Zero-minute virus and spam detection

US 7,603,472 B2
Filed: 10/26/2006
Issued: 10/13/2009
Est. Priority Date: 02/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method for detecting unwanted electronic messages at a certain location on an electronic communications network, the method comprising:

a) establishing a database for storing metadata associated with electronic message traffic according to at least source addresses of senders of electronic messages;

b) monitoring electronic message transmissions at the certain location on the electronic communications network;

c) extracting information from the monitored electronic messages as they are transmitted across the electronic communications network, substantially without imposing a delay on the transmission of the electronic messages;

c) populating the database with metadata derived from analysis of the monitored electronic messages, the metadata including metadata derived by analyzing the content of the monitored electronic messages;

d) determining that certain monitored electronic messages are likely to be unwanted by an intended recipient based on an examination of the metadata associated with the source addresses of the senders of the monitored electronic messages and based on the analysis of the content of the monitored electronic messages, and at least in part without reference to a promulgated database of “

signatures”

of unwanted electronic messages; and

e) conditionally delivering electronic messages according to instructions from an interpreter process, the interpreter process communicating with a content-sensing application in logical communication with the interpreter process, such that if the content-sensing application analyzes the monitored electronic messages as likely unwanted by an intended recipient, then the method can, in coordination with the interpreter process and content-sensing application, configure the delivery of the unwanted electronic messages to route them to a message quarantine center, wherein actions of the interpreter process and configuration parameters corresponding to the actions of the interpreter process are logged to an interpreter process database and then later used for the determining that certain monitored electronic messages are likely to be unwanted based on patterns recognized in the traffic monitor.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed in this application are systems and methods for detecting unwanted electronic message transmissions at a certain location on an electronic communications network. The disclosed principles include establishing a database for storing metadata associated with message traffic according to at least the source addresses of the senders of electronic message transmissions. The disclosed principles also include monitoring electronic message transmissions at the certain location on the electronic communications network. Also, included is populating the database with metadata derived from analysis of the monitored electronic messages, where the metadata includes metadata derived by analyzing the contents of the monitored electronic messages. Based upon the populated database, it is determined whether certain received electronic messages are likely to be unwanted based on an examination of the metadata associated with the source addresses of the senders of the received electronic messages and based on the analysis of the content of monitored electronic messages at least in part without reference to a promulgated database of “signatures” of known unwanted electronic messages.

75 Citations

View as Search Results

29 Claims

1. A method for detecting unwanted electronic messages at a certain location on an electronic communications network, the method comprising:
- a) establishing a database for storing metadata associated with electronic message traffic according to at least source addresses of senders of electronic messages;
  
  b) monitoring electronic message transmissions at the certain location on the electronic communications network;
  
  c) extracting information from the monitored electronic messages as they are transmitted across the electronic communications network, substantially without imposing a delay on the transmission of the electronic messages;
  
  c) populating the database with metadata derived from analysis of the monitored electronic messages, the metadata including metadata derived by analyzing the content of the monitored electronic messages;
  
  d) determining that certain monitored electronic messages are likely to be unwanted by an intended recipient based on an examination of the metadata associated with the source addresses of the senders of the monitored electronic messages and based on the analysis of the content of the monitored electronic messages, and at least in part without reference to a promulgated database of “
  
  signatures”
  
  of unwanted electronic messages; and
  
  e) conditionally delivering electronic messages according to instructions from an interpreter process, the interpreter process communicating with a content-sensing application in logical communication with the interpreter process, such that if the content-sensing application analyzes the monitored electronic messages as likely unwanted by an intended recipient, then the method can, in coordination with the interpreter process and content-sensing application, configure the delivery of the unwanted electronic messages to route them to a message quarantine center, wherein actions of the interpreter process and configuration parameters corresponding to the actions of the interpreter process are logged to an interpreter process database and then later used for the determining that certain monitored electronic messages are likely to be unwanted based on patterns recognized in the traffic monitor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, and farther comprising establishing SMTP connections between the senders of electronic messages and at least certain mail sewers of intended recipients of the electronic messages.
  - 3. A method according to claim 2, wherein the monitoring of the electronic message transmissions occurs as each of the SMTP connections between a sender and a certain mail server of an intended recipient of a monitored electronic message is processed.
  - 4. A method according to claim 1, wherein the method derives metadata from the monitored electronic messages at least in part by using program threads for detecting unwanted messages.
  - 5. A method according to claim 4, wherein the unwanted electronic messages are detected at least in part by examining their content.
  - 6. A method according to claim 5, wherein the examined content indicates that the unwanted electronic messages are spam.
  - 7. A method according to claim 6, wherein the metadata comprises a count of the number of spam messages sent from a sending mail server.
  - 8. A method according to claim 6, wherein the metadata comprises a count of the number of virus-bearing messages sent from a sending mail server.
  - 9. A method according to claim 5, wherein the examined content indicates that the unwanted electronic messages are viruses.
  - 10. A method according to claim 9, wherein the metadata comprises a count of the number of virus-bearing messages sent from a sending mail server.
  - 11. A method according to claim 4, wherein the unwanted electronic messages are detected at least in part by examining their size.
  - 12. A method according to claim 1, wherein the determining comprises detecting that the same or similar messages are being transmitted repeatedly.
  - 13. A method according to claim 12, wherein it is detected that the same or similar messages are being transmitted repeatedly to the same intended recipient or group of intended recipients.
  - 14. A method according to claim 13, wherein the detecting comprises detecting a pattern consistent with an email bomb attack.
  - 15. A method according to claim 13, wherein the detecting comprises detecting a pattern consistent with a directory harvest attack.
  - 16. A method according to claim 15, wherein the extracted information about the quarantined electronic messages is logged to an interpreter process database and then later used for the determining that certain monitored electronic messages are likely to be unwanted based on patterns recognized in the traffic monitor.
  - 17. A method according to claim 1, wherein the metadata upon which the determining is based is generated from substantially all of the monitored electronic messages.

18. A method for detecting unwanted electronic messages at a certain location on an electronic communications network, the method comprising:
- a) establishing a database for storing metadata associated with electronic message traffic according to at least source addresses of senders of electronic messages;
  
  b) monitoring electronic message transmissions at the certain location on the electronic communications network;
  
  c) extracting information from substantially all of the monitored electronic messages as they are transmitted across the electronic communications network, substantially without imposing a delay on the transmission of the electronic messages;
  
  d) populating the database with metadata derived from analysis of the monitored electronic messages, the analysis performed at least in part by program threads for determining unwanted electronic messages, the metadata including metadata derived by analyzing the contents of the monitored electronic messages;
  
  e) determining that certain monitored electronic messages are likely to be unwanted by an intended recipient based on an examination of the metadata associated with the source addresses of the senders of the monitored electronic messages and based on the analysis of the content of the monitored electronic messages, and at least in part without reference to a promulgated database of “
  
  signatures”
  
  of unwanted electronic messages; and
  
  f) conditionally delivering electronic messages according to instructions from an interpreter process, the interpreter process communicating with a content-sensing application in logical communication with the interpreter process, such that if the content-sensing application analyzes the monitored electronic messages as likely unwanted, then the method can, in coordination with the interpreter process and content-sensing application, configure the delivery of the unwanted electronic messages to route them to a message quarantine center, wherein actions of the interpreter process and configuration parameters corresponding to the actions of the interpreter process are logged to an interpreter process database and then later used for the determining that certain received electronic messages are likely to be unwanted based on patterns recognized in the traffic monitor.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. A method according to claim 18, and further comprising establishing SMTP connections between the senders of electronic messages and at least certain mail servers of intended recipients of the electronic messages.
  - 20. A method according to claim 19, wherein the monitoring of the electronic messages occurs as each of the SMTP connections between a sender and a certain mail server of an intended recipient of a monitored electronic message is processed.
  - 21. A method according to claim 18, wherein the examined content indicates that the unwanted electronic messages are spam.
  - 22. A method according to claim 21, wherein the metadata comprises a count of the number of spam messages sent from a sending mail server.
  - 23. A method according to claim 18, wherein the examined content indicates that the unwanted electronic messages are viruses.
  - 24. A method according to claim 18, wherein the unwanted electronic messages are detected at least in part by examining their size.
  - 25. A method according to claim 18, wherein the determining comprises detecting that the same or similar messages are being transmitted repeatedly.
  - 26. A method according to claim 25, wherein it is detected that the same or similar messages are being transmitted repeatedly to the same intended recipient or group of intended recipients.
  - 27. A method according to claim 26, wherein the detecting comprises detecting a pattern consistent with an email bomb attack.
  - 28. A method according to claim 26, wherein the detecting comprises detecting a pattern consistent with a directory harvest attack.
  - 29. A method according to claim 18, wherein the extracted information is logged to an interpreter process database and then later used for the determining that certain monitored electronic messages are likely to be unwanted based on patterns recognized in the traffic monitor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Cox, Fred, Akamine, Shinya, Lund, Peter K., Petry, Scott M., Oswall, Michael J.
Primary Examiner(s)
NGUYEN, THANH T

Application Number

US11/553,306
Publication Number

US 20070050461A1
Time in Patent Office

1,083 Days
Field of Search

709/230, 709/223, 709/229, 709/224, 705 40- 44, 713/151, 713/154
US Class Current

709/230
CPC Class Codes

G06Q 20/102   Bill distribution or payments

G06Q 20/105   involving programming of a ...

G06Q 20/108   Remote banking, e.g. home b...

G06Q 20/1085   involving automatic teller ...

G06Q 20/40   Authorisation, e.g. identif...

H04L 43/00   Arrangements for monitoring...

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Zero-minute virus and spam detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Zero-minute virus and spam detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links