Systems, methods, and media protecting a digital data processing device from attack

US 9,544,322 B2
Filed: 08/31/2015
Issued: 01/10/2017
Est. Priority Date: 08/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a digital data processing device from attack, the method comprising:

receiving a first electronic mail;

sending the first electronic mail to a first computing device that opens at least a first attachment in the first electronic mail, determines whether anomalous behavior occurs subsequent to opening the first attachment, and generates feedback when anomalous behavior is determined to have occurred;

receiving a second electronic mail at a second computing device; and

based on the feedback;

determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail; and

in response to determining that the second attachment matches the first attachment, performing filtering on the second electronic mail.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attach is provided, that includes, within a virtual environment; receiving at least one attachment to an electronic mail; and executing the al least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.

Citations

21 Claims

1. A method for protecting a digital data processing device from attack, the method comprising:
- receiving a first electronic mail;
  
  sending the first electronic mail to a first computing device that opens at least a first attachment in the first electronic mail, determines whether anomalous behavior occurs subsequent to opening the first attachment, and generates feedback when anomalous behavior is determined to have occurred;
  
  receiving a second electronic mail at a second computing device; and
  
  based on the feedback;
  
  determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail; and
  
  in response to determining that the second attachment matches the first attachment, performing filtering on the second electronic mail.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first computing device is a virtual machine.
  - 3. The method of claim 2, wherein the first computing device executes a mail user agent to receive the first electronic mail and open the first attachment.
  - 4. The method of claim 1, wherein the second computing device is a server executing a mail transport agent.
  - 5. The method of claim 1, wherein the first attachment is an executable attachment, and wherein opening the first attachment comprises causing the first computing device to execute the first attachment.
  - 6. The method of claim 1, wherein the first attachment is a hyperlink, and wherein opening the first attachment comprises causing the first computing device to select the first attachment, which causes the first computing device to request a document specified by the hyperlink.
  - 7. The method of claim 1, wherein determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail comprises determining that the second attachment is identical to the first attachment.

8. A system for protecting a digital data processing device from attack, the system comprising:
- at least one hardware processor that;
  
  receives a first electronic mail;
  
  sends the first electronic mail to a first computing device that opens at least a first attachment in the first electronic mail, determines whether anomalous behavior occurs subsequent to opening the first attachment, and generates feedback when anomalous behavior is determined to have occurred;
  
  receives a second electronic mail at a second computing device; and
  
  based on the feedback;
  
  determines that a second attachment in the second electronic mail matches the first attachment in the first electronic mail; and
  
  in response to determining that the second attachment matches the first attachment, performs filtering on the second electronic mail.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the first computing device is a virtual machine.
  - 10. The system of claim 9, wherein the first computing device executes a mail user agent to receive the first electronic mail and open the first attachment.
  - 11. The system of claim 8, wherein the second computing device is a server executing a mail transport agent.
  - 12. The system of claim 8, wherein the first attachment is an executable attachment, and wherein opening the first attachment comprises causing the first computing device to execute the first attachment.
  - 13. The system of claim 8, wherein the first attachment is a hyperlink, and wherein opening the first attachment comprises causing the first computing device to select the first attachment, which causes the first computing device to request a document specified by the hyperlink.
  - 14. The system of claim 8, wherein the determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail comprises determining that the second attachment is identical to the first attachment.

15. A non-transitory computer-readable medium containing computer executable instructions that, when executed by a processor, cause the processor to perform a method for protecting a digital data processing device from attack, the method comprising:
- receiving a first electronic mail;
  
  sending the first electronic mail to a first computing device that opens at least a first attachment in the first electronic mail, determines whether anomalous behavior occurs subsequent to opening the first attachment, and generates feedback when anomalous behavior is determined to have occurred;
  
  receiving a second electronic mail at a second computing device; and
  
  based on the feedback;
  
  determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail; and
  
  in response to determining that the second attachment matches the first attachment, performing filtering on the second electronic mail.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the first computing device is a virtual machine.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the first computing device executes a mail user agent to receive the first electronic mail and open the first attachment.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the second computing device is a server executing a mail transport agent.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the first attachment is an executable attachment, and wherein opening the first attachment comprises causing the first computing device to execute the first attachment.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the first attachment is a hyperlink, and wherein opening the first attachment comprises causing the first computing device to select the first attachment, which causes the first computing device to request a document specified by the hyperlink.
  - 21. The non-transitory computer-readable medium of claim 15, wherein determining that a second attachment in the second electronic mail matches the first attachment in the first electronic mail comprises determining that the second attachment is identical to the first attachment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Sidiroglou, Stylianos, Keromytis, Angelos D., Stolfo, Salvatore J.
Primary Examiner(s)
Song, Hosuk

Application Number

US14/841,233
Publication Number

US 20150373041A1
Time in Patent Office

498 Days
Field of Search

726/1, 726 11- 15, 726 22- 24, 713/176, 713187-188
US Class Current

1/1
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Systems, methods, and media protecting a digital data processing device from attack

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods, and media protecting a digital data processing device from attack

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links