Time zero detection of infectious messages

US 9,154,511 B1
Filed: 06/16/2005
Issued: 10/06/2015
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting infectious messages, comprising:

receiving an individual message at a message forwarding device in a local network, the local network in communication with a global network, wherein the individual message has not yet been delivered to one or more recipients in the local network;

executing instructions stored in memory, wherein execution of the instructions by a processor;

performs an analysis of the individual message to determine similarity to known viruses, wherein the message is classified suspicious, wherein the individual message is not yet classified as either legitimate or infectious, anddetermines that a message previously received at the local network has been classified as suspicious;

receiving information related to monitoring of electronic mail traffic in the global network, the information identifying increases in global messages corresponding to the message previously received and classified as suspicious at the local network; and

executing further instructions stored in memory, wherein execution of the instructions by the processor;

reclassifies the individual message according to;

the analysis of the individual message resulting in classification of the individual message as suspicious,the similarity of the individual message to the message previously received and classified as suspicious at the local network, andthe presence of an increase in the global network of messages corresponding to the message previously received and classified as suspicious at the local network; and

processes the individual message based on the reclassification whereby individual messages reclassified as infectious messages are quarantined from a delivery queue and not allowed to be redistributed by the message forwarding device in the local network.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.

135 Citations

19 Claims

1. A method for detecting infectious messages, comprising:
- receiving an individual message at a message forwarding device in a local network, the local network in communication with a global network, wherein the individual message has not yet been delivered to one or more recipients in the local network;
  
  executing instructions stored in memory, wherein execution of the instructions by a processor;
  
  performs an analysis of the individual message to determine similarity to known viruses, wherein the message is classified suspicious, wherein the individual message is not yet classified as either legitimate or infectious, anddetermines that a message previously received at the local network has been classified as suspicious;
  
  receiving information related to monitoring of electronic mail traffic in the global network, the information identifying increases in global messages corresponding to the message previously received and classified as suspicious at the local network; and
  
  executing further instructions stored in memory, wherein execution of the instructions by the processor;
  
  reclassifies the individual message according to;
  
  the analysis of the individual message resulting in classification of the individual message as suspicious,the similarity of the individual message to the message previously received and classified as suspicious at the local network, andthe presence of an increase in the global network of messages corresponding to the message previously received and classified as suspicious at the local network; and
  
  processes the individual message based on the reclassification whereby individual messages reclassified as infectious messages are quarantined from a delivery queue and not allowed to be redistributed by the message forwarding device in the local network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein performing an analysis of the individual message includes calculating a probability that the message is infectious.
  - 3. The method of claim 1, wherein performing an analysis of the individual message includes calculating a probability that the message is infectious, and wherein the individual message is determined to be suspicious if the probability is between a legitimate threshold and an infectious threshold.
  - 4. The method of claim 1, wherein performing an analysis of the individual message includes performing a signature matching test to determine whether the individual message has a signature that is substantially similar to a known virus signature.
  - 5. The method of claim 1, wherein performing an analysis of the individual message includes performing a file name test to detect a suspicious file name.
  - 6. The method of claim 5, wherein the file name is suspicious when the extension of the file name does not correspond to a sequence in the file.
  - 7. The method of claim 1, wherein performing an analysis of the individual message includes performing a character test to determine whether the individual message includes unusual characters for type of file accompanying the individual message.
  - 8. The method of claim 7, wherein the unusual characters correspond to an extension for the type of file accompanying the individual message.
  - 9. The method of claim 1, wherein performing an analysis of the individual message includes performing a bit pattern test to determine whether there is anomaly in the content of the individual message.
  - 10. The method of claim 1, wherein performing an analysis of the individual message includes performing an N-gram test.
  - 11. The method of claim 1, wherein performing an analysis of the individual message includes performing a probabilistic finite state automata (PFSA) test.

12. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a computing device to perform a method for detecting infectious messages, the method comprising:
- receiving an individual message at a local network, the local network in communication with a global network, wherein the individual message has not yet been delivered to one or more recipients in the local network;
  
  performing an analysis of the individual message to determine similarity to known viruses, wherein the message is classified as suspicious, wherein the individual message is not yet classified as either legitimate or infectious;
  
  determining that a message previously received at the local network has been classified as suspicious;
  
  receiving information related to monitoring electronic mail traffic in the global network, the information identifying increases in global messages corresponding to the message previously received and classified as suspicious at the local network;
  
  reclassifying the individual message according to;
  
  the analysis of the individual message resulting in classification of the individual message as suspicious,the similarity of the individual message to the message previously received and classified as suspicious at the local network, andthe presence of an increase in the global network of messages corresponding to the message previously received and classified as suspicious at the local network; and
  
  processing the individual message based on the reclassification whereby individual messages reclassified as infectious messages are quarantined from a delivery queue and not allowed to be redistributed in the local network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory computer readable storage medium of claim 12, wherein performing an analysis of the individual message includes calculating a probability that the message is infectious.
  - 14. The non-transitory computer readable storage medium of claim 12, wherein performing an analysis of the individual message includes performing a character test to determine whether the message includes unusual characters for a type of file accompanying the message.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the unusual characters correspond to an extension for the type of file accompanying the individual message.
  - 16. The non-transitory computer readable storage medium of claim 12, wherein performing an analysis of an individual message includes performing a bit pattern test to determine whether there is anomaly in the content of the message.
  - 17. The non-transitory computer readable storage medium of claim 12, wherein performing an analysis of the individual message includes performing an N-gram test.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein performing an analysis of the individual message includes performing a file name test to detect a suspicious file name.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the file name is suspicious when the extension of the file name does not correspond to a sequence in the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US11/156,372
Time in Patent Office

3,764 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06N 7/01   Probabilistic graphical mod...

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Time zero detection of infectious messages

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Time zero detection of infectious messages

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others