METHOD AND SYSTEM FOR USING SPAM E-MAIL HONEYPOTS TO IDENTIFY POTENTIAL MALWARE CONTAINING E-MAILS

US 20110179487A1
Filed: 01/20/2010
Published: 07/21/2011
Est. Priority Date: 01/20/2010
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:

providing one or more honeypot computing systems;

providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;

receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;

using one or more processors associated with one or more computing systems to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;

as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;

using one or more processors associated with one or more computing systems to extract one or more features, or feature values, associated with the identified potential malware containing e-mails;

defining a burst threshold for one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, such that if one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in a defined period of time, the feature, or feature value, is considered an indicator of a malware containing e-mail;

using one or more processors associated with one or more computing systems to detect that an extracted feature, or feature value, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in the defined period of time;

transforming a status of the feature, or feature value, associated with the identified potential malware containing e-mails to the status of suspicious e-mail parameter; and

using one or more processors associated with one or more computing systems to distribute the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for employing honeypot systems to identify potential malware containing messages whereby a decoy system to receive illegitimate e-mails is established. E-mails sent to the spam e-mail honeypot decoy are initially scanned/filtered and e-mails that are not considered possible malware containing e-mails are filtered out while the remaining e-mails sent to the spam e-mail honeypot decoy are identified as potential malware containing e-mails. One or more features, and/or feature values, of the identified e-mails are then identified, extracted and ranked. Once a given feature, and/or feature value, occurs more than a burst threshold number of times, the status of the given feature, and/or feature value, is transformed to that of suspicious e-mail parameter.

Citations

20 Claims

1. A computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:
- providing one or more honeypot computing systems;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  using one or more processors associated with one or more computing systems to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  using one or more processors associated with one or more computing systems to extract one or more features, or feature values, associated with the identified potential malware containing e-mails;
  
  defining a burst threshold for one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, such that if one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in a defined period of time, the feature, or feature value, is considered an indicator of a malware containing e-mail;
  
  using one or more processors associated with one or more computing systems to detect that an extracted feature, or feature value, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in the defined period of time;
  
  transforming a status of the feature, or feature value, associated with the identified potential malware containing e-mails to the status of suspicious e-mail parameter; and
  
  using one or more processors associated with one or more computing systems to distribute the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or do not include binary attachments, or that have only image based binary attachments, from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 3. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - for each extracted feature type of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 4. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 5. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 6. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.
  - 7. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is a defined character string.

8. A system for employing honeypot systems to identify potential malware containing messages comprising:
- one or more honeypot computing systems;
  
  at least one computing system;
  
  at least one e-mail system;
  
  at least one processor associated with the at least one computing system, the at least one processor associated with the at least one computing system executing at least part of a computing system implemented process for employing honeypot systems to identify potential malware containing messages, the computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  using the at least one processor associated with the at least one computing system to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  using the at least one processor associated with the at least one computing system to extract one or more features, or feature values, associated with the identified potential malware containing e-mails;
  
  defining a burst threshold for one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, such that if one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in a defined period of time, the feature, or feature value, is considered an indicator of a malware containing e-mail;
  
  using the at least one processor associated with the at least one computing system to detect that an extracted feature, or feature value, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in the defined period of time;
  
  transforming a status of the feature, or feature value, associated with the identified potential malware containing e-mails to the status of suspicious e-mail parameter; and
  
  using the at least one processor associated with the at least one computing system to distribute the suspicious e-mail parameter to one or more security systems or the at least one e-mail system for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the at least one e-mail system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or do not include binary attachments, or that have only image based binary attachments, from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 10. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - for each extracted feature type of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 11. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 12. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 13. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.
  - 14. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is a defined character string.

15. A method for employing honeypot systems to identify potential malware containing messages comprising:
- providing one or more honeypot computing systems;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  performing a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  extracting one or more features, or feature values, associated with the identified potential malware containing e-mails;
  
  defining a burst threshold for one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, such that if one or more of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in a defined period of time, the feature, or feature value, is considered an indicator of a malware containing e-mail;
  
  detecting that an extracted feature, or feature value, associated with the identified potential malware containing e-mails, occurs more than the burst threshold number of times for the feature, or feature value, in the defined period of time;
  
  transforming a status of the feature, or feature value, associated with the identified potential malware containing e-mails to the status of suspicious e-mail parameter; and
  
  distributing the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or do not include binary attachments, or that have only image based binary attachments, from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 17. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - for each extracted feature type of the extracted one or more features, or feature values, associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 18. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 19. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 20. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - at least one of the one or more extracted features, or feature values, associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lee, Martin

Granted Patent

US 8,549,642 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

METHOD AND SYSTEM FOR USING SPAM E-MAIL HONEYPOTS TO IDENTIFY POTENTIAL MALWARE CONTAINING E-MAILS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR USING SPAM E-MAIL HONEYPOTS TO IDENTIFY POTENTIAL MALWARE CONTAINING E-MAILS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links