Method and apparatus for managing computer virus outbreaks
Abstract
Early detection of computer viruses is provided by collecting information about suspicious messages and generating virus outbreak information. In one embodiment, a method comprises receiving the virus outbreak information that has been determined by receiving message information for messages that have characteristics associated with computer viruses, wherein the messages were determined by a virus-check component as not comprising a virus, and mapping the message information received in a specified time period to the virus outbreak information; and when the virus outbreak information indicates initiation of a virus attack, performing a message flow control action for additional messages that have the same characteristics associated with computer viruses as the first messages. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages.
37 Claims
1. A method, comprising the computer-implemented steps of:
- receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;
- in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses; and
- in response to the determining that the one or more first messages do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages;
- wherein the method is performed by one or more processors.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25

26. A method, comprising the computer-implemented steps of:
- receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;
- in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses, and determining that the one or more first messages do comprise one or more viruses;
- wherein the method is performed by one or more processors.

Dependent claims: 27, 28, 29, 30, 31, 32

33. A method, comprising the computer-implemented steps of:
- receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;
- in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses; and
- in response to the determining that the one or more first messages do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as said first message;
- wherein the method is performed by one or more processors.

Dependent claims: 34

35. A non-transitory machine-readable storage medium storing one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to perform:
- receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses; and
- in response to determining that the one or more first message do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages.

36. An apparatus, comprising:
- one or more processors;
- means for receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- means for sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- means for receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;
- means for determining that the one or more first messages do comprise one or more viruses in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values; and
- means for performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages in response to the determining that the one or more first messages do comprise one or more viruses.

37. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
- receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;
- sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;
- receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;
- in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses; and
- in response to the determining that the one or more first messages do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages.
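
The scoring steps recited in the independent claims (a current average built from prior periods, a percent-of-normal value against a long-term average, and a mapping onto a range of score values) can be sketched as follows. This is an added illustration, not code from the patent: the band boundaries, the 0-5 score scale, the suspend threshold, the window size, the exponentially weighted baseline, and the use of per-period message counts as virus score values are all assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping: percent-of-normal upper bound -> virus score value (0-5).
SCORE_BANDS = [(150, 0), (300, 1), (600, 2), (1200, 3), (2400, 4)]
MAX_SCORE = 5
SUSPEND_AT = 3  # assumed threshold for the message flow control action


def map_percent(pct: float) -> int:
    """Map a percent-of-normal value onto the range of virus score values."""
    for upper, score in SCORE_BANDS:
        if pct < upper:
            return score
    return MAX_SCORE


@dataclass
class OutbreakScorer:
    window: int = 3      # prior periods combined into the current average
    alpha: float = 0.1   # weight of a quiet period in the long-term average
    long_term: Optional[float] = None
    recent: deque = field(default_factory=deque)

    def observe(self, period_value: float) -> dict:
        """Score one time period for one message characteristic."""
        self.recent.append(period_value)
        if len(self.recent) > self.window:
            self.recent.popleft()
        current_avg = sum(self.recent) / len(self.recent)
        if self.long_term is None:          # first period seeds the baseline
            self.long_term = period_value
        if self.long_term > 0:
            pct = 100.0 * current_avg / self.long_term
        else:                               # no history for this characteristic
            pct = 0.0 if current_avg == 0 else float("inf")
        score = map_percent(pct)
        if score == 0:  # learn only from normal periods so a ramp cannot raise its own baseline
            self.long_term = (1 - self.alpha) * self.long_term + self.alpha * period_value
        action = "suspend" if score >= SUSPEND_AT else "deliver"
        return {"percent_of_normal": pct, "score": score, "action": action}


def score_series(values, **kwargs):
    """Run a fresh scorer over consecutive period values; return per-period results."""
    scorer = OutbreakScorer(**kwargs)
    return [scorer.observe(v) for v in values]


# Constructed hourly counts of clean-scanned, attachment-bearing bulk messages.
SAMPLE = [10, 12, 9, 11, 10, 40, 120, 300]
```

Freezing the baseline once the score leaves 0 is a design choice of this sketch; without it, a slowly ramping outbreak raises the long-term average and suppresses its own score.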
Specification