|Publication number||US20040073617 A1|
|Application number||US 10/654,771|
|Publication date||15 Apr 2004|
|Filing date||4 Sep 2003|
|Priority date||19 Jun 2000|
|Also published as||US8204945, US8272060, US20090031129, US20090031136, US20090132669, US20090158046, US20090158435, US20090182867, US20090313339, US20100205265, US20100205670, US20100205671, US20100205672, US20130014261|
|Publication number||10654771, 654771, US 2004/0073617 A1, US 2004/073617 A1, US 20040073617 A1, US 20040073617A1, US 2004073617 A1, US 2004073617A1, US-A1-20040073617, US-A1-2004073617, US2004/0073617A1, US2004/073617A1, US20040073617 A1, US20040073617A1, US2004073617 A1, US2004073617A1|
|Inventors||Walter Milliken, William Strayer, Stephen Milligan|
|Original Assignee||Milliken Walter Clark, Strayer William Timothy, Milligan Stephen Douglas|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (99), Referenced by (204), Classifications (12), Legal Events (6)|
|External Links: USPTO, USPTO Assignment, Espacenet|
 This application claims priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, the disclosure of which is incorporated herein by reference. This application is also a continuation-in-part of U.S. patent application Ser. No. 10/251,403, filed Sep. 20, 2002, which claims priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/341,462, filed Dec. 14, 2001, both of which are incorporated herein by reference. This application is also a continuation-in-part of U.S. patent application Ser. No. 09/881,145, and U.S. patent application Ser. No. 09/881,074, both of which were filed on Jun. 14, 2001, and both of which claim priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/212,425, filed Jun. 19, 2000, all of which are incorporated herein by reference.
 1. Field of the Invention
 The present invention relates generally to network security and, more particularly, to systems and methods for detecting and/or preventing the transmission of unwanted e-mails, such as e-mails containing worms and viruses, including polymorphic worms and viruses, and unsolicited commercial e-mails.
 2. Description of Related Art
 Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems arising from attacks from within the network and the shear volume of commercial e-mail. As the size of the Internet continues to grow, so does the threat posed to users of the Internet.
 Many of the problems take the form of e-mail. Viruses and worms often masquerade within e-mail messages for execution by unsuspecting e-mail recipients. Unsolicited commercial e-mail, or “spam,” is another burdensome type of e-mail because it wastes both the time and resources of the e-mail recipient.
 Existing techniques for detecting viruses, worms, and spam examine each e-mail message individually. In the case of viruses and worms, this typically means examining attachments for byte-strings found in known viruses and worms (possibly after uncompressing or de-archiving attached files), or simulating execution of the attachment in a “safe” compartment and examining its behaviors. Similarly, existing spam filters usually examine a single e-mail message looking for heuristic traits commonly found in unsolicited commercial e-mail, such as an abundance of Uniform Resource Locators (URLs), heavy use of all-capital-letter words, use of colored text or large fonts, and the like, and then “score” the message based on the number and types of such traits found. Both the anti-virus and the anti-spam techniques can demand significant processing of each message, adding to the resource burden imposed by unwanted email. Neither technique makes use of information collected from other recent messages.
 Thus, there is need for an efficient technique that can quickly detect viruses, worms, and spam in e-mail messages arriving at e-mail servers, possibly by using information contained in multiple recent messages to detect unwanted mail more quickly and efficiently.
 Systems and methods consistent with the present invention address this and other needs by providing a new defense that detects and prevents the transmission of unwanted (and potentially unwanted) e-mail, such as e-mails containing viruses, worms, and spam.
 In accordance with an aspect of the invention as embodied and broadly described herein, a method for detecting transmission of potentially unwanted e-mail messages is provided. The method includes receiving e-mail messages and generating hash values based on one or more portions of the e-mail messages. The method further includes determining whether the generated hash values match hash values associated with prior e-mail messages. The method may also include determining that one of the e-mail messages is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.
 In accordance with another aspect of the invention, a mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store count values associated with hash values. The hash processor is configured to receive an e-mail message, hash one or more portions of the e-mail message to generate hash values, and increment the count values corresponding to the generated hash values. The hash processor is further configured to determine whether the e-mail message is a potentially unwanted e-mail message based on the incremented count values.
 In accordance with yet another aspect of the invention, a method for detecting transmission of unwanted e-mail messages is provided. The method includes receiving e-mail messages and detecting unwanted e-mail messages of the received e-mail messages based on hashes of previously received e-mail messages, where multiple hashes are performed on each of the e-mail messages.
 In accordance with a further aspect of the invention, a method for detecting transmission of potentially unwanted e-mail messages is provided. The method includes receiving an e-mail message; generating hash values over blocks of the e-mail message, where the blocks include at least two of a main text portion, an attachment portion, and a header portion of the e-mail message; determining whether the generated hash values match hash values associated with prior e-mail messages; and determining that the e-mail message is a potentially unwanted e-mail message when one or more of the generated hash values associated with the email message match one or more of the hash values associated with the prior e-mail messages.
 In accordance with another aspect of the invention, a mail server in a network of cooperating mail servers is provided. The mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store information relating to hash values corresponding to previously-observed e-mails. The hash processor is configured to receive at least some of the hash values from another one or more of the cooperating mail servers and store information relating to the at least some of the hash values in at least one of the one or more hash memories. The hash processor is further configured to receive an e-mail message, hash one or more portions of the received e-mail message to generate hash values, determine whether the generated hash values match the hash values corresponding to previously-observed e-mails, and identify the received e-mail message as a potentially unwanted e-mail message when one or more of the generated hash values associated with the received e-mail message match one or more of the hash values corresponding to previously-observed e-mails.
 In accordance with yet another aspect of the invention, a mail server is provided. The mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store count values associated with hash values. The hash processor is configured to receive e-mail messages, hash one or more portions of the received email messages to generate hash values, increment the count values corresponding to the generated hash values, as incremented count values, and generate suspicion scores for the received e-mail messages based on the incremented count values.
 In accordance with a further aspect of the invention, a method for preventing transmission of unwanted e-mail messages is provided. The method includes receiving an e-mail message; generating hash values over portions of the e-mail message as the e-mail message is being received; and incrementally determining whether the generated hash values match hash values associated with prior e-mail messages. The method further includes generating a suspicion score for the e-mail message based on the incremental determining; and rejecting the e-mail message when the suspicion score of the e-mail message is above a threshold.
 The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,
FIG. 1 is a diagram of a system in which systems and methods consistent with the present invention may be implemented;
FIG. 2 is an exemplary diagram of the e-mail server of FIG. 1 according to an implementation consistent with the principles of the invention;
FIG. 3 is an exemplary functional block diagram of the e-mail server of FIG. 2 according to an implementation consistent with the principles of the invention;
FIG. 4 is an exemplary diagram of the hash processing block of FIG. 3 according to an implementation consistent with the principles of the invention; and
 FIGS. 5A-5E are flowcharts of exemplary processing for detecting and/or preventing transmission of an unwanted e-mail message, such as an e-mail containing a virus or worm, including a polymorphic virus or worm, or an unsolicited commercial e-mail, according to an implementation consistent with the principles of the invention.
 The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.
 Systems and methods consistent with the present invention provide virus, worm, and unsolicited e-mail detection and/or prevention in e-mail servers. Placing these features in e-mail servers provides a number of new advantages, including the ability to align hash blocks to crucial boundaries found in e-mail messages and eliminate certain counter-measures by the attacker, such as using small Internet Protocol (IP) fragments to limit the detectable content in each packet. It also allows these features to relate e-mail header fields with the potentially-harmful segment of the message (usually an “attachment”), and decode common file-packing and encoding formats that might otherwise make a virus or worm undetectable by the packet-based technique (e.g., “.zip files”).
 By placing these features within an e-mail server, the ability to detect replicated content in the network at points where large quantities of traffic are present is obtained. By relating many otherwise-independent messages and finding common factors, the e-mail server may detect unknown, as well as known, viruses and worms. These features may also be applied to detect potential unsolicited commercial e-mail (“spam”).
 E-mail servers for major Internet Service Providers (ISPs) may process a million e-mail messages a day, or more, in a single server. When viruses and worms are active in the network, a substantial fraction of this e-mail may actually be traffic generated by the virus or worm. Thus, an e-mail server may have dozens to thousands of examples of a single e-mail-borne virus pass through it in a day, offering an excellent opportunity to determine the relationships between e-mail messages and detect replicated content (a feature that is indicative of virus/worm propagation) and spam, among other, more legitimate traffic (such as traffic from legitimate mailing lists).
 Systems and methods consistent with the principles of the invention provide mechanisms to detect and stop e-mail-borne viruses and worms before the addressed user receives them, in an environment where the virus is still inert. Current e-mail servers do not normally execute any code in the e-mail being transported, so they are not usually subject to virus/worm infections from the content of the e-mails they process—though, they may be subject to infection via other forms of attack.
 Besides e-mail-borne viruses and worms, another common problem found in e-mail is mass-e-mailing of unsolicited commercial e-mail, colloquially referred to as “spam.” It is estimated that perhaps 25%-50% of all e-mail messages now received for delivery by major ISP e-mail servers is spam.
 Users of network e-mail services are desirous of mechanisms to block e-mail containing viruses or worms from reaching their machines (where the virus or worm may easily do harm before the user realizes its presence). Users are also desirous of mechanisms to block unsolicited commercial e-mail that consumes their time and resources.
 Many commercial e-mail services put a limit on each user's e-mail accumulating at the server, and not yet downloaded to the customer's machine. If too much e-mail arrives between times when the user reads his e-mail, additional e-mail is either “bounced” (i.e., returned to the sender's e-mail server) or even simply discarded, both of which events can seriously inconvenience the user. Because the user has no control over arriving e-mail due to e-mail-borne viruses/worms, or spam, it is a relatively common occurrence that the user's e-mail quota overflows due to unwanted and potentially harmful messages. Similarly, the authors of e-mail-borne viruses, as well as senders of spam, have no reason to limit the size of their messages. As a result, these messages are often much larger than legitimate e-mail messages, thereby increasing the risks of such denial of service to the user by overflowing the per-user e-mail quota.
 Users are not the only group inconvenienced by spam and e-mail-borne viruses and worms. Because these types of unwanted e-mail can form a substantial fraction, even a majority, of e-mail traffic in the Internet, for extended periods of time, ISPs typically must add extra resources to handle a peak e-mail load that would otherwise be about half as large. This ratio of unwanted-to-legitimate e-mail traffic appears to be growing daily. Systems and methods consistent with the principles of the invention provide mechanisms to detect and discard unwanted e-mail in network e-mail servers.
FIG. 1 is a diagram of an exemplary system 100 in which systems and methods consistent with the present invention may be implemented. System 100 includes mail clients 110 connected to a mail server 120 via a network 130. Connections made in system 100 may be via wired, wireless, and/or optical communication paths. While FIG. 1 shows three mail clients 110 and a single mail server 120, there can be more or fewer clients and servers in other implementations consistent with the principles of the invention.
 Network 130 may facilitate communication between mail clients 110 and mail server 120. Typically, network 130 may include a collection of network devices, such as routers or switches, that transfer data between mail clients 110 and mail server 120. In an implementation consistent with the present invention, network 130 may take the form of a wide area network, a local area network, an intranet, the Internet, a public telephone network, a different type of network, or a combination of networks.
 Mail clients 110 may include personal computers, laptops, personal digital assistants, or other types of wired or wireless devices that are capable of interacting with mail server 120 to receive e-mails. In another implementation, clients 110 may include software operating upon one of these devices. Client 110 may present e-mails to a user via a graphical user interface.
 Mail server 120 may include a computer or another device that is capable of providing e-mail services for mail clients 110. In another implementation, server 120 may include software operating upon one of these devices.
FIG. 2 is an exemplary diagram of mail server 120 according to an implementation consistent with the principles of the invention. Server 120 may include bus 210, processor 220, main memory 230, read only memory (ROM) 240, storage device 250, input device 260, output device 270, and communication interface 280. Bus 210 permits communication among the components of server 120.
 Processor 220 may include any type of conventional processor or microprocessor that interprets and executes instructions. Main memory 230 may include a random access memory (RAM) or another type of dynamic storage device that stores information and instructions for execution by processor 220. ROM 240 may include a conventional ROM device or another type of static storage device that stores static information and instructions for use by processor 220. Storage device 250 may include a magnetic and/or optical recording medium and its corresponding drive.
 Input device 260 may include one or more conventional mechanisms that permit an operator to input information to server 120, such as a keyboard, a mouse, a pen, voice recognition and/or biometric mechanisms, etc. Output device 270 may include one or more conventional mechanisms that output information to the operator, such as a display, a printer, a pair of speakers, etc. Communication interface 280 may include any transceiver-like mechanism that enables server 120 to communicate with other devices and/or systems. For example, communication interface 280 may include mechanisms for communicating with another device or system via a network, such as network 130.
 As will be described in detail below, server 120, consistent with the present invention, provides e-mail services to clients 110, while detecting unwanted e-mails and/or preventing unwanted e-mails from reaching clients 110. Server 120 may perform these tasks in response to processor 220 executing sequences of instructions contained in, for example, memory 230. These instructions may be read into memory 230 from another computer-readable medium, such as storage device 250 or a carrier wave, or from another device via communication interface 280.
 Execution of the sequences of instructions contained in memory 230 may cause processor 220 to perform processes that will be described later. Alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement processes consistent with the present invention. Thus, processes performed by server 120 are not limited to any specific combination of hardware circuitry and software.
FIG. 3 is an exemplary functional block diagram of mail server 120 according to an implementation consistent with the principles of the invention. Server 120 may include a Simple Mail Transfer Protocol (SMTP) block 310, a Post Office Protocol (POP) block 320, an Internet Message Access Protocol (IMAP) block 330, and a hash processing block 340.
 SMTP block 310 may permit mail server 120 to communicate with other mail servers connected to network 130 or another network. SMTP is designed to efficiently and reliably transfer e-mail across networks. SMTP defines the interaction between mail servers to facilitate the transfer of e-mail even when the mail servers are implemented on different types of computers or running different operating systems.
 POP block 320 may permit mail clients 110 to retrieve e-mail from mail server 120. POP block 320 may be designed to always receive incoming e-mail. POP block 320 may then hold e-mail for mail clients 110 until mail clients 110 connect to download them.
 IMAP block 330 may provide another mechanism by which mail clients 110 can retrieve e-mail from mail server 120. IMAP block 330 may permit mail clients 110 to access remote e-mail as if the e-mail was local to mail clients 1110.
 Hash processing block 340 may interact with SMTP block 310, POP block 320, and/or IMAP block 330 to detect and prevent transmission of unwanted e-mail, such as e-mails containing viruses or worms and unsolicited commercial e-mail (spam).
FIG. 4 is an exemplary diagram of hash processing block 340 according to an implementation consistent with the principles of the invention. Hash processing block 340 may include hash processor 410 and one or more hash memories 420. Hash processor 410 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received e-mail and records the e-mail representations in hash memory 420.
 An e-mail representation will likely not be a copy of the entire e-mail, but rather it may include a portion of the e-mail or some unique value representative of the e-mail. For example, a fixed width number may be computed across portions of the e-mail in a manner that allows the entire e-mail to be identified.
 To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across portions of each e-mail. Then the hash value may be stored in hash memory 420 or may be used as an index, or address, into hash memory 420. Using the hash value, or an index derived therefrom, results in efficient use of hash memory 420 while still allowing the content of each e-mail passing through mail server 120 to be identified.
 Systems and methods consistent with the present invention may use any storage scheme that records information about one or more portions of each e-mail in a space-efficient fashion, that can definitively determine if a portion of an e-mail has not been observed, and that can respond positively (i.e., in a predictable way) when a portion of an e-mail has been observed. Although systems and methods consistent with the present invention can use virtually any technique for deriving representations of portions of e-mails, the remaining discussion will use hash values as exemplary representations of portions of e-mails received by mail server 120.
 In implementations consistent with the principles of the invention, hash processor 410 may hash one or more portions of a received e-mail to produce a hash value used to facilitate hash-based detection. For example, hash processor 410 may hash one or more of the main text within the message body, any attachments, and one or more header fields, such as sender-related fields (e.g., “From:,” “Sender:,” “Reply-To:,” “Return-Path:,” and “Error-To:”). Hash processor 410 may perform one or more hashes on each of the e-mail portions using the same or different hash functions.
 As described in more detail below, hash processor 410 may use the hash results of the hash operation to recognize duplicate occurrences of e-mails and raise a warning if the duplicate e-mail occurrences arrive within a short period of time and raise their level of suspicion above some threshold. It may also be possible to use the hash results for tracing the path of an unwanted e-mail through the network.
 Each hash value may be determined by taking an input block of data and processing it to obtain a numerical value that represents the given input data. Suitable hash functions are readily known in the art and will not be discussed in detail herein. Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5). The resulting hash value, also referred to as a message digest or hash digest, may include a fixed length value. The hash value may serve as a signature for the data over which it was computed.
 The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.
 Hash processor 410 may store a representation of each e-mail it observes in hash memory 420. Hash processor 410 may store the actual hash values as the e-mail representations or it may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. A technique for minimizing storage requirements may use one or more arrays or Bloom filters.
 Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, hash processor 410 may use the hash value as an index for addressing an array within hash memory 420. In other words, when hash processor 410 generates a hash value for a portion of an e-mail, the hash value serves as the address location into the array. At the address corresponding to the hash value, a count value may be incremented at the respective storage location, thus, indicating that a particular hash value, and hence a particular e-mail portion, has been seen by hash processor 410. In one implementation, the count value is associated with an 8-bit counter with a maximum value that sticks at 255. While counter arrays are described by way of example, it will be appreciated by those skilled in the relevant art, that other storage techniques may be employed without departing from the spirit of the invention.
 Hash memory 420 may store a suspicion count that is used to determine the overall suspiciousness of an e-mail message. For example, the count value (described above) may be compared to a threshold, and the suspicion count for the e-mail may be incremented if the threshold is exceeded. Hence, there may be a direct relationship between the count value and the suspicion count, and it may be possible for the two values to be the same. The larger the suspicion count, the more important the hit should be considered in determining the overall suspiciousness of the packet. Alternatively, the suspicion count can be combined in a “scoring function” with values from this or other hash blocks in the same message in order to determine whether the message should be considered suspicious.
 It is not enough, however, for hash memory 420 to simply identify that an e-mail contains content that has been seen recently. There are many legitimate sources (e.g., e-mail list servers) that produce multiple copies of the same message, addressed to multiple recipients. Similarly, individual users often e-mail messages to a group of people and, thus, multiple copies might be seen if several recipients happen to receive their mail from the same server. Also, people often forward copies of received messages to friends or co-workers.
 In addition, virus/worm authors typically try to minimize the replicated content in each copy of the virus/worm, in order to not be detected by existing virus and worm detection technology that depends on detecting fixed sequences of bytes in a known virus or worm. These mutable viruses/worms are usually known as polymorphic, and the attacker's goal is to minimize the recognizability of the virus or worm by scrambling each copy in a different way. For the virus or worm to remain viable, however, a small part of it can be mutable in only a relatively small number of ways, because some of its code must be immediately-executable by the victim's computer, and that limits the mutation and obscurement possibilities for the critical initial code part.
 In order to accomplish the proper classification of various types of legitimate and unwanted e-mail messages, multiple hash memories 420 can be employed, with separate hash memories 420 being used for specific sub-parts of a standard e-mail message. The outputs of different ones of hash memories 420 can then be combined in an overall “scoring” or classification function to determine whether the message is undesirable or legitimate, and possibly estimate the probability that it belongs to a particular class of traffic, such as a virus/worm message, spam, e-mail list message, normal user-to-user message.
 For e-mail following the Internet mail standard RFC 822 (and its various extensions), hashing of certain individual e-mail header fields into field-specific hash memories 420 may be useful. Among the header fields for which this may be helpful are: (1) various sender-related fields, such as “From:”, “Sender:”, “Reply-To:”, “Return-Path:” and “Error-To:”; (2) the “To:” field (often a fixed value for a mailing list, frequently missing or idiosyncratic in spam messages); and (3) the last few “Received:” headers (i.e., the earliest ones, since they are normally added at the top of the message), excluding any obvious timestamp data. It may also be useful to hash a combination of the “From:” field and the e-mail address of the recipient (transferred as part of the SMTP mail-transfer protocol, and not necessarily found in the message itself).
 Any or all of hash memories 420 may be pre-loaded with knowledge of known good or bad traffic. For example, known viruses and spam content (e.g., the infamous “Craig Shergold letter” or many pyramid swindle letters) can be pre-hashed into the relevant hash memories 420, and/or periodically refreshed in the memory as part of a periodic “cleaning” process described below. Also, known legitimate mailing lists, such as mailing lists from legitimate e-mail list servers, can be added to a “From:” hash memory 420 that passes traffic without further examination.
 Over time, hash memories 420 may fill up and the possibility of overflowing an existing count value increases. The risk of overflowing a count value may be reduced if the counter arrays are periodically flushed to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. Alternatively, the counter arrays may be slowly and incrementally erased. To facilitate this, a time-table may be established for flushing/erasing the counter arrays. If desired, the flushing/erasing cycle can be reduced by computing hash values only for a subset of the e-mails received by mail server 120. While this approach reduces the flushing/erasing cycle, it increases the possibility that a target e-mail may be missed (i.e., a hash value is not computed over a portion of it).
 Non-zero storage locations within hash memories 420 may be decremented periodically rather than being erased. This may ensure that the “random noise” from normal e-mail traffic would not remain in a counter array indefinitely. Replicated traffic (e.g., e-mails containing a virus/worm that are propagating repeatedly across the network), however, would normally cause the relevant storage locations to stay substantially above the “background noise” level.
 One way to decrement the count values in the counter array fairly is to keep a total count, for each hash memory 420, of every time one of the count values is incremented. After this total count reaches some threshold value (probably in the millions), for every time a count value is incremented in hash memory 420, another count value gets decremented. One way to pick the count value to decrement is to keep a counter, as a decrement pointer, that simply iterates through the storage locations sequentially. Every time a decrement operation is performed, the following may done: (a) examine the candidate count value to be decremented and if non-zero, decrement it and increment the decrement pointer to the next storage location; and (b) if the candidate count value is zero, then examine each sequentially-following storage location until a non-zero count value is found, decrement that count value, and advance the decrement pointer to the following storage location.
 It may be important to avoid decrementing any counters below zero, while not biasing decrements unfairly. Because it may be assumed that the hash is random, this technique should not favor any particular storage location, since it visits each of them before starting over. This technique may be superior to a timer-based decrement because it keeps a fixed total count population across all of the storage locations, representing the most recent history of traffic, and is not subject to changes in behavior as the volume of traffic varies over time.
 A variation of this technique may include randomly selecting a count value to decrement, rather than processing them cyclically. In this variation, if the chosen count value is already zero, then another one could be picked randomly, or the count values in the storage locations following the initially-chosen one could be examined in series, until a non-zero count value is found.
 FIGS. 5A-5E are flowcharts of exemplary processing for detecting and/or preventing transmission of unwanted e-mail, such as an e-mail containing a virus or worm, including a polymorphic virus or worm, or an unsolicited commercial e-mail (spam), according to an implementation consistent with the principles of the invention. The processing of FIGS. 5A-5E will be described in terms of a series of acts that may be performed by mail server 120. In implementations consistent with the principles of the invention, some of the acts may be optional and/or performed in an order different than that described. In other implementations, different acts may be substituted for described acts or added to the process.
 Processing may begin when hash processor 410 (FIG. 4) receives, or otherwise observes, an e-mail message (act 502) (FIG. 5A). Hash processor 410 may hash the main text of the message body, excluding any attachments (act 504). When hashing the main text, hash processor 410 may perform one or more conventional hashes covering one or more portions, or all, of the main text. For example, hash processor 410 may perform hash functions on fixed or variable sized blocks of the main text. It may be beneficial for hash processor 410 to perform multiple hashes on each of the blocks using the same or different hash functions.
 It may be desirable to pre-process the main text to remove attempts to fool pattern-matching mail filters. An example of this is HyperText Markup Language (HTML) e-mail, where spammers often insert random text strings in HTML comments between or within words of the text. Such e-mail may be referred to as “polymorphic spam” because it attempts to make each message appear unique. This method for evading detection might otherwise defeat the hash detection technique, or other string-matching techniques. Thus, removing all HTML comments from the message before hashing it may be desirable. It might also be useful to delete HTML tags from the message, or apply other specialized, but simple, pre-processing techniques to remove content not actually presented to the user. In general, this may be done in parallel with the hashing of the message text, since viruses and worms may be hidden in the non-visible content of the message text.
 Hash processor 410 may also hash any attachments, after first attempting to expand them if they appear to be known types of compressed files (e.g., “zip” files) (act 506). When hashing an attachment, hash processor 410 may perform one or more conventional hashes covering one or more portions, or all, of the attachment. For example, hash processor 410 may perform hash functions on fixed or variable sized blocks of the attachment. It may be beneficial for hash processor 410 to perform multiple hashes on each of the blocks using the same or different hash functions.
 Hash processor 410 may compare the main text and attachment hashes with known viruses, worms, or spam content in a hash memory 420 that is pre-loaded with information from known viruses, worms, and spam content (acts 508 and 510). If there are any hits in this hash memory 420, there is a probability that the e-mail message contains a virus or worm or is spam. A known polymorphic virus may have only a small number of hashes that match in this hash memory 420, out of the total number of hash blocks in the message. A non-polymorphic virus may have a very high fraction of the hash blocks hit in hash memory 420. For this reason, storage locations within hash memory 420 that contain entries from polymorphic viruses or worms may be given more weight during the pre-loading process, such as by giving them a high initial suspicion count value.
 A high fraction of hits in this hash memory 420 may cause the message to be marked as a probable known virus/worm or spam. In this case, the e-mail message can be sidetracked for remedial action, as described below.
 A message with a significant “score” from polymorphic virus/worm hash value hits may or may not be a virus/worm instance, and may be sidetracked for further investigation, or marked as suspicious before forwarding to the recipient. An additional check may also be made to determine the level of suspicion.
 For example, hash processor 410 may hash a concatenation of the From and To header fields of the e-mail message (act 512) (FIG. 5B). Hash processor 410 may then check the suspicion counts in hash memories 420 for the hashes of the main text, any attachments, and the concatenated From/To (act 514). Hash processor 410 may determine whether the main text or attachment suspicion count is significantly higher than the From/To suspicion count (act 516). If so, then the content is appearing much more frequently outside the messages between this set of users (which might otherwise be due to an e-mail exchange with repeated message quotations) and, thus, is much more suspicious.
 When this occurs, hash processor 410 may take remedial action (act 518). The remedial action taken might take different forms, which may be programmable or determined by an operator of mail server 120. For example, hash processor 410 may discard the e-mail. This is not recommended for anything but virtually-certain virus/worm/spam identification, such as a perfect match to a known virus.
 As an alternate technique, hash processor 410 may mark the e-mail with a warning in the message body, in an additional header, or other user-visible annotation, and allow the user to deal with it when it is downloaded. For data that appears to be from an unknown mailing list, a variant of this option is to request the user to send back a reply message to the server, classifying the suspect message as either spam or a mailing list. In the latter case, the mailing list source address can be added to the “known legitimate mailing lists” hash memory 420.
 As another technique, hash processor 410 may subject the e-mail to more sophisticated (and possibly more resource-consuming) detection algorithms to make a more certain determination. This is recommended for potential unknown viruses/worms or possible detection of a polymorphic virus/worm.
 As yet another technique, hash processor 410 may hold the e-mail message in a special area and create a special e-mail message to notify the user of the held message (probably including From and Subject fields). Hash processor 410 may also give instructions on how to retrieve the message.
 As a further technique, hash processor 410 may mark the e-mail message with its suspicion score result, but leave it queued for the user's retrieval. If the user's quota would overflow when a new message arrives, the score of the incoming message and the highest score of the queued messages are compared. If the highest queued message has a score above a settable threshold, and the new message's score is lower than the threshold, the queued message with the highest score may be deleted from the queue to make room for the new message. Otherwise, if the new message has a score above the threshold, it may be discarded or “bounced” (e.g., the sending e-mail server is told to hold the message and retry it later). Alternatively, if it is desired to never bounce incoming messages, mail server 120 may accept the incoming message into the user's queue and repeatedly delete messages with the highest suspicion score from the queue until the total is below the user's quota again.
 As another technique, hash processor 410 may apply hash-based functions as the e-mail message starts arriving from the sending server and determine the message's suspicion score incrementally as the message is read in. If the message has a high-enough suspicion score (above a threshold) during the early part of the message, mail server 120 may reject the message, optionally with either a “retry later” or a “permanent refusal” result to the sending server (which one is used may be determined by settable thresholds applied to the total suspicion score, and possibly other factors, such as server load). This results in the unwanted e-mail using up less network bandwidth and receiving server resources, and penalizes servers sending unwanted mail, relative to those that do not.
 If the suspicion count for the main text or any attachment is not significantly higher than the From/To suspicion count (act 516), hash processor 410 may determine whether the main text or any attachment has significant replicated content (non-zero or high suspicion count values for many hash blocks in the text/attachment content in all storage locations of hash memories 420) (act 520) (FIG. 5A). If not, the message is probably a normal user-to-user e-mail. These types of messages may be “passed” without further examination. When appropriate, hash processor 410 may also record the generated hash values by incrementing the suspicion count value in the corresponding storage locations in hash memory 420.
 If the message text is substantially replicated (e.g., greater than 90%), hash processor 410 may check one or more portions of the e-mail message against known legitimate mailing lists within hash memory 420 (act 522) (FIG. 5C). For example, hash processor 410 may hash the From or Sender fields of the e-mail message and compare it/them to known legitimate mailing lists within hash memory 420. Hash processor 410 may also determine whether the e-mail actually appears to originate from the correct source for the mailing list by examining, for example, the sequence of Received headers. Hash processor 410 may further examine a combination of the From or Sender fields and the recipient address to determine if the recipient has previously received e-mail from the sender. This is typical for mailing lists, but a typical of unwanted e-mail, which will normally not have access to the actual list of recipients for the mailing list. Failure of this examination may simply pass the message on, but mark it as “suspicious,” since the recipient may simply be a new subscriber to the mailing list, or the mailings may be infrequent enough to not persist in the hash counters between mailings.
 If there is a match with a legitimate mailing list (act 524), then the message is probably a legitimate mailing list duplicate and may be passed with no further examination. This assumes that the mailing list server employs some kind of filtering to exclude unwanted e-mail (e.g., refusing to forward e-mail that does not originate with a known list recipient or refusing e-mail with attachments).
 If there is no match with any legitimate mailing lists within hash memory 420, hash processor 410 may hash the sender-related fields (e.g., From, Sender, Reply-To) (act 526). Hash processor 410 may then determine the suspicion count for the sender-related hashes in hash memories 420 (act 528).
 Hash processor 410 may determine whether the suspicion counts for the sender-related hashes are similar to the suspicion count(s) for the main text hash(es) (act 530) (FIG. 5D). If both From and Sender fields are present, then the Sender field should match with roughly the same suspicion count value as the message body hash. The From field may or may not match. For a legitimate mailing list, it may be a legitimate mailing list that is not in the known legitimate mailing lists hash memory 420 (or in the case where there is no known legitimate mailing lists hash memory 420). If only the From field is present, it should match about as well as the message text for a mailing list. If none of the sender-related fields match as well as the message text, the e-mail message may be considered moderately suspicious (probably spam, with a variable and fictitious From address or the like).
 As an additional check, hash processor 410 may hash the concatenation of the sender-related field with the highest suspicion count value and the e-mail recipient's address (act 532). Hash processor 410 may then check the suspicion count for the concatenation in a hash memory 420 used just for this check (act 534). If it matches with a significant suspicion count value (act 536) (FIG. 5E), then the recipient has recently received multiple messages from this source, which makes it probable that it is a mailing list. The e-mail message may then be passed without further examination.
 If the message text or attachments are mostly replicated (e.g., greater than 90% of the hash blocks), but with mostly low suspicion count values in hash memory 420 (act 538), then the message is probably a case of a small-scale replication of a single message to multiple recipients. In this case, the e-mail message may then be passed without further examination.
 If the message text or attachments contain some significant degree of content replication (say, greater than 50% of the hash blocks) and at least some of the hash values have high suspicion count values in hash memory 420 (act 540), then the message is fairly likely to be a virus/worm or spam. A virus or worm should be considered more likely if the high-count matches are in an attachment. If the highly-replicated content is in the message text, then the message is more likely to be spam, though it is possible that e-mail text employing a scripting language (e.g., Java script) might also contain a virus.
 If the replication is in the message text, and the suspicion count is substantially higher for the message text than for the From field, the message is likely to be spam (because spammers generally vary the From field to evade simpler spam filters). A similar check can be made for the concatenation of the From and To header fields, except that in this case, it is most suspicious if the From/To hash misses (finds a zero suspicion count), indicating that the sender does not ordinarily send e-mail to that recipient, making it unlikely to be a mailing list, and very likely to be a spammer (because they normally employ random or fictitious From addresses).
 In the above cases, hash processor 410 may take remedial action (act 542). The particular type of action taken by hash processor 410 may vary as described above.
 Systems and methods consistent with the present invention provide mechanisms within an e-mail server to detect and/or prevent transmission of unwanted e-mail, such as e-mail containing viruses or worms, including polymorphic viruses and worms, and unsolicited commercial e-mail (spam).
 Implementation of a hash-based detection mechanism in an e-mail server at the e-mail message level provides advantages over a packet-based implementation in a router or other network node device. For example, the entire e-mail message has been re-assembled, both at the packet level (i.e., IP fragment re-assembly) and at the application level (multiple packets into a complete e-mail message). Also, the hashing algorithm can be applied more intelligently to specific parts of the e-mail message (e.g., header fields, message body, and attachments). Attachments that have been compressed for transport (e.g., “.zip” files) can be expanded for inspection. Without doing this, a polymorphic virus could easily hide inside such files with no repeatable hash signature visible at the packet transport level.
 With the entire message available for a single pass of the hashing process, packet boundaries and packet fragmentation do not split sequences of bytes that might otherwise provide useful hash signatures. A clever attacker might otherwise obscure a virus/worm attack by causing the IP packets carrying the malicious code to be fragmented into pieces smaller than that for which the hashing process is effective, or by forcing packet breaks in the middle of otherwise-visible fixed sequences of code in the virus/worm. Also, the entire message is likely to be longer than a single packet, thereby reducing the probability of false alarms (possibly due to insufficient hash-block sample size and too few hash blocks per packet) and increasing the probability of correct identification of a virus/worm (more hash blocks will match per message than per packet, since packets will be only parts of the entire message).
 Also, fewer hash-block alignment issues arise when the hash blocks can be intelligently aligned with fields of the e-mail message, such as the start of the message body, or the start of an attachment block. This results in faster detection of duplicate contents than if the blocks are randomly aligned (as is the case when the method is applied to individual packets).
 E-mail-borne malicious code, such as viruses and worms, also usually includes a text message designed to cause the user to read the message and/or perform some other action that will activate the malicious code. It is harder for such text to be polymorphic, because automatic scrambling of the user-visible text will either render it suspicious-looking, or will be very limited in variability. This fact, combined with the ability to start a hash block at the start of the message text by parsing the e-mail header, reduces the variability in hash signatures of the message, making it easier to detect with fewer examples seen.
 Further, the ability to extract and hash specific headers from an e-mail message separately may be used to help classify the type of replicated content the message body carries. Because many legitimate cases of message replication exist (e.g., topical mailing lists, such as Yahoo Groups), intelligent parsing and hashing of the message headers is very useful to reduce the false alarm rate, and to increase the accuracy of detection of real viruses, worms, and spam.
 This detection technique, compared to others which might extract and save fixed strings to be searched for in other pieces of e-mail, includes hash-based filters that are one-way functions (i.e., it is possible, given a piece of text, to determine if it has been seen before in another message). Given the state data contained in the filter, however, it is virtually impossible to reconstruct a prior message, or any piece of a prior message, that has been passed through the filter previously. Thus, this technique can maintain the privacy of e-mail, without retaining any information that can be attributed to a specific sender or receiver.
 The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.
 For example, systems and methods have been described with regard to a mail server. In other implementations, the systems and methods described herein may be used within other devices, such as a mail client. In such a case, the mail client may periodically obtain suspicion count values for its hash memory from one or more network devices, such as a mail server.
 It may be possible for multiple mail servers to work together to detect and prevent unwanted e-mails. For example, high-scoring entries from the hash memory of one mail server might be distributed to other mail servers, as long as the same hash functions are used by the same cooperating servers. This may accelerate the detection process, especially for mail servers that experience relatively low volumes of traffic.
 Further, certain portions of the invention have been described as “blocks” that perform one or more functions. These blocks may include hardware, such as an ASIC or a FPGA, software, or a combination of hardware and software.
 No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. The scope of the invention is defined by the claims and their equivalents.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US4641274 *||19 Aug 1985||3 Feb 1987||International Business Machines Corporation||Method for communicating changes made to text form a text processor to a remote host|
|US4996711 *||21 Jun 1989||26 Feb 1991||Chaum David L||Selected-exponent signature systems|
|US5276735 *||17 Apr 1992||4 Jan 1994||Secure Computing Corporation||Data enclave and trusted path system|
|US5276736 *||13 Jul 1992||4 Jan 1994||David Chaum||Optionally moderated transaction systems|
|US5276737 *||20 Apr 1992||4 Jan 1994||Silvio Micali||Fair cryptosystems and methods of use|
|US5276869 *||10 Sep 1990||4 Jan 1994||International Business Machines Corporation||System for selecting document recipients as determined by technical content of document and for electronically corroborating receipt of document|
|US5276901 *||16 Dec 1991||4 Jan 1994||International Business Machines Corporation||System for controlling group access to objects using group access control folder and group identification as individual user|
|US5278901 *||30 Apr 1992||11 Jan 1994||International Business Machines Corporation||Pattern-oriented intrusion-detection system and method|
|US5280527 *||14 Apr 1992||18 Jan 1994||Kamahira Safe Co., Inc.||Biometric token for authorizing access to a host system|
|US5283887 *||19 Dec 1990||1 Feb 1994||Bull Hn Information Systems Inc.||Automatic document format conversion in an electronic mail system based upon user preference|
|US5379340 *||2 Aug 1991||3 Jan 1995||Betterprize Limited||Text communication system|
|US5379374 *||21 Nov 1991||3 Jan 1995||Hitachi, Ltd.||Collaborative information processing system and workstation|
|US5386470 *||24 Aug 1993||31 Jan 1995||3Com Ireland||Repeaters for secure local area networks|
|US5388189 *||28 Oct 1993||7 Feb 1995||Racal-Datacom, Inc.||Alarm filter in an expert system for communications network|
|US5481312 *||18 Nov 1994||2 Jan 1996||At&T Corp.||Method of and apparatus for the transmission of high and low priority segments of a video bitstream over packet networks|
|US5481613 *||15 Apr 1994||2 Jan 1996||Northern Telecom Limited||Computer network cryptographic key distribution system|
|US5483466 *||15 Nov 1993||9 Jan 1996||Hitachi, Ltd.||Client/server system and mail reception/display control method|
|US5485409 *||30 Apr 1992||16 Jan 1996||International Business Machines Corporation||Automated penetration analysis system and method|
|US5485460 *||19 Aug 1994||16 Jan 1996||Microsoft Corporation||System and method for running multiple incompatible network protocol stacks|
|US5491750 *||30 Dec 1993||13 Feb 1996||International Business Machines Corporation||Method and apparatus for three-party entity authentication and key distribution using message authentication codes|
|US5495610 *||13 Jul 1995||27 Feb 1996||Seer Technologies, Inc.||Software distribution system to build and distribute a software release|
|US5602918 *||22 Dec 1995||11 Feb 1997||Virtual Open Network Environment Corp.||Application level security system and method|
|US5604490 *||9 Sep 1994||18 Feb 1997||International Business Machines Corporation||Method and system for providing a user access to multiple secured subsystems|
|US5606668 *||15 Dec 1993||25 Feb 1997||Checkpoint Software Technologies Ltd.||System for securing inbound and outbound data packet flow in a computer network|
|US5706442 *||20 Dec 1995||6 Jan 1998||Block Financial Corporation||System for on-line financial services using distributed objects|
|US5706507 *||5 Jul 1995||6 Jan 1998||International Business Machines Corporation||System and method for controlling access to data located on a content server|
|US5708780 *||7 Jun 1995||13 Jan 1998||Open Market, Inc.||Internet server access control and monitoring systems|
|US5708826 *||29 Dec 1995||13 Jan 1998||Fujitsu Limited||Apparatus and method for converting presentation data|
|US5710883 *||10 Mar 1995||20 Jan 1998||Stanford University||Hypertext document transport mechanism for firewall-compatible distributed world-wide web publishing|
|US5717757 *||19 Nov 1996||10 Feb 1998||Micali; Silvio||Certificate issue lists|
|US5717758 *||9 Dec 1996||10 Feb 1998||Micall; Silvio||Witness-based certificate revocation system|
|US5857022 *||19 Feb 1997||5 Jan 1999||Certco Llc||Enhanced cryptographic system and method with key escrow feature|
|US5859966 *||10 Oct 1995||12 Jan 1999||Data General Corporation||Security system for computer systems|
|US5860068 *||4 Dec 1997||12 Jan 1999||Petabyte Corporation||Method and system for custom manufacture and delivery of a data product|
|US5862325 *||27 Sep 1996||19 Jan 1999||Intermind Corporation||Computer-based communication system and method using metadata defining a control structure|
|US5864667 *||22 Aug 1997||26 Jan 1999||Diversinet Corp.||Method for safe communications|
|US5864683 *||12 Oct 1994||26 Jan 1999||Secure Computing Corporartion||System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights|
|US5864852 *||26 Apr 1996||26 Jan 1999||Netscape Communications Corporation||Proxy server caching mechanism that provides a file directory structure and a mapping mechanism within the file directory structure|
|US5872844 *||18 Nov 1996||16 Feb 1999||Microsoft Corporation||System and method for detecting fraudulent expenditure of transferable electronic assets|
|US5872849 *||19 Feb 1997||16 Feb 1999||Certco Llc||Enhanced cryptographic system and method with key escrow feature|
|US5872931 *||13 Aug 1996||16 Feb 1999||Veritas Software, Corp.||Management agent automatically executes corrective scripts in accordance with occurrences of specified events regardless of conditions of management interface and management engine|
|US6012144 *||1 Oct 1997||4 Jan 2000||Pickett; Thomas E.||Transaction security method and apparatus|
|US6014651 *||23 Sep 1998||11 Jan 2000||Crawford; Christopher M.||Commercial online software distribution systems and methods using encryption for security|
|US6021510 *||24 Nov 1997||1 Feb 2000||Symantec Corporation||Antivirus accelerator|
|US6023723 *||22 Dec 1997||8 Feb 2000||Accepted Marketing, Inc.||Method and system for filtering unwanted junk e-mail utilizing a plurality of filtering mechanisms|
|US6026414 *||5 Mar 1998||15 Feb 2000||International Business Machines Corporation||System including a proxy client to backup files in a distributed computing environment|
|US6029256 *||31 Dec 1997||22 Feb 2000||Network Associates, Inc.||Method and system for allowing computer programs easy access to features of a virus scanning engine|
|US6178242 *||28 Jan 1998||23 Jan 2001||Nds Limited||Digital recording protection system|
|US6178509 *||5 Sep 1997||23 Jan 2001||Intel Corporation||Tamper resistant methods and apparatus|
|US6182142 *||10 Jul 1998||30 Jan 2001||Encommerce, Inc.||Distributed access management of information resources|
|US6182226 *||18 Mar 1998||30 Jan 2001||Secure Computing Corporation||System and method for controlling interactions between networks|
|US6185678 *||2 Oct 1998||6 Feb 2001||Trustees Of The University Of Pennsylvania||Secure and reliable bootstrap architecture|
|US6185682 *||3 Jun 1998||6 Feb 2001||U.S. Philips Corporation||Authentication system|
|US6185689 *||24 Jun 1998||6 Feb 2001||Richard S. Carson & Assoc., Inc.||Method for network self security assessment|
|US6192360 *||23 Jun 1998||20 Feb 2001||Microsoft Corporation||Methods and apparatus for classifying text and for building a text classifier|
|US6192407 *||4 Apr 1997||20 Feb 2001||Tumbleweed Communications Corp.||Private, trackable URLs for directed document delivery|
|US6338141 *||30 Sep 1998||8 Jan 2002||Cybersoft, Inc.||Method and apparatus for computer virus detection, analysis, and removal in real time|
|US6341369 *||3 Dec 1998||22 Jan 2002||International Business Machines Corporation||Method and data processing system for specifying and applying rules to classification-based decision points in an application system|
|US6507851 *||1 Dec 1999||14 Jan 2003||Sony Corporation||Customer information retrieving method, a customer information retrieving apparatus, a data preparation method, and a database|
|US6510431 *||28 Jun 1999||21 Jan 2003||International Business Machines Corporation||Method and system for the routing of requests using an automated classification and profile matching in a networked environment|
|US6510464 *||23 Dec 1999||21 Jan 2003||Verizon Corporate Services Group Inc.||Secure gateway having routing feature|
|US6510466 *||14 Dec 1998||21 Jan 2003||International Business Machines Corporation||Methods, systems and computer program products for centralized management of application programs on a network|
|US6675153 *||12 Aug 1999||6 Jan 2004||Zix Corporation||Transaction authorization system|
|US6675209 *||19 Jul 1999||6 Jan 2004||Hewlett-Packard Development Company, L.P.||Method and system for assigning priority among network segments|
|US6681331 *||11 May 1999||20 Jan 2004||Cylant, Inc.||Dynamic software system intrusion detection|
|US6684335 *||19 Aug 1999||27 Jan 2004||Epstein, Iii Edwin A.||Resistance cell architecture|
|US6842860 *||21 Jul 2000||11 Jan 2005||Networks Associates Technology, Inc.||System and method for selectively authenticating data|
|US6842861 *||24 Mar 2000||11 Jan 2005||Networks Associates Technology, Inc.||Method and system for detecting viruses on handheld computers|
|US6845449 *||21 Jul 2000||18 Jan 2005||Networks Associates Technology, Inc.||System and method for fast nested message authentication codes and error correction codes|
|US6847888 *||6 Mar 2003||25 Jan 2005||Hrl Laboratories, Llc||Method and apparatus for geographic shape preservation for identification|
|US6985923 *||13 Jun 2000||10 Jan 2006||International Business Machines Corporation||Method, article of manufacture and apparatus for processing redundant electronic mail messages|
|US6993660 *||10 Dec 2001||31 Jan 2006||Mcafee, Inc.||System and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment|
|US7159237 *||19 Jan 2001||2 Jan 2007||Counterpane Internet Security, Inc.||Method and system for dynamic network intrusion monitoring, detection and response|
|US20020001384 *||4 Apr 2001||3 Jan 2002||Broadcom Corporation||Authentication engine architecture and method|
|US20020004902 *||21 Jun 2001||10 Jan 2002||Eng-Whatt Toh||Secure and reliable document delivery|
|US20020016826 *||16 Jul 2001||7 Feb 2002||Olof Johansson||Firewall apparatus and method of controlling network data packet traffic between internal and external networks|
|US20020016910 *||9 Feb 2001||7 Feb 2002||Wright Robert P.||Method for secure distribution of documents over electronic networks|
|US20020019945 *||27 Apr 2001||14 Feb 2002||Internet Security System, Inc.||System and method for managing security events on a network|
|US20020023140 *||8 Jun 2001||21 Feb 2002||Hile John K.||Electronic document delivery system|
|US20020026591 *||12 Apr 2001||28 Feb 2002||Hartley Bruce V.||Method and apparatus for assessing the security of a computer system|
|US20030004688 *||13 Jun 2002||2 Jan 2003||Gupta Ramesh M.||Virtual intrusion detection system and method of using same|
|US20030004689 *||13 Jun 2002||2 Jan 2003||Gupta Ramesh M.||Hierarchy-based method and apparatus for detecting attacks on a computer system|
|US20030005326 *||29 Jun 2001||2 Jan 2003||Todd Flemming||Method and system for implementing a security application services provider|
|US20030009554 *||9 Jul 2001||9 Jan 2003||Burch Hal Joseph||Method and apparatus for tracing packets in a communications network|
|US20030009693 *||9 Jul 2001||9 Jan 2003||International Business Machines Corporation||Dynamic intrusion detection for computer systems|
|US20030009696 *||10 Jan 2002||9 Jan 2003||Bunker V. Nelson Waldo||Network security testing|
|US20030009699 *||13 Jun 2002||9 Jan 2003||Gupta Ramesh M.||Method and apparatus for detecting intrusions on a computer system|
|US20030014662 *||13 Jun 2002||16 Jan 2003||Gupta Ramesh M.||Protocol-parsing state machine and method of using same|
|US20030014664 *||26 Jun 2002||16 Jan 2003||Daavid Hentunen||Intrusion detection method and system|
|US20030021280 *||26 Jul 2001||30 Jan 2003||Makinson Graham Arthur||Malware scanning using a network bridge|
|US20030023692 *||16 Nov 2001||30 Jan 2003||Fujitsu Limited||Electronic message delivery system, electronic message delivery managment server, and recording medium in which electronic message delivery management program is recorded|
|US20030023695 *||10 May 2002||30 Jan 2003||Atabok Japan, Inc.||Modifying an electronic mail system to produce a secure delivery system|
|US20030023873 *||16 Mar 2001||30 Jan 2003||Yuval Ben-Itzhak||Application-layer security method and system|
|US20030023874 *||16 Jul 2001||30 Jan 2003||Rudy Prokupets||System for integrating security and access for facilities and information systems|
|US20030023875 *||26 Jul 2001||30 Jan 2003||Hursey Neil John||Detecting e-mail propagated malware|
|US20040015554 *||16 Jul 2002||22 Jan 2004||Brian Wilson||Active e-mail filter with challenge-response|
|US20050014749 *||21 Jun 2004||20 Jan 2005||Amgen Inc.||Piperazine derivatives and methods of use|
|US20050021736 *||16 Oct 2003||27 Jan 2005||International Business Machines Corporation||Method and system for monitoring performance of distributed applications|
|US20050021738 *||6 Nov 2003||27 Jan 2005||Kenneth Goeller||Network geo-location system|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7076655||18 Jun 2002||11 Jul 2006||Hewlett-Packard Development Company, L.P.||Multiple trusted computing environments with verifiable environment identities|
|US7159210||18 Jun 2002||2 Jan 2007||Hewlett-Packard Development Company, L.P.||Performing secure and insecure computing operations in a compartmented operating system|
|US7197539||1 Nov 2004||27 Mar 2007||Symantec Corporation||Automated disablement of disposable e-mail addresses based on user actions|
|US7203964 *||7 Oct 2003||10 Apr 2007||Elmer V. Pass||Method of stopping internet viruses|
|US7219131||16 Jan 2003||15 May 2007||Ironport Systems, Inc.||Electronic message delivery using an alternate source approach|
|US7249162||25 Feb 2003||24 Jul 2007||Microsoft Corporation||Adaptive junk message filtering system|
|US7272853||4 Jun 2003||18 Sep 2007||Microsoft Corporation||Origination/destination features and lists for spam prevention|
|US7287060 *||12 Jun 2003||23 Oct 2007||Storage Technology Corporation||System and method for rating unsolicited e-mail|
|US7293063||4 Jun 2003||6 Nov 2007||Symantec Corporation||System utilizing updated spam signatures for performing secondary signature-based analysis of a held e-mail to improve spam email detection|
|US7302698||28 Nov 2000||27 Nov 2007||Hewlett-Packard Development Company, L.P.||Operation of trusted state in computing platform|
|US7366919||25 Apr 2003||29 Apr 2008||Symantec Corporation||Use of geo-location data for spam detection|
|US7409708||28 May 2004||5 Aug 2008||Microsoft Corporation||Advanced URL and IP features|
|US7451184||14 Oct 2003||11 Nov 2008||At&T Intellectual Property I, L.P.||Child protection from harmful email|
|US7461263 *||24 Sep 2003||2 Dec 2008||Unspam, Llc.||Method and apparatus for a non-revealing do-not-contact list system|
|US7464264||25 Mar 2004||9 Dec 2008||Microsoft Corporation||Training filters for detecting spasm based on IP addresses and text-related features|
|US7467370||25 Mar 2005||16 Dec 2008||Hewlett-Packard Development Company, L.P.||Apparatus and method for creating a trusted environment|
|US7483947 *||2 May 2003||27 Jan 2009||Microsoft Corporation||Message rendering for identification of content features|
|US7490244||14 Sep 2004||10 Feb 2009||Symantec Corporation||Blocking e-mail propagation of suspected malicious computer code|
|US7506031||24 Aug 2006||17 Mar 2009||At&T Intellectual Property I, L.P.||Filtering email messages corresponding to undesirable domains|
|US7519668||20 Jun 2003||14 Apr 2009||Microsoft Corporation||Obfuscation of spam filter|
|US7530106 *||2 Jul 2008||5 May 2009||Kaspersky Lab, Zao||System and method for security rating of computer processes|
|US7543053||13 Feb 2004||2 Jun 2009||Microsoft Corporation||Intelligent quarantining for spam prevention|
|US7546349||1 Nov 2004||9 Jun 2009||Symantec Corporation||Automatic generation of disposable e-mail addresses|
|US7548956 *||30 Dec 2003||16 Jun 2009||Aol Llc||Spam control based on sender account characteristics|
|US7555524||16 Sep 2004||30 Jun 2009||Symantec Corporation||Bulk electronic message detection by header similarity analysis|
|US7558832||2 May 2007||7 Jul 2009||Microsoft Corporation||Feedback loop for spam prevention|
|US7610341||14 Oct 2003||27 Oct 2009||At&T Intellectual Property I, L.P.||Filtered email differentiation|
|US7617285||29 Sep 2005||10 Nov 2009||Symantec Corporation||Adaptive threshold based spam classification|
|US7640590||21 Dec 2004||29 Dec 2009||Symantec Corporation||Presentation of network source and executable characteristics|
|US7650382||24 Apr 2003||19 Jan 2010||Symantec Corporation||Detecting spam e-mail with backup e-mail server traps|
|US7653695||17 Feb 2005||26 Jan 2010||Ironport Systems, Inc.||Collecting, aggregating, and managing information relating to electronic messages|
|US7660865 *||12 Aug 2004||9 Feb 2010||Microsoft Corporation||Spam filtering with probabilistic secure hashes|
|US7664812 *||14 Oct 2003||16 Feb 2010||At&T Intellectual Property I, L.P.||Phonetic filtering of undesired email messages|
|US7664819||29 Jun 2004||16 Feb 2010||Microsoft Corporation||Incremental anti-spam lookup and update service|
|US7665131||9 Jan 2007||16 Feb 2010||Microsoft Corporation||Origination/destination features and lists for spam prevention|
|US7673342 *||26 Jul 2001||2 Mar 2010||Mcafee, Inc.||Detecting e-mail propagated malware|
|US7676546 *||9 Mar 2010||Verisign, Inc.||Control and management of electronic messaging|
|US7680886||9 Apr 2003||16 Mar 2010||Symantec Corporation||Suppressing spam using a machine learning based spam filter|
|US7711779||20 Jun 2003||4 May 2010||Microsoft Corporation||Prevention of outgoing spam|
|US7739494||13 Sep 2005||15 Jun 2010||Symantec Corporation||SSL validation and stripping using trustworthiness factors|
|US7748038||6 Dec 2004||29 Jun 2010||Ironport Systems, Inc.||Method and apparatus for managing computer virus outbreaks|
|US7756930||28 May 2004||13 Jul 2010||Ironport Systems, Inc.||Techniques for determining the reputation of a message sender|
|US7756933||12 Dec 2005||13 Jul 2010||Collactive Ltd.||System and method for deterring rogue users from attacking protected legitimate users|
|US7757288||23 May 2005||13 Jul 2010||Symantec Corporation||Malicious e-mail attack inversion filter|
|US7769485 *||29 Sep 2007||3 Aug 2010||Pitney Bowes Inc.||Systems and methods for segregating undesired mail|
|US7774845 *||6 Nov 2002||10 Aug 2010||British Telecommunications Public Limited Company||Computer security system|
|US7788329||12 Jan 2006||31 Aug 2010||Aol Inc.||Throttling electronic communications from one or more senders|
|US7788576 *||4 Oct 2006||31 Aug 2010||Trend Micro Incorporated||Grouping of documents that contain markup language code|
|US7810160||28 Dec 2005||5 Oct 2010||Microsoft Corporation||Combining communication policies into common rules store|
|US7831667 *||13 May 2004||9 Nov 2010||Symantec Corporation||Method and apparatus for filtering email spam using email noise reduction|
|US7844678||25 Jun 2008||30 Nov 2010||At&T Intellectual Property I, L.P.||Filtering email messages corresponding to undesirable domains|
|US7849142||27 May 2005||7 Dec 2010||Ironport Systems, Inc.||Managing connections, messages, and directory harvest attacks at a server|
|US7853654 *||12 Jan 2005||14 Dec 2010||Kddi Corporation||Mass mail detection system and mail server|
|US7856090||8 Aug 2005||21 Dec 2010||Symantec Corporation||Automatic spim detection|
|US7870200||27 May 2005||11 Jan 2011||Ironport Systems, Inc.||Monitoring the flow of messages received at a server|
|US7873695||27 May 2005||18 Jan 2011||Ironport Systems, Inc.||Managing connections and messages at a server by associating different actions for both different senders and different recipients|
|US7877799||1 Aug 2001||25 Jan 2011||Hewlett-Packard Development Company, L.P.||Performance of a service on a computing platform|
|US7904517||9 Aug 2004||8 Mar 2011||Microsoft Corporation||Challenge response systems|
|US7912907||7 Oct 2005||22 Mar 2011||Symantec Corporation||Spam email detection based on n-grams with feature selection|
|US7917588||26 May 2005||29 Mar 2011||Ironport Systems, Inc.||Managing delivery of electronic messages using bounce profiles|
|US7921159||14 Oct 2003||5 Apr 2011||Symantec Corporation||Countering spam that uses disguised characters|
|US7930351 *||14 Oct 2003||19 Apr 2011||At&T Intellectual Property I, L.P.||Identifying undesired email messages having attachments|
|US7930353 *||29 Jul 2005||19 Apr 2011||Microsoft Corporation||Trees of classifiers for detecting email spam|
|US7936682||9 Nov 2005||3 May 2011||Cisco Technology, Inc.||Detecting malicious attacks using network behavior and header analysis|
|US7941490 *||11 May 2005||10 May 2011||Symantec Corporation||Method and apparatus for detecting spam in email messages and email attachments|
|US7941491||3 Jun 2005||10 May 2011||Messagemind, Inc.||System and method for dynamic adaptive user-based prioritization and display of electronic messages|
|US7941842||28 Oct 2008||10 May 2011||Unspam, Llc.||Method and apparatus for a non-revealing do-not-contact list system|
|US7949718||30 Nov 2009||24 May 2011||At&T Intellectual Property I, L.P.||Phonetic filtering of undesired email messages|
|US7966658||8 Apr 2004||21 Jun 2011||The Regents Of The University Of California||Detecting public network attacks using signatures and fast content analysis|
|US7975010||23 Mar 2005||5 Jul 2011||Symantec Corporation||Countering spam through address comparison|
|US7979907 *||18 Dec 2008||12 Jul 2011||The Trustees Of Columbia University In The City Of New York||Systems and methods for detection of new malicious executables|
|US8001193 *||16 May 2006||16 Aug 2011||Ntt Docomo, Inc.||Data communications system and data communications method for detecting unsolicited communications|
|US8010685||9 Nov 2005||30 Aug 2011||Cisco Technology, Inc.||Method and apparatus for content classification|
|US8028026 *||31 May 2006||27 Sep 2011||Microsoft Corporation||Perimeter message filtering with extracted user-specific preferences|
|US8046832||26 Jun 2002||25 Oct 2011||Microsoft Corporation||Spam detector with challenges|
|US8056128 *||30 Sep 2004||8 Nov 2011||Google Inc.||Systems and methods for detecting potential communications fraud|
|US8056131 *||26 Apr 2004||8 Nov 2011||Cybersoft, Inc.||Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data and files and their transfer|
|US8065370||3 Nov 2005||22 Nov 2011||Microsoft Corporation||Proofs to filter spam|
|US8090778||11 Dec 2006||3 Jan 2012||At&T Intellectual Property I, L.P.||Foreign network SPAM blocker|
|US8103732 *||24 Jan 2012||Verisign, Inc.||Methods for control and management of electronic messaging based on sender information|
|US8122508 *||29 Oct 2007||21 Feb 2012||Sonicwall, Inc.||Analyzing traffic patterns to detect infectious messages|
|US8145710||17 Jun 2004||27 Mar 2012||Symantec Corporation||System and method for filtering spam messages utilizing URL filtering module|
|US8161122||13 Nov 2007||17 Apr 2012||Messagemind, Inc.||System and method of dynamically prioritized electronic mail graphical user interface, and measuring email productivity and collaboration trends|
|US8166310||26 May 2005||24 Apr 2012||Ironport Systems, Inc.||Method and apparatus for providing temporary access to a network device|
|US8171549 *||26 Apr 2004||1 May 2012||Cybersoft, Inc.||Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data, files and their transfer|
|US8180838 *||29 Aug 2008||15 May 2012||Microsoft Corporation||Efficiently managing modular data storage systems|
|US8191105 *||18 Nov 2005||29 May 2012||Research In Motion Limited||System and method for handling electronic messages|
|US8201254||30 Aug 2005||12 Jun 2012||Symantec Corporation||Detection of e-mail threat acceleration|
|US8214438||1 Mar 2004||3 Jul 2012||Microsoft Corporation||(More) advanced spam detection features|
|US8218765||22 Feb 2002||10 Jul 2012||Hewlett-Packard Development Company, L.P.||Information system|
|US8219496||22 Feb 2002||10 Jul 2012||Hewlett-Packard Development Company, L.P.||Method of and apparatus for ascertaining the status of a data processing environment|
|US8224905||6 Dec 2006||17 Jul 2012||Microsoft Corporation||Spam filtration utilizing sender activity data|
|US8250159||23 Jan 2009||21 Aug 2012||Microsoft Corporation||Message rendering for identification of content features|
|US8255995||27 May 2010||28 Aug 2012||Cisco Technology, Inc.||Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing|
|US8296842||1 Dec 2004||23 Oct 2012||The Regents Of The University Of California||Detecting public network attacks using signatures and fast content analysis|
|US8301702 *||12 Mar 2004||30 Oct 2012||Cloudmark, Inc.||Method and an apparatus to screen electronic communications|
|US8316442 *||15 Jan 2008||20 Nov 2012||Microsoft Corporation||Preventing secure data from leaving the network perimeter|
|US8332947||27 Jun 2006||11 Dec 2012||Symantec Corporation||Security threat reporting in light of local security tools|
|US8392511 *||17 Jan 2008||5 Mar 2013||International Business Machines Corporation||Embedding a unique serial number into the content of an email for tracking information dispersion|
|US8402102||19 Mar 2013||Symantec Corporation||Method and apparatus for filtering email spam using email noise reduction|
|US8413245 *||1 May 2006||2 Apr 2013||Cisco Technology, Inc.||Methods and apparatus providing computer and network security for polymorphic attacks|
|US8423616 *||3 May 2007||16 Apr 2013||Microsoft Corporation||Identifying and correlating electronic mail messages|
|US8463938 *||23 Oct 2009||11 Jun 2013||Comcast Cable Communications, Llc||Address couplet communication filtering|
|US8495037 *||21 Feb 2006||23 Jul 2013||Symantec Operating Corporation||Efficient isolation of backup versions of data objects affected by malicious software|
|US8495144 *||6 Oct 2004||23 Jul 2013||Trend Micro Incorporated||Techniques for identifying spam e-mail|
|US8495743||1 May 2006||23 Jul 2013||Cisco Technology, Inc.||Methods and apparatus providing automatic signature generation and enforcement|
|US8515894 *||30 Dec 2009||20 Aug 2013||Gozoom.Com, Inc.||Email analysis using fuzzy matching of text|
|US8515965 *||23 Feb 2012||20 Aug 2013||Lsi Corporation||Concurrent linked-list traversal for real-time hash processing in multi-core, multi-thread network processors|
|US8528084||23 Sep 2011||3 Sep 2013||Google Inc.||Systems and methods for detecting potential communications fraud|
|US8533270||23 Jun 2003||10 Sep 2013||Microsoft Corporation||Advanced spam detection techniques|
|US8539587||22 Mar 2006||17 Sep 2013||Hewlett-Packard Development Company, L.P.||Methods, devices and data structures for trusted data|
|US8572190 *||1 Dec 2009||29 Oct 2013||Watchguard Technologies, Inc.||Method and system for recognizing desired email|
|US8577680||30 Dec 2006||5 Nov 2013||Emc Corporation||Monitoring and logging voice traffic on data network|
|US8606860 *||20 Oct 2005||10 Dec 2013||Affini, Inc.||System and method for providing filtering email messages|
|US8615802||23 Sep 2011||24 Dec 2013||Google Inc.||Systems and methods for detecting potential communications fraud|
|US8677490 *||8 Dec 2006||18 Mar 2014||Samsung Sds Co., Ltd.||Method for inferring maliciousness of email and detecting a virus pattern|
|US8700913||23 Sep 2011||15 Apr 2014||Trend Micro Incorporated||Detection of fake antivirus in computers|
|US8719356||17 Apr 2012||6 May 2014||Return Path, Inc||Methods, systems, and computer readable media for monitoring deliverability of electronic mail based on subscriber and seed deliverability data|
|US8732245 *||7 Feb 2003||20 May 2014||Blackberry Limited||Method, system and computer software product for pre-selecting a folder for a message|
|US8732825 *||28 May 2008||20 May 2014||Symantec Corporation||Intelligent hashes for centralized malware detection|
|US8745146||13 Jan 2012||3 Jun 2014||Verisign, Inc.||Control and management of electronic messaging|
|US8775604 *||2 Nov 2009||8 Jul 2014||Barracuda Networks, Inc.||Distributed frequency data collection via indicator embedded with DNS request|
|US8832202 *||10 Sep 2008||9 Sep 2014||Fujitsu Limited||E-mail information management apparatus, and E-mail information management method|
|US8850566||29 Oct 2007||30 Sep 2014||Sonicwall, Inc.||Time zero detection of infectious messages|
|US8892673 *||9 Aug 2004||18 Nov 2014||Radix Holdings, Llc||Hybrid challenge-response|
|US8904490||10 May 2011||2 Dec 2014||Unspam, Llc||Method and apparatus for a non-revealing do-not-contact list system|
|US8955106||24 Aug 2007||10 Feb 2015||Sonicwall, Inc.||Managing infectious forwarded messages|
|US8955136||20 Feb 2012||10 Feb 2015||Sonicwall, Inc.||Analyzing traffic patterns to detect infectious messages|
|US8996638||1 Nov 2013||31 Mar 2015||Kaspersky Lab Zao||System and method for spam filtering using shingles|
|US9083695||13 May 2014||14 Jul 2015||Verisign, Inc.||Control and management of electronic messaging|
|US9116879||25 May 2011||25 Aug 2015||Microsoft Technology Licensing, Llc||Dynamic rule reordering for message classification|
|US20040003283 *||26 Jun 2002||1 Jan 2004||Goodman Joshua Theodore||Spam detector with challenges|
|US20040111531 *||6 Dec 2002||10 Jun 2004||Stuart Staniford||Method and system for reducing the rate of infection of a communications network by a software worm|
|US20040148506 *||24 Sep 2003||29 Jul 2004||Prince Matthew B.||Method and apparatus for a non-revealing do-not-contact list system|
|US20040167964 *||25 Feb 2003||26 Aug 2004||Rounthwaite Robert L.||Adaptive junk message filtering system|
|US20040177110 *||3 Mar 2003||9 Sep 2004||Rounthwaite Robert L.||Feedback loop for spam prevention|
|US20040199595 *||16 Jan 2003||7 Oct 2004||Scott Banister||Electronic message delivery using a virtual gateway approach|
|US20040199773 *||26 Apr 2004||7 Oct 2004||Radatti Peter V.||Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data and files and their transfer|
|US20040205135 *||25 Mar 2003||14 Oct 2004||Hallam-Baker Phillip Martin||Control and management of electronic messaging|
|US20040215977 *||13 Feb 2004||28 Oct 2004||Goodman Joshua T.||Intelligent quarantining for spam prevention|
|US20040221062 *||2 May 2003||4 Nov 2004||Starbuck Bryan T.||Message rendering for identification of content features|
|US20040260776 *||23 Jun 2003||23 Dec 2004||Starbuck Bryan T.||Advanced spam detection techniques|
|US20040260922 *||25 Mar 2004||23 Dec 2004||Goodman Joshua T.||Training filters for IP address and URL learning|
|US20050015454 *||20 Jun 2003||20 Jan 2005||Goodman Joshua T.||Obfuscation of spam filter|
|US20050021649 *||20 Jun 2003||27 Jan 2005||Goodman Joshua T.||Prevention of outgoing spam|
|US20050022008 *||4 Jun 2003||27 Jan 2005||Goodman Joshua T.||Origination/destination features and lists for spam prevention|
|US20050022014 *||6 Nov 2002||27 Jan 2005||Shipman Robert A||Computer security system|
|US20050080642 *||14 Oct 2003||14 Apr 2005||Daniell W. Todd||Consolidated email filtering user interface|
|US20050080860 *||14 Oct 2003||14 Apr 2005||Daniell W. Todd||Phonetic filtering of undesired email messages|
|US20050080889 *||14 Oct 2003||14 Apr 2005||Malik Dale W.||Child protection from harmful email|
|US20050091321 *||14 Oct 2003||28 Apr 2005||Daniell W. T.||Identifying undesired email messages having attachments|
|US20050097174 *||14 Oct 2003||5 May 2005||Daniell W. T.||Filtered email differentiation|
|US20050108339 *||13 May 2004||19 May 2005||Matt Gleeson||Method and apparatus for filtering email spam using email noise reduction|
|US20050154601 *||9 Jan 2004||14 Jul 2005||Halpern Joshua I.||Information security threat identification, analysis, and management|
|US20050188032 *||12 Jan 2005||25 Aug 2005||Katsuyuki Yamazaki||Mass mail detection system and mail server|
|US20050193073 *||1 Mar 2004||1 Sep 2005||Mehr John D.||(More) advanced spam detection features|
|US20050198289 *||12 Mar 2004||8 Sep 2005||Prakash Vipul V.||Method and an apparatus to screen electronic communications|
|US20050204005 *||12 Mar 2004||15 Sep 2005||Purcell Sean E.||Selective treatment of messages based on junk rating|
|US20050204006 *||12 Mar 2004||15 Sep 2005||Purcell Sean E.||Message junk rating interface|
|US20050223221 *||25 Mar 2005||6 Oct 2005||Proudler Graeme J||Apparatus and method for creating a trusted environment|
|US20050229254 *||8 Apr 2004||13 Oct 2005||Sumeet Singh||Detecting public network attacks using signatures and fast content analysis|
|US20050240910 *||26 Apr 2004||27 Oct 2005||Radatti Peter V||Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data, files and their transfer|
|US20050265319 *||26 May 2005||1 Dec 2005||Clegg Paul J||Method and apparatus for destination domain-based bounce profiles|
|US20050283837 *||6 Dec 2004||22 Dec 2005||Michael Olivier||Method and apparatus for managing computer virus outbreaks|
|US20060010215 *||27 May 2005||12 Jan 2006||Clegg Paul J||Managing connections and messages at a server by associating different actions for both different senders and different recipients|
|US20060010217 *||3 Jun 2005||12 Jan 2006||Business Instruments Corp.||System and method for dynamic adaptive user-based prioritization and display of electronic messages|
|US20060026236 *||7 Feb 2003||2 Feb 2006||Research In Motion Limited||Method, system and computer software product for pre-selecting a folder for a message|
|US20060031314 *||28 May 2004||9 Feb 2006||Robert Brahms||Techniques for determining the reputation of a message sender|
|US20060031338 *||9 Aug 2004||9 Feb 2006||Microsoft Corporation||Challenge response systems|
|US20060031359 *||27 May 2005||9 Feb 2006||Clegg Paul J||Managing connections, messages, and directory harvest attacks at a server|
|US20060036693 *||12 Aug 2004||16 Feb 2006||Microsoft Corporation||Spam filtering with probabilistic secure hashes|
|US20060036695 *||12 Aug 2004||16 Feb 2006||Rolnik Robert C||Timed delivery of alert notifications based on user set criteria|
|US20060059238 *||27 May 2005||16 Mar 2006||Slater Charles S||Monitoring the flow of messages received at a server|
|US20060095523 *||17 Jun 2005||4 May 2006||Bruno Decarpigny||System and method for sending messages into a communications network by electronic mail, based on the use of a send filter|
|US20060098585 *||9 Nov 2005||11 May 2006||Cisco Technology, Inc.||Detecting malicious attacks using network behavior and header analysis|
|US20060101680 *||27 May 2005||18 May 2006||Smith Michael J||Container contents identifier|
|US20060123476 *||11 Feb 2005||8 Jun 2006||Karim Yaghmour||System and method for warranting electronic mail using a hybrid public key encryption scheme|
|US20060161986 *||9 Nov 2005||20 Jul 2006||Sumeet Singh||Method and apparatus for content classification|
|US20060161989 *||12 Dec 2005||20 Jul 2006||Eran Reshef||System and method for deterring rogue users from attacking protected legitimate users|
|US20060168059 *||20 Oct 2005||27 Jul 2006||Affini, Inc.||System and method for providing filtering email messages|
|US20060168202 *||12 Dec 2005||27 Jul 2006||Eran Reshef||System and method for deterring rogue users from attacking protected legitimate users|
|US20060212523 *||21 Mar 2005||21 Sep 2006||International Business Machines Corporation||Policy based control of multiple message forwards|
|US20060262867 *||16 May 2006||23 Nov 2006||Ntt Docomo, Inc.||Data communications system and data communications method|
|US20080109448 *||18 Jan 2008||8 May 2008||Messageone, Inc.||System and Method for Managing Data Across Multiple Environments|
|US20080313708 *||12 Jun 2007||18 Dec 2008||Alcatel Lucent||Data content matching|
|US20090300761 *||3 Dec 2009||John Park||Intelligent Hashes for Centralized Malware Detection|
|US20100058023 *||4 Mar 2010||Microsoft Corporation||Efficiently managing modular data storage systems|
|US20100077480 *||8 Dec 2006||25 Mar 2010||Samsung Sds Co., Ltd.||Method for Inferring Maliciousness of Email and Detecting a Virus Pattern|
|US20100106677 *||30 Dec 2009||29 Apr 2010||Gozoom.Com, Inc.||Email analysis using fuzzy matching of text|
|US20110099291 *||28 Apr 2011||Comcast Cable Communications, Llc||Address Couplet Communication Filtering|
|US20110145267 *||1 Jun 2009||16 Jun 2011||Jean-Pierre David||File presence detection and monitoring|
|US20120158729 *||23 Feb 2012||21 Jun 2012||Lsi Corporation||Concurrent linked-list traversal for real-time hash processing in multi-core, multi-thread network processors|
|US20130246378 *||30 Apr 2007||19 Sep 2013||Stephen Owen Hearnden||Partial hash system, method, and computer program product|
|US20130246550 *||14 May 2013||19 Sep 2013||Camcast Cable Communications, LLC||Address Couplet Communication Filtering|
|EP2315407A2 *||24 Sep 2010||27 Apr 2011||Comcast Cable Communications, LLC||Address couplet communication filtering|
|EP2715565A4 *||25 May 2012||15 Jul 2015||Microsoft Technology Licensing Llc||Dynamic rule reordering for message classification|
|EP2811699A1 *||26 Nov 2013||10 Dec 2014||Kaspersky Lab, ZAO||System and method for spam filtering using shingles|
|WO2004088455A3 *||24 Mar 2004||15 Dec 2005||Verisign Inc||Control and management of electronic messaging|
|WO2005103899A1 *||1 Dec 2004||3 Nov 2005||Univ California||Detecting public network attacks using signatures and fast content analysis|
|WO2005119482A1 *||27 May 2005||15 Dec 2005||Clegg Paul J||Method and apparatus for destination domain-based bounce profiles|
|WO2005119485A1 *||31 May 2005||15 Dec 2005||Paul J Clegg||Method and apparatus for mail flow monitoring|
|WO2006048529A1 *||26 Oct 2005||11 May 2006||Bruno Decarpigny||System and method for transmitting messages in an electronic messaging communication network, using a transmission filter|
|WO2009146536A1||1 Jun 2009||10 Dec 2009||Corporation De L'ecole Polytechnique De Montreal||File presence detection and monitoring|
|WO2012007202A1 *||13 May 2011||19 Jan 2012||F-Secure Corporation||Identifying polymorphic malware|
|U.S. Classification||709/206, 709/224|
|International Classification||H04L12/58, G06F21/00, H04L29/06|
|Cooperative Classification||H04L12/585, H04L63/145, G06F21/562, H04L51/12|
|European Classification||H04L63/14D1, G06F21/56B, H04L12/58F|
|4 Sep 2003||AS||Assignment|
Owner name: BBNT SOLUTIONS LLC, MASSACHUSETTS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MILLIKEN, WALTER CLARK;STRAYER, WILLIAM TIMOTHY;MILLIGAN, STEPHEN DOUGLAS;REEL/FRAME:014474/0767
Effective date: 20030902
|12 May 2004||AS||Assignment|
Owner name: FLEET NATIONAL BANK, AS AGENT,MASSACHUSETTS
Free format text: PATENT & TRADEMARK SECURITY AGREEMENT;ASSIGNOR:BBNT SOLUTIONS LLC;REEL/FRAME:014624/0196
Effective date: 20040326
|2 Mar 2006||AS||Assignment|
Owner name: BBN TECHNOLOGIES CORP.,MASSACHUSETTS
Free format text: MERGER;ASSIGNOR:BBNT SOLUTIONS LLC;REEL/FRAME:017274/0318
Effective date: 20060103
|22 Sep 2008||AS||Assignment|
Owner name: STRAGENT, LLC, TEXAS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BBN TECHNOLOGIES CORP.;REEL/FRAME:021567/0572
Effective date: 20080915
|27 Oct 2009||AS||Assignment|
|8 Feb 2010||AS||Assignment|
Owner name: STRAGENT, LLC,TEXAS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AZURE NETWORKS, LLC;REEL/FRAME:023905/0349
Effective date: 20090820
Owner name: AZURE NETWORKS, LLC,TEXAS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:STRAGENT, LLC;REEL/FRAME:023909/0810
Effective date: 20081010