Managing infectious messages as identified by an attachment

US 7,343,624 B1
Filed: 06/16/2005
Issued: 03/11/2008
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method of evaluating a message for infectious file attachments, comprising:

receiving a message, the message including an attachment having a file name;

comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;

identifying an anomaly in the file name of the attachment for the message with respect to a file name of the legitimate attachment for one or more of the plurality of previously received legitimate messages;

executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;

calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and

forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.

163 Citations

View as Search Results

22 Claims

1. A method of evaluating a message for infectious file attachments, comprising:
- receiving a message, the message including an attachment having a file name;
  
  comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
  
  identifying an anomaly in the file name of the attachment for the message with respect to a file name of the legitimate attachment for one or more of the plurality of previously received legitimate messages;
  
  executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
  
  calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
  
  forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - comparing a body of the message with the plurality of previously received legitimate messages using an N-gram model, wherein the N-gram model describes properties of the plurality of the previously received legitimate messages including a legitimate attachment file name; and
      
      updating the probability as to whether the attachment is infectious based on a deviation of the body of the message from a baseline indicative of a legitimate message as reflected by the N-gram model.
  - 3. The method of claim 1, further comprising:
    - comparing a body of the message with the plurality of previously received legitimate messages by applying a probabilistic finite state automata (PFSA) to the message, wherein the PFSA describes properties of the plurality of the previously received legitimate messages including a legitimate attachment file name; and
      
      updating the probability as to whether the attachment is infectious based on a deviation of the body of the message from a baseline indicative of a legitimate message as reflected by the PFSA.
  - 4. The method of claim 1 further comprising:
    - comparing a body of the received message with a plurality of previously received legitimate messages by analyzing a signature of the message body, wherein the signature describes properties of the plurality of the previously received legitimate messages including a legitimate attachment file name; and
      
      updating the probability as to whether the attachment is infectious based more of the previously received legitimate messages.
  - 5. The method of claim 4 , wherein the similarity is a valuation from amongst a range of values.
  - 6. The method of claim 1, wherein the anomaly in the file name of the attachment with respect to the file name for one or more of the plurality of previously received legitimate messages is a misrepresentation of the type of file.
  - 7. The method of claim 1, wherein the second test includes a character test that processes the content of the attachment, and characters in the attachment not associated with a message file type as identified by the attachment file name generate a result indicating a further message anomaly.
  - 8. The method of claim 1, wherein the second test includes a bit pattern test that processes one or more portions of the attachment for bit patterns that indicate a file type, and wherein bit patterns not associated with a message file type as identified by the attachment file name generate a result indicating a further message anomaly.
  - 9. The method of claim 1, wherein the data store is a message quarantine, the message quarantine associated with messages that are not affirmatively infectious or legitimate.
  - 10. The method of claim 1, wherein the data store is a delivery queue, the delivery queue associated with messages that are affirmatively legitimate.
  - 11. The method of claim 1, wherein the data store is associated with messages to be deleted, the messages have been affirmatively identified as infectious.

12. A system for evaluating a message to detect an infectious attachment, the system comprising:
- a mail server including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to receive a message, the message including an attachment having a file name; and
  
  a network device coupled to the mail server, the network device including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform the steps of;
  
  receiving the message from the mail server prior to the message being placed in a delivery queue for delivery to a recipient,comparing the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a. legitimate attachment file name,identifying an anomaly in the file name of the attachment for the received message with respect to the legitimate attachment file name for one or more of the plurality of previously received legitimate messages,executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name,calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test, andforwarding the message to a data store for subsequent processing, the data store associated with, the probability as the whether the attachment is infectious.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the data store is associated with the mail server, the mail server being associated with messages that are affirmatively legitimate.
  - 14. The system of claim 12, wherein the data store is a message quarantine associated with messages that are not affirmatively infectious or affirmatively legitimate.
  - 15. The system of claim 12, wherein the data store is a data store associated with messages to be deleted, the messages having been affirmatively identified as infectious.

16. A computer readable storage medium having embodied thereon a program, the program being executable by a computing device to perform a method for detecting messages with infectious file attachments, the method comprising:
- receiving a message, the message including an attachment having a file name;
  
  comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
  
  identifying an anomaly in the file name of the attachment for the message with respect to a file name of the legitimate attachment for one or more of the plurality of previously received legitimate messages;
  
  executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
  
  calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
  
  forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.

17. A gateway appliance for use in a network for receiving electronic-mail, the gateway appliance including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform a method for evaluating a message to detect an infectious attachment prior to the message being delivered to a mail server on a local area network, the method comprising:
- receiving the message including an attachment having a file name prior to the message being delivered to a mail server associated with a recipient of the message;
  
  comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
  
  identifying an anomaly in the file name of the attachment for the received message with respect to a legitimate attachment file name for one or more of the plurality of previously received legitimate messages;
  
  executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
  
  calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
  
  forwarding the message to another location for subsequent processing, the other location associated with the probability as the whether the attachment is infectious.
- View Dependent Claims (18, 19, 20)
- - 18. The gateway appliance of claim 17, wherein the other location is the mail server on the local area network, the mail server associated with messages that are affirmatively legitimate.
  - 19. The gateway appliance of claim 17, wherein the other location is a message quarantine associated with messages that are not affirmatively infectious or legitimate.
  - 20. The gateway appliance of claim 17, wherein the other location is a data store associated with messages to be deleted, the messages having been affirmatively identified as infectious.

21. A system for evaluating a message to detect an infectious attachment, the system comprising:
- a network device including a processor and a computer-readably storage medium having embodied thereon a program, the program being executable by the processor to;
  
  receive the message prior to the message being delivered to a mail server associated with a recipient of the message,compare the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a legitimate attachment file name,identify an anomaly in the file name of the attachment for the received message with respect to a legitimate attachment file name for one or. ore of the plurality of previously received legitimate messages,execute a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name, andcalculate a probability as the whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
  
  a mail server including a processor and a computer-readable storage medium embodied thereon a program, the program being executable by the processor to receive the message from the network device if the probability of the message including an attachment that is infectious is below a predefined probability threshold.

22. A gateway appliance for use in a network for receiving electronic-mail, the gateway appliance including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform a method for evaluating a message to detect an infectious attachment after receipt of the message by a mail server on a local area network but prior to delivery of the message to an intended recipient, the method comprising:
- receiving the message from the mail server, the message including an attachment having a file name;
  
  comparing the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a legitimate attachment file name;
  
  identifying an anomaly in the file name of the attachment for the received message with respect to the legitimate attachment file name for one or more of the plurality of previously received legitimate messages;
  
  executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name;
  
  calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
  
  forwarding the message to the mail server if the probability of the message including an attachment that is infectious is below a predefined probability threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Pich; Ponnoreay

Application Number

US11/156,373
Time in Patent Office

999 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Managing infectious messages as identified by an attachment

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Managing infectious messages as identified by an attachment

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links