Electronic message threat protection system for authorized users
First Claim
1. An electronic message threat protection system for authorized users comprising:
- a message transformation subsystem comprisinga message input module that receives an electronic message comprisinga sender information;
a recipient information; and
,a resource or a reference to said resource, wherein said resource or said reference to said resource comprises one or more of a link to a web page and a message attachment that comprises an attached file;
a reference rewriting module that replaces said resource or said reference to said resource with a protected reference to said resource, to form a protected message;
wherein said protected reference comprises one or more ofan encoded link to said web page comprising the link to said web page with an encoded path, anda converted protected attachment comprising an encoded file reference; and
,a message output module that forwards said protected message to a recipient corresponding with said recipient information;
an authorization subsystem configured to determine whether a user is an authorized user who is permitted to use said protected reference to access said resource; and
,a secure resource access subsystem configured to provide said authorized user with secure access to said resource via a security mechanism that mitigates one or more potential threats from said resource;
wherein the message input module, the reference rewriting module and the security mechanism are executable on a client or server computer or set of client or server computers;
whereinsaid recipient of said electronic message creates a copy of said protected reference;
use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causessaid authorization subsystem to determine whether said user is said authorized user; and
,when said user is said authorized user, said secure resource access subsystem to provide said authorized user with said secure access to said resource via said security mechanism; and
,when said user is not said authorized user, said secure resource access subsystem to block access to said resource for said user; and
,whereinsaid secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file;
said protected reference comprisesa proxy server address of a proxy server;
said encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment;
said proxy server comprises or communicates withsaid authorization subsystem;
said secure resource access subsystem; and
,said proxy server is configured todecode said encoded file reference to obtain a reference to said sandboxed file; and
,open said sandboxed file in said sandbox environment.
5 Assignments
0 Petitions
Accused Products
Abstract
An electronic message threat protection system that incorporates user authorization to ensure that only authorized users receive the benefits of the system'"'"'s protection. The system protects against threats such as phishing attacks or malware embedded in attached files. References to resources in messages, such as links or attachments, are transformed into protected references that may for example insert a level of indirection between the user and the resource. Use of a protected reference triggers a user authorization check; if the user is an authorized user, the system provides access via a security mechanism that mitigates potential threats. Unauthorized users are denied access. A message recipient may deliberately or inadvertently distribute copies of the message or of the protected references; however, the authorization check ensures that recipients of the copies can only access resources via these copies if they are authorized users.
-
Citations
18 Claims
-
1. An electronic message threat protection system for authorized users comprising:
-
a message transformation subsystem comprising a message input module that receives an electronic message comprising a sender information; a recipient information; and
,a resource or a reference to said resource, wherein said resource or said reference to said resource comprises one or more of a link to a web page and a message attachment that comprises an attached file; a reference rewriting module that replaces said resource or said reference to said resource with a protected reference to said resource, to form a protected message; wherein said protected reference comprises one or more of an encoded link to said web page comprising the link to said web page with an encoded path, and a converted protected attachment comprising an encoded file reference; and
,a message output module that forwards said protected message to a recipient corresponding with said recipient information; an authorization subsystem configured to determine whether a user is an authorized user who is permitted to use said protected reference to access said resource; and
,a secure resource access subsystem configured to provide said authorized user with secure access to said resource via a security mechanism that mitigates one or more potential threats from said resource; wherein the message input module, the reference rewriting module and the security mechanism are executable on a client or server computer or set of client or server computers; wherein said recipient of said electronic message creates a copy of said protected reference; use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causes said authorization subsystem to determine whether said user is said authorized user; and
,when said user is said authorized user, said secure resource access subsystem to provide said authorized user with said secure access to said resource via said security mechanism; and
,when said user is not said authorized user, said secure resource access subsystem to block access to said resource for said user; and
,wherein said secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file; said protected reference comprises a proxy server address of a proxy server; said encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment; said proxy server comprises or communicates with said authorization subsystem; said secure resource access subsystem; and
,said proxy server is configured to decode said encoded file reference to obtain a reference to said sandboxed file; and
,open said sandboxed file in said sandbox environment. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. An electronic message threat protection system for authorized users comprising
a proxy server; -
a message transformation subsystem comprising a message input module that receives an electronic message comprising a sender information; a recipient information; and
,a reference to a resource comprising a link to a web page; wherein said web page has a web page identity; a reference rewriting module that replaces said reference to a resource with a protected reference to said resource, to form a protected message, wherein said protected reference to said resource comprises a proxy server address of said proxy server; and
,an encoded link to said web page; and
,a message output module that forwards said protected message to a recipient corresponding with said recipient information; an authorization subsystem comprising a database comprising registered users; and registered user credentials for each of said registered users; wherein said registered user credentials comprise one or more of an Internet protocol (IP) address or IP address range; a password; a PIN; a one-time PIN or one-time password sent to said user; a biometric credential; a security token; a security certificate; a response to a challenge questions; single sign-on credentials from a single sign-on service; and
,cached valid credentials previously provided by said user and stored on a memory associated with said user; and
,a secure resource access subsystem comprising a whitelist of identities of web pages presumed to be secure; a blacklist of identities of web pages presumed to be malicious; and
,a policy for unknown web page identities comprising at least one of block unknown web pages; allow unknown web pages; and
,warn user of unknown web pages; wherein the message input module and the reference rewriting module are executable on a client or server computer or set of client or server computers; wherein said proxy server comprises or communicates with said authorization subsystem; and
,said secure resource access subsystem; said proxy server is configured to decode said encoded link to obtain said link to said web page; said recipient of said electronic message creates a copy of said protected reference; use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causes said authorization subsystem to obtain user credentials from said user; and
,determine that said user is an authorized user when and only when said user credentials match said registered user credentials for a registered user in said database; when said user is said authorized user, said secure resource access subsystem to decode said encoded link to obtain said link to said web page; provide access to said web page when said web page identity is in said whitelist; block access to said web page when said web page identity is in said blacklist; and
,when said web page identity is not in said whitelist and is not in said blacklist, apply said policy for unknown web page identities; and
,when said user is not said authorized user, said secure resource access subsystem to block access to said web page for said user; and
,wherein said secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file; said protected reference comprises said encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment; said proxy server comprises or communicates with said authorization subsystem; said secure resource access subsystem; and
,said proxy server is configured to decode said encoded file reference to obtain a reference to said sandboxed file; and
,open said sandboxed file in said sandbox environment. - View Dependent Claims (18)
-
Specification