Systems and methods for upstream threat pushback
Abstract
The present invention is directed to systems and methods for detecting and preventing the delivery of unsolicited communications. A communication transmitted over a communications network is received and analyzed by a system processor. The system processor can extract attributes from the communication and compare extracted attributes to information stored in a system data store. In processing the communication, the system processor may assign a confidence level, a trust level, or other indicia of content. The results of that processing, analysis, and comparison can be propagated to one or more upstream computers in the path from the communication's origin to its destination. Such one or more upstream computers are identified from within the content of the communication, the header of the communication and/or the transfer protocol interactions in receiving the communication. The identified computers are authenticated to limit forgery. The upstream computers receiving the propagated information can selectively apply the information to reduce the flow of communications exhibiting the same threat and/or undesirable characteristics.
46 Claims
1. A method for identifying a back trail for an electronic communication, the method comprising the steps of:
   a) receiving an electronic communication comprising a destination address;
   b) identifying one or more addresses of computer systems in a path from a source to the destination address;
   c) analyzing authenticity of at least one of the identified computer system addresses; and
   d) outputting one or more computer system addresses analyzed to be authentic;
   wherein the step of analyzing authenticity comprises assigning a confidence level to each of the at least one identified computer system addresses.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A system for identifying a back trail for an electronic communication, the system comprising:
   a) an interface adapted to link the system with a communication network;
   b) a system data store capable of storing one or more electronic communications, data associated therewith, configuration data or combinations thereof; and
   c) a system processor in communication with the interface and the system data store and comprising one or more processing elements, wherein the one or more processing elements are programmed or adapted to:
      i) receive a communication via the interface, wherein the received communication comprises a header having a destination address;
      ii) store the received communication in the system data store;
      iii) parse the header of the received communication for one or more addresses of computer systems in a path between a source and the destination address;
      iv) perform a plurality of tests on each of the one or more addresses to assign a confidence value to each address;
      v) determine whether each address is valid by comparing its assigned confidence value to a predetermined threshold in the system data store; and
      vi) output each address determined valid.
   Dependent claims: 16, 17.
18. A system for identifying a back trail for an electronic communication, the system comprising:
   a) interface means for receiving communications transmitted over a communication network;
   b) storage means for storing at least one or more received communications, data associated therewith, configuration data or combinations thereof;
   c) identification means for identifying from a received communication one or more addresses along a path between a source of a received communication and a destination of the received communication;
   d) verification means for verifying each address identified by the identification means, comprising means for assigning a confidence value to each address and means for comparing the confidence value assigned to each address with a predetermined threshold in the storage means; and
   e) means for outputting verified addresses.
19. Computer readable media storing instructions that upon execution by a system processor cause the system processor to identify a back trail for an electronic communication by performing the steps comprising of:
   a) receiving a communication via the interface, wherein the received communication comprises a header having a destination address;
   b) storing the received communication in the system data store;
   c) parsing the header of the received communication for one or more addresses of computer systems in a path between a source and the destination address;
   d) performing a plurality of tests on each of the one or more addresses to assign a confidence value to each address;
   e) determining whether each address is valid by comparing its assigned confidence value to a predetermined threshold in the system data store; and
   f) outputting each address determined valid.
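The back-trail procedure of claims 15 and 19 (parse the header for relay addresses, run a plurality of tests on each, assign a confidence value, compare it with a stored threshold, output the addresses that pass), as an added example that is not the patent's own implementation. The sample message, the three tests and their weights, the threshold and the local MTA name are all constructed assumptions; the only facts taken from the page are the steps themselves.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string

# Constructed sample (not from the patent): three Received headers, newest first.
# The oldest hop presents a private address and announces our own MTA's name.
SAMPLE_MESSAGE = (
    "Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])\n"
    "\tby mail.example.com (Postfix) with ESMTP id ABC123\n"
    "\tfor <user@example.com>; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby mx-edge.example.net with ESMTP; Mon, 01 Jan 2024 09:59:50 +0000\n"
    "Received: from unknown (HELO mail.example.com) [10.0.0.5]\n"
    "\tby relay.example.org; Mon, 01 Jan 2024 09:59:40 +0000\n"
    "From: sender@example.org\nTo: user@example.com\nSubject: constructed sample\n\nbody\n"
)

# Assumed configuration data (the claims' "predetermined threshold in the system data store").
LOCAL_MTA_NAMES = {"mail.example.com"}   # names only our own relay legitimately writes
CONFIDENCE_THRESHOLD = 0.7
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"^from\s+([^\s;()]+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)
_HELO_RE = re.compile(r"\(HELO\s+([^\s;()]+)\)", re.IGNORECASE)


@dataclass
class Hop:
    from_host: str   # host the writing relay says it received from
    helo: str        # HELO name the sender announced, if the relay recorded it
    by_host: str     # relay that wrote this header
    ip: str          # bracketed connecting address
    confidence: float = 0.0
    passed: list = field(default_factory=list)


def parse_hops(raw_message):
    """Step iii: parse the Received headers (newest first) into Hop records."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())            # unfold continuation lines
        ip, frm = _IP_RE.search(line), _FROM_RE.search(line)
        by, helo = _BY_RE.search(line), _HELO_RE.search(line)
        hops.append(Hop(from_host=frm.group(1).lower() if frm else "",
                        helo=helo.group(1).lower() if helo else "",
                        by_host=by.group(1).lower() if by else "",
                        ip=ip.group(1) if ip else ""))
    return hops


# Step iv: a plurality of tests; each one passed adds its weight to the hop's confidence.
def routable_ip(hop, _older):
    """Connecting address is public and routable (not RFC 1918, loopback, etc.)."""
    return bool(hop.ip) and not any(ipaddress.ip_address(hop.ip) in n for n in NON_ROUTABLE)


def chain_consistent(hop, older):
    """This header's 'from' host is the 'by' host of the next older header."""
    return older is not None and hop.from_host == older.by_host


def no_local_impersonation(hop, _older):
    """A foreign hop must not present itself as our own relay."""
    return hop.from_host not in LOCAL_MTA_NAMES and hop.helo not in LOCAL_MTA_NAMES


TESTS = [("routable_ip", 0.5, routable_ip),
         ("chain_consistent", 0.3, chain_consistent),
         ("no_local_impersonation", 0.2, no_local_impersonation)]


def score_hops(hops):
    """Assign a confidence value to every hop; the oldest hop has no older neighbour."""
    for idx, hop in enumerate(hops):
        older = hops[idx + 1] if idx + 1 < len(hops) else None
        for name, weight, test in TESTS:
            if test(hop, older):
                hop.confidence += weight
                hop.passed.append(name)
    return hops


def authentic_back_trail(raw_message, threshold=CONFIDENCE_THRESHOLD):
    """Steps v and vi: output only the addresses whose confidence reaches the threshold."""
    hops = score_hops(parse_hops(raw_message))
    return [h.ip for h in hops if h.confidence >= threshold]


if __name__ == "__main__":
    for hop in score_hops(parse_hops(SAMPLE_MESSAGE)):
        print(f"{hop.ip:15} confidence={hop.confidence:.1f} passed={hop.passed}")
    print("authentic back trail:", authentic_back_trail(SAMPLE_MESSAGE))
```

Only the two outer hops survive the threshold; the innermost hop fails every test, so the forged private address is never handed to the push-back step, which is exactly the forgery limit the abstract describes. The chain-consistency test cannot vouch for the oldest header, so in this scheme an originating relay has to earn its confidence from the other tests.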
20. A threat push-back system within, or in communication with, an application layer security system, a threat management center or an application client, the system comprising:
   a) an interface communicatively coupling the system to a communication network;
   b) a system data store capable of storing an electronic communication and accumulated data associated with one or more received electronic communications; and
   c) a system processor in communication with the system data store and the interface, wherein the system processor comprises one or more processing elements and wherein the system processor:
      i) receives a communication via the interface;
      ii) generates a threat profile associated with the received communication;
      iii) stores in the system data store the generated threat profile associated with the received communication;
      iv) compares the generated threat profile with threat configuration information;
      v) if the comparison indicates the received communication represents a threat,
         1) determines one or more computer addresses in a back path of the received communication;
         2) analyzes the one or more computer addresses in the back path of the received communication for authenticity;
         3) assigns a confidence value to the one or more computer addresses based upon the analysis; and
         4) outputs information based upon the stored threat profile to one or more upstream computers associated with one or more of the determined addresses.
   Dependent claims: 21 through 43.
44. A computer implemented threat push-back method, the method comprising the steps of:
   a) providing an interface for establishing configuration information regarding one or more threat types, wherein configuration information comprises threat types of interest and weights associated therewith;
   b) receiving a communication;
   c) generating a threat profile associated with the received communication by applying one or more tests to the received communication, wherein each of the one or more tests evaluates the received communication for a particular security risk;
   d) comparing the generated threat profile with the configuration information by calculating a threat value from the threat profile and determining whether the threat value satisfies a predetermined threat condition; and
   e) if the comparison indicates the received communication represents a threat,
      i) determining one or more computer addresses in a back path of the received communication;
      ii) analyzing authenticity of at least one of the determined computer system addresses;
      iii) assigning a confidence value to said at least one of the determined computer system addresses;
      iv) taking a corrective measure, wherein the corrective measure comprises conveying a notification to one or more users, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to levels manageable by internal application servers, wherein each notification conveyed comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert or an SNMP alert; and
      v) outputting information based upon the stored threat profile to one or more upstream application layer security systems, one or more threat management systems, or combinations thereof, wherein each upstream application layer security system or threat management system is associated with one or more of the determined addresses.
45. Computer readable media storing instructions that upon execution by a system processor cause the system processor to identify and push back threat information upstream of an identified threat by performing the steps comprising of:
   a) providing an interface for establishing configuration information regarding one or more threat types, wherein configuration information comprises threat types of interest and weights associated therewith;
   b) receiving a communication;
   c) generating a threat profile associated with the received communication by applying one or more tests to the received communication, wherein each of the one or more tests evaluates the received communication for a particular security risk;
   d) comparing the generated threat profile with the configuration information by calculating a threat value from the threat profile and determining whether the threat value satisfies a predetermined threat condition; and
   e) if the comparison indicates the received communication represents a threat,
      i) determining one or more computer addresses in a back path of the received communication;
      ii) analyzing authenticity of at least one of the determined computer system addresses;
      iii) assigning a confidence value to said at least one of the determined computer system addresses;
      iv) outputting a threat notification to one or more users, wherein each outputted threat notification comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert, or an SNMP alert; and
      v) outputting information based upon the stored threat profile to one or more upstream application layer security systems, one or more threat management systems, or combinations thereof, wherein each upstream application layer security system or threat management system is associated with one or more of the determined addresses.
46. A threat push-back system within, or in communication with, an application layer security system, a threat management center or an application client, the system comprising:
   a) configuration means for establishing configuration information regarding one or more threat types, wherein configuration information comprises threat types of interest and weights associated therewith;
   b) receiving means for receiving an electronic communication;
   c) means for generating a threat profile associated with the received communication by applying one or more tests to the received communication, wherein each of the one or more tests evaluates the received communication for a particular security risk;
   d) means for comparing the generated threat profile with the configuration information by calculating a threat value from the threat profile and determining whether the threat value satisfies a predetermined threat condition;
   e) back path identification means for determining one or more computer addresses in a back path of the received communication;
   f) authentication means for authenticating at least one of the one or more computer addresses from the back path identification means, wherein the authentication means assigns a confidence level to each of said at least one of the one or more computer addresses;
   g) output means for outputting information based upon the stored threat profile to one or more upstream application layer security systems, one or more threat management systems, or combinations thereof, wherein each upstream application layer security system or threat management system is associated with one or more of the determined addresses; and
   h) means for taking a corrective measure, wherein the corrective measure comprises conveying a notification to one or more users, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to levels manageable by internal application servers, wherein each notification conveyed comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert or an SNMP alert.
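The threat-profile side of claims 44 through 46 (weighted threat types from configuration, one test per security risk, a threat value compared with a predetermined condition, a corrective measure chosen from the claim's list, and the record pushed back to systems associated with the back-trail addresses), as an added example that is not the patent's own implementation. The three tests, their weights, the threshold, the notification recipient and both sample messages are constructed assumptions; the back-trail addresses are taken as input, as produced by an authenticated back-trail step like the one in claim 15.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed configuration (claim 44 step a): threat types of interest and their weights.
THREAT_CONFIG = {
    "executable_attachment": 0.6,
    "envelope_header_mismatch": 0.3,
    "pressure_language": 0.1,
}
THREAT_THRESHOLD = 0.5     # assumed "predetermined threat condition": value >= threshold
REFUSE_SOURCE_AT = 0.9     # assumed band for the stronger corrective measure

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".js", ".vbs")
PRESSURE_WORDS = ("urgent", "immediately", "final notice")

# Constructed sample messages (not from the patent).
SUSPICIOUS_MESSAGE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Accounts" <billing@example.org>\n'
    "To: user@example.com\n"
    "Subject: URGENT: overdue invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n--BOUNDARY\nContent-Type: text/plain\n\n"
    "Please open the attached invoice immediately.\n"
    "--BOUNDARY\n"
    'Content-Type: application/octet-stream; name="invoice.exe"\n'
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "\nMZ placeholder bytes\n--BOUNDARY--\n"
)
BENIGN_MESSAGE = (
    "Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
    "To: user@example.com\nSubject: Meeting notes\n\nNotes are below.\n"
)


def _domain(header_value):
    """Lower-cased domain of the first address found in a header value."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


# Claim 44 step c: each test evaluates one particular security risk, scored in [0, 1].
def executable_attachment(msg: Message) -> float:
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS):
            return 1.0
    return 0.0


def envelope_header_mismatch(msg: Message) -> float:
    frm, rp = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    return 1.0 if frm and rp and frm != rp else 0.0


def pressure_language(msg: Message) -> float:
    subject = (msg.get("Subject") or "").lower()
    return 1.0 if any(w in subject for w in PRESSURE_WORDS) else 0.0


TESTS = {"executable_attachment": executable_attachment,
         "envelope_header_mismatch": envelope_header_mismatch,
         "pressure_language": pressure_language}


def threat_profile(raw_message):
    """Run every test; the resulting profile is what gets stored with the message."""
    msg = message_from_string(raw_message)
    return {name: test(msg) for name, test in TESTS.items()}


def threat_value(profile, config=THREAT_CONFIG):
    """Step d: weighted sum over the configured threat types of interest."""
    return round(sum(config[t] * profile.get(t, 0.0) for t in config), 4)


def push_back(raw_message, back_trail, config=THREAT_CONFIG, threshold=THREAT_THRESHOLD):
    """Step e: on a threat, choose a corrective measure from the claim's list and build
    the record conveyed to upstream systems associated with the back-trail addresses."""
    profile = threat_profile(raw_message)
    value = threat_value(profile, config)
    record = {"is_threat": value >= threshold, "threat_value": value, "profile": profile}
    if not record["is_threat"]:
        return record
    record["corrective_measure"] = (
        "refuse_further_from_source" if value >= REFUSE_SOURCE_AT else "quarantine")
    record["notification"] = {"channel": "e-mail", "recipients": ["secops@example.com"]}
    record["push_back_to"] = list(back_trail)   # authenticated addresses only
    return record


if __name__ == "__main__":
    print(push_back(SUSPICIOUS_MESSAGE, ["203.0.113.10", "198.51.100.7"]))
    print(push_back(BENIGN_MESSAGE, []))
```

Keeping the weights in configuration rather than in the tests is what lets an operator raise or lower the emphasis on one threat type without touching detection code, and rounding the weighted sum avoids a threshold comparison that silently fails on floating-point residue (0.6 + 0.3 + 0.1 does not equal 1.0 exactly in binary floating point).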
Specification