Systems and methods for enhancing electronic communication security

US 7,458,098 B2
Filed: 03/08/2002
Issued: 11/25/2008
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1. An application layer security system, the system comprising:

a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;

b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and

c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;

i) receives an electronic communication from a remote system and directed to or from a selected application server system;

ii) applies a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests combine to evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics of the electronic communication which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification;

iii) stores in the system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication; and

(2) a queue data store with an index queue associated with each of the plurality of test types;

iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store, the determination being based on comparing the behavioral attributes associated with the currently received electronic communication with identified behavioral attributes associated previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and

v) outputs an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for enhancing electronic communication security. An electronic communication related to an application is received and stored. One or more risk assessments are made with respect to the received communication thereby generating a risk profile associated with the communication. The risk profile is analyzed with respect to data associated with previously received communications to determine if the received communication is anomalous. If the received communication is determined to be anomalous, an anomaly indicator signal is output.

719 Citations

64 Claims

1. An application layer security system, the system comprising:
- a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;
  
  b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and
  
  c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;
  
  i) receives an electronic communication from a remote system and directed to or from a selected application server system;
  
  ii) applies a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests combine to evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics of the electronic communication which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification;
  
  iii) stores in the system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication; and
  
  (2) a queue data store with an index queue associated with each of the plurality of test types;
  
  iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store, the determination being based on comparing the behavioral attributes associated with the currently received electronic communication with identified behavioral attributes associated previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
  
  v) outputs an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 2. The system of claim 1, wherein the received electronic communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 3. The system of claim 2, wherein the received electronic communication is an e-mail communication.
  - 4. The system of claim 1, wherein each of the plurality of tests applied by the system processor comprises intrusion detection, virus detection, spam detection or policy violation detection.
  - 5. The system of claim 1, wherein the system processor applies each of the plurality of tests in a parallel fashion.
  - 6. The system of claim 1, wherein the system processor applies each of the plurality of tests in a sequential fashion.
  - 7. The system of claim 6, wherein the system data store comprises:
    - i) a message data store capable of storing an electronic communication, andii) a queue data store capable of storing a plurality of index queues;
      
      and wherein the system processor applies the plurality of tests in a sequential fashion by;
      
      1) storing the received electronic communication in the message data store;
      
      2) assigning a selected index to the stored electronic communication;
      
      3) executing a plurality of testing engines, wherein each of the testing engines has a test type and has an index queue in the queue data store associated with it, wherein at any given time at least two of the executing testing engines have differing test types, and wherein each of the testing engines;
      
      (a) monitors its associated index queue for a placed index;
      
      (b) retrieves the electronic communication associated with the placed index from the message data store; and
      
      (c) tests the retrieved electronic communication against a set of one or more criteria; and
      
      4) placing the selected index into the index queue associated with a first testing engine, wherein the first testing engine has a first test type; and
      
      5) placing the selected index into the index queue associated with a second testing engine, after the first testing engine performs its test upon the stored electronic communication associated with the selected index, wherein the second testing engine has a second test type that differs from the first test type.
  - 8. The system of claim 7, wherein the test type of each executing test engine is intrusion detection, virus detection, spam detection or policy violation detection.
  - 9. The system of claim 1, wherein the system processor applies each of the plurality of tests based upon configuration information stored in the system data store.
  - 10. The system of claim 1, wherein the system processor determines whether an anomaly exists further based upon configuration information stored in the system data store.
  - 11. The system of claim 10, wherein the configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
  - 12. The system of claim 1, wherein the system processor further derives one or more anomaly thresholds from the accumulated data associated with received electronic communications in the system data store.
  - 13. The system of claim 1, wherein the system processor determines whether an anomaly exists by:
    - 1) determining a set of anomaly types of interest;
      
      2) for each of the anomaly types of interest in the determined set,(a) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon accumulated data associated with received electronic communications from the system data store;
      
      (b) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and
      
      (c) determining whether an anomaly of the respective anomaly type exists with respect to the received electronic communication based upon the comparison.
  - 14. The system of claim 13, wherein the system processor determines the set of anomaly types of interest by reading configuration information from the system data store.
  - 15. The system of claim 13, wherein the system processor determines the set of anomaly types of interest based upon the received electronic communication.
  - 16. The system of claim 13, wherein the system processor acquires the one or more anomaly thresholds by deriving at least one anomaly threshold from the accumulated data associated with received electronic communications.
  - 17. The system of claim 16, wherein the derivation of the at least one anomaly threshold is further based upon a predetermined time period.
  - 18. The system of claim 13, wherein the system processor acquires at least one anomaly threshold of the one or more anomaly thresholds by reading configuration information from the system data store.
  - 19. The system of claim 1, wherein the anomaly indicator signal comprises a notification conveyed to an administrator.
  - 20. The system of claim 19, wherein the notification comprises an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or an SNMP alert.
  - 21. The system of claim 19, wherein the anomaly indicator signal further comprises an anomaly type and wherein the notification conveyed to the administrator comprises the anomaly type.
  - 22. The system of claim 1, wherein the anomaly indicator signal comprises an anomaly type.
  - 23. The system of claim 1, wherein the system is disposed between a firewall system and one or more application server systems.
  - 24. The system of claim 23, further comprising a firewall communication interface communicatively coupling the system to the firewall system, wherein the system processor receives the electronic communication directed to the selected application server system via the firewall communication interface.
  - 25. The system of claim 1, wherein the system processor further forwards the received electronic communication to a destination indicated by the received electronic communication.
  - 26. The system of claim 1, wherein the system processor further aggregates the stored risk profile with the accumulated data associated with received electronic communications and stores aggregated accumulated data in the system data store.
  - 27. The system of claim 1, wherein the system processor further stores the received electronic communication in the system data store.
  - 28. The system of claim 1, wherein the system processor further determines which of the plurality of tests to apply to the received communication.
  - 29. The system of claim 28, wherein the system processor determines the tests to be applied based upon configuration information stored in the system data store.
  - 30. The system of claim 28, wherein the system processor determines the tests to be applied based upon characteristics of the received electronic communication.
  - 31. The system of claim 1, wherein the system processor further provides an interface via which an administrator enters configuration information, receives configuration information from the interface and stores the received configuration information in the system data store.
  - 32. The system of claim 31, wherein the system processor applies the plurality of tests based upon the stored configuration information.
  - 33. The system of claim 31, wherein the system processor determines whether an anomaly exists based upon the stored configuration information.
  - 34. The system of claim 33, wherein the stored configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
  - 35. The system of claim 31, wherein the system processor provides the interface to the administrator via a Web server, an e-mail server, an automated voice recognition system or an SMS message server.
  - 36. The system of claim 31, wherein the system processor further populates the interface with default values prior to providing it to the administrator.
  - 37. The system of claim 1, wherein the system processor further takes a corrective measure responsive to the anomaly indicator signal.
  - 38. The system of claim 37, wherein the corrective measure comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to levels manageable by internal application servers.
  - 39. The system of claim 38, wherein the notification comprises an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or SNMP alert.
  - 40. The system of claim 1, wherein the one or more application server systems comprise e-mail server systems, Web server systems, FTP server systems, telnet server systems, GOPHER server systems or WAIS server systems.
  - 41. The system of claim 40, wherein the one or more application server systems are e-mail server systems.

42. A method for enhancing application layer communication security, the method comprising the steps of:
- a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
  
  b) applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, thereby generating at least one risk profile associated with the electronic communication, and storing in a system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
  
  c) determining whether an anomaly exists with respect to the received electronic communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
  
  d) outputting an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 43. The method of claim 42, wherein the received electronic communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 44. The method of claim 43, wherein the received electronic communication is an e-mail communication.
  - 45. The method of claim 42, wherein the step of applying plurality of tests comprises applying one or more of an intrusion detection test, a virus detection test, a spam detection test or a policy violation test.
  - 46. The method of claim 42, wherein the step of applying plurality of tests comprises sequentially applying a plurality of tests.
  - 47. The method of claim 46, wherein the step of applying plurality of tests comprises for each of the plurality of tests performing the steps of:
    - i) selecting a test to perform,ii) performing the selected test on the received electronic communication, andiii) outputting a risk profile based upon the performed test.
  - 48. The method of claim 47, and further comprising the step of receiving configuration information and wherein the step of selecting a test comprises selecting a test based upon the received configuration information.
  - 49. The method of claim 47, wherein the step of selecting a test comprises selecting a test based upon a type associated with the received electronic communication.
  - 50. The method of claim 42, and further comprising the step of receiving configuration information and wherein the step of determining whether an anomaly exists is further based upon the received configuration information.
  - 51. The method of claim 50, wherein the received configuration information comprises anomaly types or anomaly response information.
  - 52. The method of claim 51, and further comprising the step of receiving accumulated data associated with received communication and wherein the step of determining whether an anomaly exists comprises deriving anomaly threshold information from the received accumulated data.
  - 53. The method of claim 51, wherein the received configuration information further comprises anomaly threshold information or anomaly time period information.
  - 54. The method of claim 42, and further comprising the step of receiving accumulated data associated with received communication and wherein the step of determining whether an anomaly exists is further based upon the received accumulated data associated with received communications.
  - 55. The method of claim 42, and further comprising the step of taking a corrective measure responsive to the anomaly indicator signal.

56. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to provide application layer security, the media having stored instruction that cause the system processor to perform the steps comprising of:
- a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
  
  b) applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, thereby generating at least one risk profile associated with the electronic communication, and storing in a system data store (1) the risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
  
  c) determining whether an anomaly exists with respect to the received electronic communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
  
  d) outputting an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
- View Dependent Claims (57, 58, 59, 60, 61, 62)
- - 57. The media of claim 56, wherein the instructions causing the system processor to receive the electronic communication comprise instructions causing the system processor to receive an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 58. The media of claim 56, wherein the instructions causing the system processor to receive the electronic communication comprise instructions causing the system processor to receive an e-mail communication.
  - 59. The media of claim 56, wherein the instructions causing the system processor to apply the plurality of tests comprise instructions causing the system processor to apply one or more of an intrusion detection test, a virus detection test, a spam detection test or a policy violation test.
  - 60. The media of claim 56, wherein the instructions causing the system processor to apply a plurality of tests comprise instructions causing the system processor to:
    - i) select a test to perform;
      
      ii) perform the selected test on the received electronic communication; and
      
      iii) outputting a risk profile based upon the performed test.
  - 61. The media of claim 56, wherein the instructions causing the system processor to determine whether an anomaly exists comprises instruction causing the system processor to:
    - i) determine a set of anomaly types of interest;
      
      ii) for each of the anomaly types of interest in the determined set,1) acquire one or more anomaly thresholds associated with the respective anomaly type;
      
      2) compare information in the at least one risk profile against at least one of the acquired one or more anomaly thresholds; and
      
      3) determine whether an anomaly of the respective anomaly type exists with respect to the received electronic communication based upon the comparison.
  - 62. The media of claim 56, wherein the instructions causing the system processor to output the anomaly indicator signal comprise instructions causing the system to convey a notification to an administrator, wherein the notification comprises an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or an SNMP alert.

63. An application layer security system, the system comprising:
- a) receiving means for receiving an application layer electronic communication;
  
  b) storing means for storing an electronic communication and accumulated data associated with received electronic communications;
  
  c) assessment means for applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories each of the plurality of tests being operable to measure different behavioral attributes present in a particular security risk category from among the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, and for storing a risk profile in the storing means, wherein the risk profile was generated from applying the plurality of tests to the received electronic communication, and thereby storing in a system data store (1) the risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
  
  d) anomaly determining means for determining whether an anomaly exists with respect to the received communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
  
  e) output means for outputting an anomaly indicator signal if an anomaly was determined to exist by the anomaly determining means based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.

64. An application layer security system, the system comprising:
- a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;
  
  b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and
  
  c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;
  
  i) receives an electronic communication directed to or from a selected application server system;
  
  ii) applies a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests combine to evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics of the electronic communication which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification;
  
  iii) stores in the system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication; and
  
  (2) a queue data store having a plurality of index queue associated with the plurality of test types;
  
  iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store; and
  
  v) outputs an anomaly indicator signal if an anomaly is determined to exist;
  
  wherein the system data store comprises;
  
  i) a message data store capable of storing an electronic communication, andii) the queue data store capable of storing the plurality of index queues;
  
  and wherein the system processor applies the plurality of tests in a sequential fashion by;
  
  1) storing the received electronic communication in the message data store;
  
  2) assigning a selected index to the stored electronic communication;
  
  3) executing a plurality of testing engines, wherein each of the testing engines has a test type and has an index queue in the queue data store associated with it, wherein at any given time at least two of the executing testing engines have differing test types, and wherein each of the testing engines;
  
  (a) monitors its associated index queue for a placed index;
  
  (b) retrieves the electronic communication associated with the placed index from the message data store; and
  
  (c) tests the retrieved electronic communication against a set of one or more criteria; and
  
  4) placing the selected index into the index queue associated with a first testing engine, wherein the first testing engine has a first test type; and
  
  5) placing the selected index into the index queue associated with a second testing engine, after the first testing engine performs its test upon the stored electronic communication associated with the selected index, wherein the second testing engine has a second test type that differs from the first test type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Rajan, Guru, Judge, Paul
Primary Examiner(s)
Chai; Longbit

Application Number

US10/094,211
Publication Number

US 20030172166A1
Time in Patent Office

2,454 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Systems and methods for enhancing electronic communication security

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

719 Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for enhancing electronic communication security

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

719 Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links