Time zero detection of infectious messages

US 8,850,566 B2
Filed: 10/29/2007
Issued: 09/30/2014
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting infectious messages, the method comprising:

performing a first individual characteristic analysis of a message, wherein the first individual characteristic analysis includes comparing the individual characteristics of the message to individual characteristics of a previously received message;

generating a first probability of infection based on the first individual characteristic analysis;

generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;

determining an overall probability of infection based on the first probability and the second probability; and

classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.

129 Citations

18 Claims

1. A method of detecting infectious messages, the method comprising:
- performing a first individual characteristic analysis of a message, wherein the first individual characteristic analysis includes comparing the individual characteristics of the message to individual characteristics of a previously received message;
  
  generating a first probability of infection based on the first individual characteristic analysis;
  
  generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
  
  determining an overall probability of infection based on the first probability and the second probability; and
  
  classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining the overall probability is further based on weighting the first and second probability.
  - 3. The method of claim 1, wherein performing the first individual characteristic analysis comprises comparing the individual characteristics of the message to a statistical model.
  - 4. The method of claim 3, further comprising updating the statistical model based on the classification of the message.
  - 5. The method of claim 3, wherein the statistical model is based on a plurality of messages previously sent to a recipient.
  - 6. The method of claim 3, wherein the statistical model is based on a plurality of messages previously sent to a network.
  - 7. The method of claim 1, wherein the traffic analysis further comprises identifying a predetermined increase in a number of similar suspicious messages received within a specified period of time previously.
  - 8. The method of claim 7, further comprising updating the overall probability based on the number of similar suspicious messages received within the specified period of time previously.
  - 9. The method of claim 1, wherein generating the first probability of infection is based on a degree of similarity with a previously received message.
  - 10. The method of claim 1, further comprising continuing to perform individual characteristic analyses to generate further probabilities of infection until the overall probability meets the threshold or until it is determined that no more individual characteristic analyses are available.
  - 11. The method of claim 1, further comprising reclassifying the message as legitimate based on the overall probability meeting a second threshold.

12. A method of detecting infectious messages, the method comprising:
- performing a first individual characteristic analysis of a message, wherein performing the first individual characteristic analysis includes comparing a signature based on the individual characteristics of the message to a signature based on individual characteristics of a previously received message;
  
  generating a first probability of infection based on the first individual characteristic analysis;
  
  generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
  
  determining an overall probability of infection based on the first probability and the second probability; and
  
  classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.

13. An apparatus for detecting infections messages, the apparatus comprising:
- a testing module stored in memory and executable by a processor to generate a first and second probability of infection, the first probability of infection based on an individual characteristic analysis of a message, wherein the individual characteristic analysis includes a comparison of a signature based on the individual characteristics of the message to a signature based on individual characteristics of a previously received message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
  
  a processor to execute instructions stored in memory to determine an overall probability of infection based on the first probability of infection and the second probability of infection; and
  
  a message classifier stored in memory and executable to classify the message as infectious based on the overall probability meeting a threshold and to classify the message as suspicious based on failure of the overall probability to meet the threshold.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein the processor further executes instructions stored in memory to weight the first probability and the second probability for the determination of the overall probability.
  - 15. The apparatus of claim 13, wherein the traffic analysis further comprises identifying a predetermined increase in a number of previously received similar suspicious messages, the similar suspicious messages received within a specified period of time.
  - 16. The apparatus of claim 15, wherein the processor further executes instructions stored in memory to update the overall probability based on the number of previously received similar suspicious messages.
  - 17. The apparatus of claim 13, wherein the testing module is further executable to perform another individual characteristic analysis, the individual characteristic analysis generating further probabilities of infection until the overall probability meets the threshold or it is determined that no more individual characteristic analyses are available to be performed.

18. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
- performing a first individual characteristic analysis of a message, wherein the first individual characteristic analysis includes comparing the individual characteristics of the message to individual characteristics of a previously received message;
  
  generating a first probability of infection based on the first individual characteristic analysis;
  
  generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
  
  determining an overall probability of infection based on the first probability and the second probability; and
  
  classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Schwartz, Darren B
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US11/927,438
Publication Number

US 20080104703A1
Time in Patent Office

2,528 Days
Field of Search

726 22- 25
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06N 7/01   Probabilistic graphical mod...

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Time zero detection of infectious messages

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Time zero detection of infectious messages

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others