Malware detection system based on stored data

US 9,654,492 B2
Filed: 01/29/2016
Issued: 05/16/2017
Est. Priority Date: 09/15/2015
Status: Active Grant

First Claim

Patent Images

1. A malware detection system based on stored data, comprising:

a messaging system database comprising at least one or more computing devices for storing;

an archive of electronic messages, wherein said archive of electronic messages comprises electronic messages previously sent, received or drafted,a contacts list, andsummary data derived from said archive of electronic messages and said contacts list, wherein said summary data consolidates information from said message archive of electronic messages and said contacts list; and

,a message filter comprising a computer coupled to said messaging system database, and configured toreceive an electronic message comprising one or more message parts, said one or more message parts comprisinga sender information,one or more receivers information,a message contents,a subject line,one or more attachments,one or more links to websites,a message thread;

determine whether said electronic message represents a potential threat, based on an analysis ofsaid one or more message parts, andsaid messaging system database;

classify said electronic message as a potential threat when a length of time said sender has been in said contacts list is below a threshold value andclassify said electronic message as a potential threat when said electronic message asks said user to perform an action; and

,no previous message in said archive of electronic messages from the same sender as said electronic message requests said user to perform said action;

wherein when said electronic message represents a potential threat, perform one or more ofblock access to said electronic message or to one or more of said message parts; and

,transform said electronic message to provide a warning to a user who attempts to access said electronic message or attempts to access one or more of said one or more message parts,wherein said transform said electronic message to provide said warning comprises one or more ofinsert text or graphics warning about a potential threat into the subject line of said electronic message and into the message contents of said electronic message, and,transform a link to a website from said electronic message to a protected link, wherein clicking said protected link

shows a website warning to said user before connecting to said website, or

calculates a website maturity score, and if said website maturity score is below a threshold, displays a warning message to said user before connecting to said website, or

shows said website warning and calculates said website maturity score.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware detection system based on stored data that analyzes an electronic message for threats by comparing it to previously received messages in a message archive or to a contacts list. Threat protection rules may be generated dynamically based on the message and contacts history. A message that appears suspicious may be blocked, or the system may insert warnings to the receiver not to provide personal information without verifying the message. Threat checks may look for unknown senders, senders with identities that are similar to but not identical to previous senders or to known contacts, or senders that were added only recently as contacts. Links embedded in messages may be checked by comparing them to links previously received or to domain names of known contacts. The system may flag messages as potential threats if they contradict previous messages, or if they appear unusual compared to the patterns of previous messages.

64 Citations

View as Search Results

25 Claims

1. A malware detection system based on stored data, comprising:
- a messaging system database comprising at least one or more computing devices for storing;
  
  an archive of electronic messages, wherein said archive of electronic messages comprises electronic messages previously sent, received or drafted,a contacts list, andsummary data derived from said archive of electronic messages and said contacts list, wherein said summary data consolidates information from said message archive of electronic messages and said contacts list; and
  
  ,a message filter comprising a computer coupled to said messaging system database, and configured toreceive an electronic message comprising one or more message parts, said one or more message parts comprisinga sender information,one or more receivers information,a message contents,a subject line,one or more attachments,one or more links to websites,a message thread;
  
  determine whether said electronic message represents a potential threat, based on an analysis ofsaid one or more message parts, andsaid messaging system database;
  
  classify said electronic message as a potential threat when a length of time said sender has been in said contacts list is below a threshold value andclassify said electronic message as a potential threat when said electronic message asks said user to perform an action; and
  
  ,no previous message in said archive of electronic messages from the same sender as said electronic message requests said user to perform said action;
  
  wherein when said electronic message represents a potential threat, perform one or more ofblock access to said electronic message or to one or more of said message parts; and
  
  ,transform said electronic message to provide a warning to a user who attempts to access said electronic message or attempts to access one or more of said one or more message parts,wherein said transform said electronic message to provide said warning comprises one or more ofinsert text or graphics warning about a potential threat into the subject line of said electronic message and into the message contents of said electronic message, and,transform a link to a website from said electronic message to a protected link, wherein clicking said protected link
  
  shows a website warning to said user before connecting to said website, or
  
  calculates a website maturity score, and if said website maturity score is below a threshold, displays a warning message to said user before connecting to said website, or
  
  shows said website warning and calculates said website maturity score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The system of claim 1, wherein said determine whether said electronic message represents a potential threat is further based on an analysis of one or more external databases.
  - 3. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat if said archive of electronic messages does not contain a previous communication with said sender.
  - 4. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat if said sender does not appear in said contacts list.
  - 5. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat ifsaid sender has a sender identity that matches an identity of an entity in said contacts list;
    - andsaid entity in said contacts list is not associated with a known source of messages.
  - 6. The system of claim 5, wherein said entity in said contacts list is a distribution list.
  - 7. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat if said sender has a sender identity that is similar to, but not identical to, an identity of a person or organization in said contacts list.
  - 8. The system of claim 7, wherein said sender identity is considered to be similar to, but not identical to, an identity of a person or organization in said contacts list if a distance metric between said sender identity and said identity of said person or organization in said contacts list is below a threshold value and greater than zero.
  - 9. The system of claim 7, wherein said sender identity comprises one or more ofa sender email address;
    - a domain name of said sender email address;
      
      a portion of said domain name of said sender email address;
      
      a display name of said sender email address; and
      
      ,a biometric identifier of said sender.
  - 10. The system of claim 9, wherein said biometric identifier comprises one or more ofa fingerprint,a palm print,a voice print,a facial image, andan eye scan.
  - 11. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat if said sender has an identity that is similar to, but not identical to, an identity of a person or organization that was a sender or a receiver of a message in said archive of electronic messages.
  - 12. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisessaid electronic message contains a link to a website, wherein said website has a website identity that is similar to, but not identical to, a website identity referenced in a message in said archive of electronic messages.
  - 13. The system of claim 12, wherein said website identity referenced in a message in said archive of electronic messages is a domain identity associated with said sender of said message in said archive of electronic messages.
  - 14. The system of claim 1, wherein said determine whether said electronic message represents a potential threat comprisesclassify said electronic message as a potential threat if said electronic message contradicts a message in said archive of electronic messages.
  - 15. The system of claim 14, wherein said contradicts a message in said archive of electronic messages comprisessaid electronic message provides an account identity into which said user is directed to transfer funds;
    - andsaid message in said archive of electronic messages provides a different account identity into which said user is directed to transfer funds.
  - 16. The system of claim 1, wherein said website warning comprisesa warning to said user not to provide personal information to said website.
  - 17. The system of claim 1, wherein said website maturity score is calculated based on one or more ofan elapsed time since a domain associated with said website was registered;
    - and,a registration length of time for which said domain was registered.
  - 18. The system of claim 1, wherein said website maturity score is calculated based on an elapsed time since measured traffic to or from said website exceeded a traffic threshold value.
  - 19. The system of claim 1, wherein said message filter is further configured toidentify personal, sensitive, or confidential information in said one or more message parts;
    - and,transform said electronic message to protect said personal, sensitive, or confidential information if said personal, sensitive, or confidential information is present in said one or more message parts.
  - 20. The system of claim 19, wherein said personal, sensitive, or confidential information is identified using natural language processing.
  - 21. The system of claim 19, wherein said personal, sensitive, or confidential information is identified by tags inserted into said electronic message by said sender.
  - 22. The system of claim 19, wherein said transform said electronic message to protect said personal, sensitive, or confidential information comprises transform said personal, sensitive, or confidential information into an encoded form.
  - 23. The system of claim 19, wherein said transform said electronic message to protect said personal, sensitive, or confidential information comprisesdetermine whether each of said one or more receivers is authorized to receive said personal, sensitive, or confidential information;
    - andwarn said sender or remove a receiver from said electronic message if said receiver of said one or more receivers is not authorized to receive said personal, sensitive, or confidential information, or warn said sender and remove said receiver from said electronic message.
  - 24. The system of claim 23, wherein said remove said receiver from said electronic message further comprisesidentify an alternate email address for said receiver, wherein said alternate email address is authorized to receive said personal, sensitive, or confidential information;
    - and,add said alternate email address as a new receiver of said electronic message.
  - 25. The system of claim 1, further comprisingwherein said electronic message further comprisesa recipient information;
    - and,a resource or a reference to said resource;
      
      a message transformation subsystem that replaces said resource or said reference to said resource with a protected reference to said resource, to form a protected message;
      
      an authorization subsystem configured to determine whether said user is an authorized user who is permitted to use said protected reference to access said resource; and
      
      ,a secure resource access subsystem configured to provide said authorized user with secure access to said resource via a security mechanism that mitigates one or more potential threats from said resource;
      
      whereinsaid recipient of said electronic message creates a copy of said protected reference; and
      
      ,use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causessaid authorization subsystem to determine whether said user is said authorized user; and
      
      ,when said user is said authorized user, said secure resource access subsystem to provide said authorized user with said secure access to said resource via said security mechanism; and
      
      ,when said user is not said authorized user, said secure resource access subsystem to block access to said resource for said user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mimecast Services Limited (Mimecast Limited)
Original Assignee
Mimecast North America, Inc. (Mimecast Limited)
Inventors
Maylor, Jackie, Tyler, Simon, Bauer, Peter, Benamram, Gilly, Sowden, Paul, Malone, Steven, Van Ry, Wayne, Ribeiro, Francisco
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US15/010,023
Publication Number

US 20170078321A1
Time in Patent Office

473 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 12/4625   Single bridge functionality...

H04L 51/046   Interoperability with other...

H04L 51/212   using filtering or selectiv...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Malware detection system based on stored data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection system based on stored data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links