predetermined email address,wherein the processor is configured to determine the initial threat priority and generate the threat indicators based on the accessed first analysis results email.
  - 16. The apparatus of claim 15, wherein the processor is further configured to:
    - create a second analysis results email message including contents of the first analysis email, the determined threat priority, and the determined threat indicators; and
      
      send the second analysis results email message to a second predetermined email address;
      
      access the second analysis results email message from the second predetermined email address,wherein the processor is configured to determine malware and create an event ticket based on the accessed second analysis results email.

17. A non-transitory processor readable medium storing instructions that,when executed by a processor, cause the processor to:
- at an email client configured to execute on a host computer device, receive one or more email messages in connection with a user account associated with an email address;
  
  display the received one or more email messages and a user selectable icon to report suspicious email; and
  
  receive user selections of the icon and an associated suspicious email message among the received email messages, and responsive to the selections, automatically perform suspicious email threat processing on the selected suspicious email message, the instructions to cause the processor to automatically perform including instructions to cause the processor to;
  
  collect information from the host computer device, the user account, and the email message, the information including a user account name, an Internet Protocol (IP) address of the host, a number of file attachments of the email and a name of each file attachment, and hyperlinks and Uniform Resource Locators (URLs) embedded in the email message;
  
  determine an initial threat priority for the email message based on the collected information;
  
  generate threat indicators based at least on each file attachment of the email message, if any;
  
  determine malware, if any, in the email message based on the threat indicators; and
  
  create an event ticket for the suspicious email message having fields populated based on the collected information, the initial threat priority, the threat indicators, and the determined malware.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The processor readable medium of claim 17, wherein the instructions include instructions to cause the processor to:
    - pattern match the information collected from the host computer device, the user account, and the email message against keywords divided among multiple groups of keywords ranked from a lowest to a highest threat priority; and
      
      set the initial threat priority equal to one of the ranked threat priorities based on results of the pattern matching.
  - 19. The processor readable medium of claim 18, wherein the instructions include instructions to cause the processor to:
    - compute a hash value for each file attachment of the email message; and
      
      search one or more databases of malware based on the hash values.
  - 20. The processor readable medium of claim 17, including further instructions to cause the processor to:
    - search a list of user names including high priority and low priority user names based on a name associated with the user account; and
      
      determine a final threat priority for the email message based on the initial threat priority, the determined malware, and results of the searching a list of user names,wherein the instructions to cause the processor to create an event ticket include instructions to cause the processor to populate a threat severity field of the event ticket to indicate the final threat priority.
  - 21. The processor readable medium of claim 20, wherein the instruction to cause the processor to create an event ticket further include instructions to cause the processor to:
    - if the determined suspicious email threat severity is relatively high, populate a resolution status field of the event ticket to indicate that manual analysis of the email message is required to resolve the event ticket; and
      
      if the determined suspicious email threat severity is not relatively high, populate the resolution status field to indicate that the event ticket has been resolved automatically.
  - 22. The processor readable medium of claim 17, including further instructions to cause the processor to:
    - create a first analysis results email message including the collected information, the email message, and files attached to the email, if any;
      
      send the first analysis results email message to a first predetermined email address;
      
      access the first analysis email results message from the first predetermined email address; and
      
      generate the threat indicators based on the accessed first analysis results email.
  - 23. The processor readable medium of claim 22, including further instructions to cause the processor to:
    - create a second analysis results email message including contents of the first analysis email, the determined threat priority, and the determined threat indicators;
      
      send the second analysis results email message to a second predetermined email address;
      
      access the second analysis results email message from the second predetermined email address; and
      
      determine the malware and create the event ticket based on the accessed second analysis results email.

24. A system comprising:
- a first computer device configured to;
  
  at an email client configured to execute on the first computer device, receive one or more email messages in connection with a user account associated with an email address;
  
  display the received one or more email messages and a user selectable icon to report suspicious email; and
  
  receive user selections of the icon and an associated suspicious email message among the received one or more email messages, and responsive to the selections, automatically perform suspicious email threat processing on the selected suspicious email message;
  
  collect information from the first computer device, the user account, and the email message, the information including a user account name, an Internet Protocol (IP) address of the host, a number of file attachments of the email and a name of each file attachment, and hyperlinks and Uniform Resource Locators (URLs) embedded in the email message;
  
  create a first analysis results email message including the collected information, the email message, and files attached to the email, if any; and
  
  send the first analysis results email message to a first predetermined email address.
- View Dependent Claims (25, 26)
- - 25. The system of claim 24, further comprising one or more second computer devices configured to:
    - access the first analysis results email message from the first predetermined email address;
      
      determine a threat priority based on the accessed first analysis results email message;
      
      generate the threat indicators based on the accessed first analysis results email message;
      
      create a second analysis results email message including contents of the first analysis results email message, the determined threat priority, and the generated threat indicators; and
      
      send the second analysis results email message to a second predetermined email address.
  - 26. The system of claim 25, wherein the one or more second computer devices are further configured to:
    - access the second analysis results email message from the second predetermined email address;
      
      determine malware, if any, in the email message based on the threat indicators in the second analysis results email;
      
      determine a final threat priority for the email message based at least on the initial threat priority and the determined malware; and
      
      create a human readable event ticket including the final threat priority and contents of the second analysis results email message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Original Assignee
Exelis Incorporated (L3Harris Technologies, Inc.)
Inventors
Bartolomie, Joshua G., Thomas, Vince, Stilwell, Kevin, Larson, Derek, Nitti, Tracy
Primary Examiner(s)
Lee, Jason
Assistant Examiner(s)
Lane, Gregory

Application Number

US14/166,210
Time in Patent Office

700 Days
Field of Search

726/23, 726/25, 707/767
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

User reporting and automatic threat processing of suspicious email

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

User reporting and automatic threat processing of suspicious email

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links