JP2008519532A - Message profiling system and method - Google Patents

Abstract

A method and system for operation on one or more data processors that processes a communication to determine whether the communication is to be delivered to a recipient based on message classification or message sender characteristics. One embodiment of the present invention provides a method operating on one or more data processors for specifying a reputation for a messaging entity, the method identifying one or more characteristics associated with communication of the messaging entity. And determining a reputation score based on the received identification data, wherein the determined reputation score indicates the reputation of the messaging entity and the determined reputation score Is used to determine what action should be taken for communications associated with the messaging entity.

Description

  This document relates broadly to systems and methods for handling communications, and in particular to systems and methods for filtering communications.

  In the anti-spam industry, spammers use a variety of original means to avoid detection by spam filters. Available anti-spam systems include fail-open systems, where all incoming messages are filtered for spam. However, these systems can be inefficient and inaccurate in messages that are correctly classified as legitimate or spam.

  In accordance with the teachings disclosed herein, methods and systems are provided for operation on one or more data processors that specify a reputation for a messaging entity. For example, the method and system includes receiving data identifying one or more characteristics associated with communication of a messaging entity and determining a reputation based on the received identification data, the determined reputation The score indicates the reputation of the messaging entity, and the determined reputation score is used to determine what action should be taken for communications associated with the messaging entity.

  As another example, systems and methods for performing transmission filtering that utilizes transmission sender reputation scores are provided. The system and method identify at least one characteristic for a transmission from a sender, perform a real-time query against a reputation system that includes the transmission characteristic, and receive a score that represents the reputation associated with the transmission And performing actions corresponding to a range of sender reputation scores in a transmission from the sender.

  As another example, a system and method for filtering a group of transmissions utilizing transmission sender reputation scores is provided. For example, the system and method can group multiple transmissions together based on content similarity or similarity in transmission sender behavior, identify at least one characteristic for each transmission in the grouping, and Querying and receiving a score representing the reputation of each sender and classifying the group of transmissions based on the percentage of senders with a good reputation and those with a bad reputation in the group.

  As another example, systems and methods are provided for tuning and training a filtering system that utilizes a transmission sender's reputation score in a trainable transmission set. For example, the method identifies at least one characteristic for a transmission from a sender, queries the reputation system, receives a score representing the sender's reputation, and falls within a range where the sender's reputation score is classified. Classifying the transmissions into a plurality of categories based on and passing the transmission and transmission classification categories to a trainer of another filtering system to be used for optimization of the filtering system.

  As another example, systems and methods are provided that operate on one or more data processors to classify communications from messaging entities. For example, the system and method receive a communication from a messaging entity, use a plurality of message classification techniques to classify the communication, and combine the message classification output to generate a message profile score. The message profile score is used to determine what action should be taken for communications associated with the messaging entity.

  As another example, such a system and method includes identifying at least one characteristic for a transmission from a sender, querying the reputation system, receiving a score representing the sender's reputation, Classify transmissions into multiple categories based on the extent to which their reputation scores are classified, and pass transmission and transmission classification categories to another filtering system trainer to be used for filtering system optimization Can be included.

  As another example, such systems and methods can receive communications from a messaging entity, use multiple message classification techniques to classify communications, and generate messages to generate message profile scores. Combining the classification outputs, the message profile score is used to determine what action should be taken for communications associated with the messaging entity.

  In accordance with the teachings disclosed herein, methods and systems are provided for operation on one or more data processors that classify communications from a messaging entity. For example, the systems and methods may include multiple message classification techniques, which are configured to classify communications received from a messaging entity. The system and method may further include message profiling logic configured to combine the message classification outputs to generate a message profile score, the message profile score taking action for communications associated with the messaging entity. Used to determine what to do.

  As another example, methods and systems may include receiving communications delivered from a messaging entity. Multiple message classification techniques are used to classify communications. A message classification technique is associated with a confidence value, and the confidence value is used to generate a message classification output from the message classification technique. The message classification outputs are combined to generate a message profile score. The message profile score is used to determine what action should be taken for communications associated with the messaging entity.

  As another example, the systems and methods may utilize multiple message classification techniques that are configured to classify communications received from a messaging entity. Message profiling logic may be configured to combine the message classification outputs to generate a message profile score. The message profile score is used to determine what action should be taken for communications associated with the messaging entity.

  As another example, the system and method may be used to adjust message classification parameters for use with one or more message classification techniques. A plurality of input data is received (eg, via input logic or processing instructions) that is a plurality of communications or that represents a plurality of data. The tuner program is used to adjust message classification parameters associated with message classification techniques. Communication is received from the messaging entity. The adjusted message classification parameters are used by multiple message classification techniques to classify communications. Message classification outputs from multiple message classification techniques are combined to generate a message profile score. The message profile score is used to determine what action should be taken for communications associated with the messaging entity.

(Detailed explanation)
FIG. 1 depicts a system for handling transmissions received over a network 40 at 30. The transmission can be many different types of communications (eg, an e-mail message sent from one or more messaging entities 50). System 30 assigns a classification to a messaging entity (eg, messaging entity 52) and takes action with respect to the messaging entity's communication based on the classification specified for the messaging entity.

  The system 30 uses a filtering system 60 and a reputation system 70 to support processing communications from the messaging entity 50. Filtering system 60 uses reputation system 70 to assist in determining what filtering actions (if any) are made on the messaging entity's communication. For example, the communication can be determined to be from a reputable source, so the communication is not filtered.

  The filtering system 60 identifies at 62 one or more message characteristics associated with the received communication and provides identification information to the reputation system 70. The reputation system 70 evaluates the reputation by calculating the probability that the identified message characteristic indicates a particular quality. The overall reputation score is determined based on the calculated probability and provided to the filtering system 60.

  Filtering system 60 examines a reputation score at 64 to determine what action is taken for sender communication (eg, a communication transmission is located in message receiving system 80, Whether it is delivered to the designated recipient of the communication). Filtering system 60 may determine that communications are handled based on the whole or part of the scored reputation provided by reputation system 70. Illustratively, the communication can be determined to be from a non-reputable sender, resulting in the communication being treated as a Spam (eg, deleted, quarantine, etc.).

  Reputation systems can be configured in many different ways to support filtering systems. For example, reputation system 70 may be located external to or internal to filtering system 60 depending on the current situation. As another example, FIG. 2 depicts a reputation system 70 configured to calculate a reputation score based on such message characteristic identification information as the sender's identity as shown at 82. Yes. It will be appreciated that other message characteristics may be used in place of or in addition to the sender identity. Further, transmissions can be from many different types of messaging entities (eg, domain names, IP addresses, telephone numbers, or individual electronic addresses, user names that represent organizations, computers, or individual to send electronic messages) Users). For example, the generated classification of reputable and unreputable may be based on IP transmission trends for sending unwanted transmissions or legitimate communications.

System configuration 90 is also shown in FIG. 2 and may be established by identifying a set of binary testable criteria 92, which is a strong discriminator between good senders and bad senders. I think that the. P (NR | C _i ) may be defined as the probability that the sender is not reputable if the sender follows the quality / criteria C _i , and P (R | C _i ) If the criterion C _i is followed, the sender can be defined as a reputable function.

For each quality / criterion C _i , a periodic (eg, daily, weekly, monthly, etc.) sampling exercise is performed to recalculate P (NR | C _i ). Can be broken. The sampling exercise may include selecting a random sample set S of sender N that is known to have a quality / criterion C _{i that} is true. The senders in the sample are then sorted into one of the following sets: reputable (R), not reputable (NR), or unknown (U). N _R is the number of the sender in the sample is reputable sender, N _NR is the sender number of the sender reputation is not good, and the like. P (NR | C _i ) and P (R | C _i ) can then be represented by the formula:

を用いて推定される。この目的において、Ｎ＝３０は、各々の質／判定基準Ｃ_ｉに対してＰ（ＮＲ｜Ｃ_ｉ）およびＰ（Ｒ｜Ｃ_ｉ）の正確な推定を達成するためには大きすぎるサンプルサイズであることが決定される。

Is used to estimate. For this purpose, N = 30 is a sample size that is too large to achieve an accurate estimate of P (NR | C _i ) and P (R | C _i ) for each quality / criteria C _i . It is determined that there is.

After calculating P (NR | C _i ) and P (R | C _i ) for all criteria, the calculated probability is the sum of the unreputable probabilities P _NR 94 for each sender in the reputation space. , and used to reputation is calculated the total P _R 96 probability of a good sender. These probabilities are given by the formula:

を用いて計算され得る。実験においては、上記の式は広範囲の入力判定基準の組み合わせに対して非常に良い挙動を見せ、実際には、それらの挙動は、入力判定基準の「評判が良くない」および「評判が良い」挙動の条件付き確率の単純な（ｎａｉｖｅ）結合を正確に算出するための式の挙動に類似するように見える。

Can be calculated using In experiments, the above formulas behave very well for a wide range of input criteria combinations, and in fact, these behaviors are “not-reputable” and “reputable” input criteria. It appears to be similar to the behavior of the formula for accurately calculating the naive combination of conditional probabilities of behavior.

For each sender, after calculating the P _NR and P _R, the reputation score is below the reputation function, on the sender:

を用いて計算される。異なる関数が、評判スコアのデタミネータ９８として振舞い、関数の表現に加えて、多くの異なる形式で表現され得ることが理解される。実例として、図３は、１００において評判スコアを決定するための表形式を描いている。表は、Ｐ_ＮＲおよびＰ_Ｒに基づいて、それらが０．０〜１．０の間で変動する場合に、上記の関数により生成される評判スコアを示している。例えば、１１０に示されているように、５３という評判スコアはＰ_ＮＲ＝０．９およびＰ_Ｒ＝０．２の組み合わせにおいて取得される。この評判スコアは、センダが評判が良いと考慮されない比較的高い指標である。０という評判スコアは、Ｐ_ＮＲおよびＰ_Ｒが同一である場合に取得される（例えば、１２０において示されるように、Ｐ_ＮＲ＝０．７およびＰ_Ｒ＝０．７の場合に、評判スコアが０になる）。評判スコアは、Ｐ_ＲがＰ_ＮＲよりも大きい場合に決定される、センダが比較的評判が良いことを指示するための負の値を有し得る。例えば、１３０に示されるように、Ｐ_ＮＲ＝０．５およびＰ_Ｒ＝０．８の場合には、評判スコアは−１２である。

Is calculated using It is understood that different functions behave as reputation score determinators 98 and can be expressed in many different forms in addition to the function representation. Illustratively, FIG. 3 depicts a tabular format for determining a reputation score at 100. _Table, based on the _{P NR} and _{P R,} if they vary between 0.0 and 1.0 shows a reputation score generated by the above function. For example, as shown at 110, a reputation score of 53 is obtained in a combination of P _NR = 0.9 and P _R = 0.2. This reputation score is a relatively high indicator that a sender is not considered to have a good reputation. Reputation score of 0 _is obtained when _{P NR} and _{P R} are the same (e.g., as indicated at _120, in the case of P NR = 0.7 and _P R = 0.7, the reputation score 0). Reputation score, P _R is determined is larger than P _NR, it may have a negative value to indicate that the sender is relatively reputable. For example, as shown at 130, if P _NR = 0.5 and P _R = 0.8, the reputation score is -12.

The reputation score may be shown graphically as depicted at 150 in FIG. Graph 150 _is based on the value of _{P NR} and _{P R,} was generated from the above functions. Figure 4 is a section _{P NR,} and _{P R} are as the probability that varies between each of 0.0 to 1.0, is used as the probability of each probability Nonsupamu property (hamminess), and spam of (spamminess) In that respect, it illustrates the determination of reputation scores in the context of Spam.

  As shown in these examples, a reputation score may be a numeric reputation that specifies a messaging entity based on communication characteristics (eg, messaging entity characteristics) and / or behavior of the messaging entity. . The numerical reputation may fluctuate between a continuous spectrum with a good reputation classification and a continuous spectrum with a poor reputation classification. However, the reputation can be non-numerical, for example, depending on the category of text or categories of text at multiple levels.

  FIG. 5 depicts an operational scenario, where the reputation system is used by the filtering system to generate a reputation score. In this operational scenario, a reputation score is calculated at a particular sender (eg, IP address, domain name, telephone number, address, etc.) from a set of input data. Referring to FIG. 5, data is collected in the steps 200 necessary to calculate the unreputable and reputable probabilities at the sender. The data is then integrated at step 210 and used to calculate the probability at step 220. This includes determining the probability of not having a good reputation for the sender and the probability of having a good reputation in the various selected criteria. The total probability of not having a good reputation and the total probability of having a good reputation are then calculated for each sender.

  After calculating the sum of the probable probabilities for each sender and the sum of the probable probabilities, a reputation score is calculated at 230 for that sender using the reputation function. In step 240, the sender's reputation score is distributed locally and / or to one or more systems to evaluate communications associated with the sender. Illustratively, the reputation score can be distributed to a filtering system. Depending on the reputation score, the filtering system may be chosen to act on the transmission based on the extent to which the sender's reputation score is classified. For unreputable senders, the filtering system may choose to drop the transmission (eg, quietly), choose to store it in an isolated area, or flag the transmission as suspicious. You can choose to stand. In addition, the filter system applies such behavior without requiring a new look-up query to make the reputation system create all future transmissions from this sender for a specific period of time. Can be chosen to do. For reputable senders, filtering systems allow transmissions to bypass all or certain filtering techniques that cause significant processing overhead, network overhead, or storage overhead in the filtering system. And apply the behavior as well.

  As with other process flows described herein, it is understood that the processes and order of processes can be changed, changed and / or augmented, yet still achieve desirable results. For example, an optional addition to the step of extracting unique identifying information about the sender of the transmission may be a certain part of the transmission (e.g., the domain name that is said to be sent in the header of the message). It may be to use a sender authentication technique for authenticating to unforgeable information about the sender (e.g., the IP address from which the transmission originated). This process may allow the filtering system to perform a lookup on the reputation system by querying information (eg, domain name, or email address) that is probably fake and not authenticated. If such a domain, or address, has a positive reputation, the transmission can be delivered directly to the recipient's system by bypassing all or some filtering techniques. If such a domain, or address, has a negative reputation, the filtering system may choose to drop the transmission, choose to store it in the quarantine area, or flag as suspicious You can choose to stand up.

  Many different types of sender authentication techniques can be used (eg, the Sender Policy Framework (SPF) technique). SPF is a protocol that allows domain owners to publish DNS records that indicate which IP addresses are allowed to send mail on behalf of known domains. As another non-limiting example, SenderID, or DomainKeys can be used as a sender authentication technique.

  As another example, many different types of criteria may be used in the processing of sender communications. FIG. 6 depicts the use of a bad reputation criterion 300 and a good reputation criterion 310 in use in determining a reputation score.

The non-reputable criterion 300 and the reputable criterion 310 help to distinguish between a non-reputable sender and a reputable sender. The set of criteria can often change without significantly affecting the reputation score generated using this scoring technique. Illustratively within the context of SPAM identification, the following is a list of spammy criteria that can be used to score a sender's reputation score for a message. The list is not intended to be exhaustive and may be adapted to include other criteria or remove criteria based on observed behavior.
1. Mean Spam Score: If the average spam profiler score of a transmission sent by a sender exceeds a certain threshold W, the sender is declared “not well-received”.
2. RDNS Lookup Failer: When a reverse domain name system (RDNS) queries the sender's IP address fail, the sender is declared "not reputable" .
3. RBL Membership: If a sender is included in a real-time blackhole list (RBL), the sender is declared “not-reputable”. (Note: Multiple RBLs may be used. Each RBL may constitute a separate test criterion.)
4). Mail Volume: If the sender's average (average or median) transmission volume exceeds a threshold X, the sender is declared "not well-received". Here, X is measured at the transmission in the period (eg, one day, one week, or one month). (Note: Multiple average amounts over multiple time periods may be used, and each average amount may constitute a separate test criterion.)
5. Mail Burstyness / Sending History: Sender average (average or median) transmission traffic pattern burstiness (for a larger period of time (eg, daily active transmission) If the number of active transmission subperiods (in hours, or the number of active transmission days in a month) is less than a certain threshold Y, the sender declares it "not good" Is done. Here, Y is measured in a subperiod for each period. (Note: Multiple average burstiness measured over multiple periods may be used, and each average burstiness measurement may constitute a separate test criterion.)
6). Mail Blades: Sender's average (average or median) transmission traffic breadth (from the same sender during a period (eg, one day, one week, or one month) If the threshold (defined by the percentage of systems receiving the transmission) exceeds a certain threshold Z, the sender is declared "not well-received". (Note: Multiple average blades over multiple periods may be used, and each average blade measurement may constitute a separate test criterion.)
7). Malware Activity: If the sender is known to deliver one or more malware codes (eg, virus, spyware, intrusion code) during the measurement period, the sender Is declared "not popular".
8). Type of Address: If known to be dynamically specified by the Internet Service Provider (ISP) as a dial-up or broadband Dynamic Host Control Protocol (DHCP) client, The sender is declared "not well-received".
9. CIDR Block Spamminess: When the sender's IP address is known to reside in a Classless Inter-Domain Routing (CIDR) block that primarily contains "bad" IP addresses Sender is declared "not well-received".
10. Human Feedback: If a sender reports that an undesired transmission is being sent by people who analyze the content and other characteristics of these transmissions, the sender is “not well received. Is declared.
11. Spam Trap Feedback: When a sender sends a transmission to an account that is declared as a spam trap and is not supposed to receive any legitimate transmission, The sender is declared "not well-received".
12 Bounceback Feedback: If a sender sends a bounceback transmission, or if the transmission is sent to an account that does not exist in the destination system, the sender is said to be “unreputable”. Declared.
13. Legislation / Standards Conformance: When a sender does not comply with transmission behavior laws, rules, and established standards in either the transmission sender and / or recipient country of operation Sender is declared "not well-received".
14 Continuity of Operation: If a sender is not operated at a position that transmits longer than a certain threshold Z, the sender is declared "not well-received".
15. Responsiveness to Recipient Demands: For the legitimate demands of the recipient to terminate the relationship with the sender so that the sender does not receive any further transmission from the sender. If the sender does not respond in a reasonable time frame, the sender is declared “not well-received”.

The following is a list of “reputable” criteria that can be used to determine a sender ’s “reputable”. The list is not intended to be exhaustive and may be adapted to include other criteria or remove criteria based on observed behavior.
1. Mean Spam Score: A sender is declared “reputable” if the transmission's average spam profiler score is below a certain threshold W.
2. Human Feedback: Senders are reported to be sent only legitimate transmissions by people who analyze transmission flows from their senders related to the reputation of the organization to which those sending stations belong In some cases, the sender is declared “reputable”.

  In the sender's world, after calculating the reputation rating of each sender, the reputation classification is via a communication protocol that can be interpreted by a queryer (eg DNS, HTTP, etc.) that uses the reputation system. Can be made available. As shown in FIG. 7, if a query 350 has been issued to the sender, the reputation system can optionally be used by the queryer to make a final decision on the acceptability of the sender's transmission. May be responsive to a return value 360 that includes the sender's reputation score as well as other relevant additional information (eg, age of the decision score, input data determining the score, etc.).

  An example of a communication protocol that may be used is a Domain Name System (DNS) server, which may respond to a return value in the form of an IP address (172.xyz). The IP address is the formula:

を用いてエンコードされ得る。

Can be encoded using

The sent sender's reputation is as follows from the return value:
rep = (-1) ^2-x * (256y + z)
Can be deciphered.

Therefore, when x = 0, the returned reputation is a positive number, and when x = 1, the returned reputation is a negative number. The absolute value of reputation is determined from the y and z values. This encoding scheme allows the server to return reputation values in the range [−65535, 65535] via the DNS protocol. It also leaves 7 (7) unused bits (ie, the 7 most significant bits of x). These bits can be saved for extension of the reputation system. (For example, the age of the reputation score can be communicated to the original queryer.)
FIG. 8 depicts a system for handling transmissions received over the network 440 at 430. A transmission may be many different types of communications (e.g., an e-mail message sent from one or more messaging entities 450). System 430 uses a filtering system 460 to assist in processing communications from messaging entity 450. Filtering system 460 examines characteristics associated with communications from messaging entity 450 and, based on the investigation, actions related to communications are taken. For example, the communication may be determined to be legitimate, so the communication is not filtered by the filtering system 460 and is instead provided to the receiving system 70 for delivery to the intended recipient.

In order to increase the accuracy of proper classification of messages (eg, as spam or legitimate), the filtering system 460 may be configured by a message profiler program 500 as shown in FIG. Message profiler 500 uses a plurality of message classification techniques, or filters 510, to classify messages as shown in FIG. An exemplary message classification technique or filter 510 in which the message profiler 500 may be used is:
Reverse DNS (Reverse DNS (RDNS))-a classification technique, where (1) the domain exists in the DNS system of the sender's IP address and (2) if such a domain exists Perform a reverse domain name service (DNS) lookup based on the sender IP address of the message to check if the domain is compatible with the domain that the sender requires to send the message. Classification method.
Real-time Black-hole List (RBL) —a classification technique that checks whether an IP address is not identified as an IP address that is likely to send unnecessary messages to any RBLs For this purpose, a classification technique that queries one or more real-time black hole lists (RBLs) based on the sender IP address of the message.
Reputation Server-a classification technique, based on the sender's IP address and / or the sender's domain name and other message sender characteristics to receive a score describing the sender's reputation A classification method that queries one or more reputation servers.
Signature / fingerprinting-based analysis (e.g., Statistical Lookup Service (SLS))-a classification technique that calculates a hash of a message, and the calculated hash of the message is A classification technique that queries a centralized statistical lookup service (SLS) to determine how often it is seen in recent mail flows.
• Message Header Analysis Classification Technique-As an example, this technique may include System Defined Header Analysis (SDHA), User Defined Header Analysis (UDHA), etc.
System Defined Header Analysis (SDHA)-a set of classification techniques that examine messages and the message headers tend to identify possibly unwanted senders of messages. A set that identifies whether to exhibit characteristics defined for a particular system.
User Defined Header Analysis (UDHA)-a set of classification techniques, in which messages are examined and the message headers tend to identify possibly unwanted message senders A set that identifies whether to show characteristics defined for the system.
• Sender Authentication-a set of classification methods, where (1) the sender's requested domain publishes a record of the mail server authorized to send mail to that domain And (2) if such a record is published, to determine whether the record authorizes the sender's IP address for sending mail on behalf of the requested domain A set that performs a lookup. Examples of commonly used Sender Authentication techniques include Sender Policy Framework (SPF) and SenderID.
Bayesian filtering—a statistical classification technique that estimates the combination of conditional probabilities that a message is classified into a particular category based on a set of text tokens (words) in the message. A method to calculate
Content Filtering—a classification technique that searches message content with words associated with a certain message category.
Clustering Classification—A classification technique based on measuring similarity among characteristics, where communications are clustered into such groups as desirable, undesirable (eg, spam), etc. Clustering is performed so that the similarity within a group is high and the similarity between groups is low.
The list is not intended to be exhaustive and can be adapted to include other approaches if other approaches are discovered. Some of the listings constitute a single approach, while others constitute a combined set of many similar or closely related approaches. When multiple techniques are described jointly, the message profiler 500 recognizes that each technique has its own confidence value.

  Message profiler 500 classifies messages using a threshold-based approach. Each of the classification techniques 510 is used by a message profiler 500 that has an associated confidence value 520. If the message reaches profiling, the message profiler 500 iterates through the classification techniques, allowing each technique to attempt to classify the message. The result of each classification is a decimal value in the range [0, 1]. After iterating through each classification technique, the message profiler 500 has the following formula:

を用いてメッセージにおけるスコアを算出する。ここで、ＳＶ_ｉは分類手法ｉに関連する信頼値、Ｃ_ｉは分類手法ｉにより生成された［０，１］における分類値である。

Is used to calculate the score in the message. Here, SV _i is a confidence value related to the classification method i, and C _i is a classification value in [0, 1] generated by the classification method i.

  In a classification technique with a non-linear scoring function, the following equation can be used:

ここで、ＳＶ_１ｉおよびＳＶ_２ｉは、分類手法ｉに関連する信頼値であり、Ｃ_ｉは、分類手法ｉにより生成された［０，１］における分類値である。

Here, SV _1i and SV _2i are confidence values related to the classification method i, and C _i is a classification value in [0, 1] generated by the classification method i.

  If the message score exceeds a certain threshold T, determined at 520, then the message is declared to belong to the first defined category. If the message score is below the threshold, it is declared to belong to the opposite category. The system can then take appropriate action based on the threshold reached by the message score (e.g., quarantine the message, drop the message (i.e. without delivering as shown at 530) Message), rewriting the subject of the message to include a specific string (eg, “SUSPECTED SPAM”), the message is encrypted by the encryption engine for secure delivery And so on). The system may also allow multiple thresholds to be identified and different behavior or different behaviors applied at each threshold, which increases the message profiler 500's increased confidence in the classification results. Means.

The effectiveness and accuracy of the message profiler 500 depends on several factors (eg, SV _i associated with the classification technique 510, or a set of confidence values 520 of SV _1i / SV _2i ). A tunable message classification scheme, along with an optimal set of values, can be used to generate a set of associated thresholds and actions, which can be used for classification techniques that operate on constantly changing message flow patterns. It can be generated periodically to keep the message profiler 500 updated with up-to-date protection against frequent changes in the distribution of scores. Thus, the message profiler configuration is a vector (SV ₁ , SV ₂ ,..., SV _N ).
(Vectors represent the confidence values of all N classification methods). As shown in FIG. 10, the message classification tuner program 600 performs a profiler search by performing a probabilistic search through a vector space of all possible vectors and at preselected thresholds. Message profiler 500 may be configured to tune by identifying a vector that maximizes the accuracy of filtering. Tuner 600 uses a different approach to do this (eg, uses a heuristic approach 610).

  FIG. 11 illustrates a tuner that uses a heuristic approach known as a genetic algorithm for performing a vector space search. The concept behind genetic algorithms derives from evolutionary theory, where genotypes (represented through chromosomes) compete with each other through their phenotypes (represented as biological organisms). Over time, biological evolution produces highly adapted, complex organisms that can survive in an environment for the organism to evolve. Similarly, the genetic algorithm searches through a vector space consisting of candidate solutions to the problem, where each candidate solution is represented as a vector. In many simulated candidate solution generations, genetic algorithms gradually evolve toward solutions that are increasingly well adapted to the problem.

  Over time, the ability of a genetic algorithm to evolve a good solution to a problem depends on the existence of an accurate mechanism for assessing the relative fitness level of a candidate solution compared to other candidate solutions. Thus, the genetic algorithm 650 is designed with a fitness function 660 that accurately models the fitness of the candidate solution in the domain of the actual problem.

  The following is the message profiler 500:

の最適化のために使用され得るフィットネス関数６６０である。関数における項の定義は以下のようになる：
Ｎ_ＣＡＴ１＝第１のカテゴリに所属するデータセット全体からのメッセージベクトルの数
Ｎ_ＣＡＴ２＝第２のカテゴリに所属するデータセット全体からのメッセージベクトルの数
Ｃ＝第２のカテゴリからの誤った分類をされたメッセージのための定数乗数
Ｓ_{ＣＡＴ１＿ＭＩＫＳＴＡＫＥｉ}＝他のカテゴリに所属するように誤った分類をされた第１のメッセージカテゴリからのメッセージベクトルｉのメッセージプロファイラスコア
Ｓ_{ＣＡＴ２＿ＭＩＳＴＡＫＥｉ}＝他のカテゴリに所属するように誤った分類をされた第２のメッセージカテゴリからのメッセージベクトルｉのメッセージプロファイラスコア
Ｔ＝メッセージプロファイラの数値しきい値で、しきい値を超えると、メッセージは第１のカテゴリに所属すると考慮される
関数は、構成が先に分類されたデータのセットにおけるメッセージベクトルを正確に分類しようとしてなされた、誤りに関連するコストを表現する。従って、低いフィットネス値は、遺伝的アルゴリズムの目的のために良く考慮される。関数における第１項は、第２のカテゴリに所属するように誤った分類をされた、第１のカテゴリからのメッセージに関連するコストを表現し（例えば、正当であると分類された望ましくないメッセージ、別名偽陰性（ｆａｌｓｅ ｎｅｇａｔｉｖｅ））、第２項は、第１のカテゴリに所属するように誤った分類をされた、第２のカテゴリからのメッセージに関連するコストを表現する（例えば、望ましくないと分類された正当なメッセージ、別名偽陽性（ｆａｌｓｅ ｐｏｓｉｔｉｖｅ））。総和は点の総数を表し、総和により、構成はメッセージベクトルを分類しようとする場合に誤りを生じた。直観的に、各々の項は、本質的に、分類エラーの平均の周波数と、分類エラーの平均の大きさ双方の表現である。第２項は定数Ｃを掛けられていることに注意されたい。この定数（２０という値にセットされ得る）は、一方のカテゴリからのメッセージの誤った分類の、反対のカテゴリからのメッセージの誤った分類に関連する、相対的なコストを表す。Ｃを２０にセットすることによって、これは、第２のカテゴリからのメッセージ上の分類の誤りが、第２のカテゴリからの誤りよりも２０倍費用のかかることを指示する。例えば、メッセージプロファイラ５００が、望ましい、および望ましくないメールの分類に使用される場合には、第１のカテゴリは望ましくないメール（例えば、スパム）を表し得、第２のカテゴリは正当なメッセージを表し得る。次いで、上記の関数は正当なメッセージの誤った分類（偽陽性）を、望ましくないメッセージの誤った分類（偽陰性）に比べ２０倍費用がかかると判断し得る。これは、偽陽性が偽陰性よりもかなり高いリスクを保有するような、反スパムコミュニティにおける現実世界の観点を反映する。メッセージプロファイラ５００が、ポリシーのコンプライアンスに関連する分類のために使用される場合には、偽陽性は、敏感な情報を含むが、メッセージプロファイラ５００によって、それ自体としてはラベルされず、結果として、組織がその特定のカテゴリに適用されるように選ばれ得るようなポリシーを回避させられるようなメッセージである。

Is a fitness function 660 that may be used for optimization of The definition of a term in a function is as follows:
N _CAT1 = number of message vectors from the entire data set belonging to the first category N _CAT2 = number of message vectors from the entire data set belonging to the second category C = incorrect classification from the second category Constant multiplier S _{CAT1_MIKSTAKEi} for the message that has been classified = message profiler score S _{CAT2_MISTAKEi} = message vector i from the first message category _{misclassified} to belong to another category Message profiler score for message vector i from the misclassified second message category T = numeric threshold of message profiler, above which the message is considered to belong to the first category the function is Configuration is made the message vector in the set of data classified previously trying correctly classified, representing the costs associated with the error. Thus, low fitness values are well considered for genetic algorithm purposes. The first term in the function represents the cost associated with a message from the first category that was misclassified to belong to the second category (eg, an undesired message classified as legitimate) , Aka false negative), the second term represents the costs associated with messages from the second category that were misclassified to belong to the first category (eg, undesirable) Legitimate messages categorized as, also known as false positive). The sum represents the total number of points, and due to the sum, the configuration made an error when trying to classify the message vector. Intuitively, each term is essentially a representation of both the average frequency of classification errors and the average magnitude of classification errors. Note that the second term is multiplied by a constant C. This constant (which can be set to a value of 20) represents the relative cost associated with misclassifying messages from one category and misclassifying messages from the opposite category. By setting C to 20, this indicates that classification errors on messages from the second category are 20 times more expensive than errors from the second category. For example, if message profiler 500 is used to classify desirable and undesirable mail, the first category may represent unwanted mail (eg, spam) and the second category represents legitimate messages. obtain. The above function may then determine that a false classification of a legitimate message (false positive) is 20 times more expensive than a false classification of an unwanted message (false negative). This reflects a real-world view in the anti-spam community where false positives carry a significantly higher risk than false negatives. If the message profiler 500 is used for classification related to policy compliance, false positives contain sensitive information but are not labeled as such by the message profiler 500, resulting in organizational Is a message that allows a policy that can be chosen to apply to that particular category.

  FIG. 12 depicts an operational scenario in which a message profiler can be used. Referring to FIG. 12, the operational scenario includes receiving, at step 710, a communication sent from the messaging entity over the network. Multiple message classification techniques are then used at 710 to classify the communication. Each of the message classification techniques is associated with a confidence value, which is used in collecting the message classification output from the message classification technique. The output of each classification can be a numeric value, a textual value, or a category value. The message classification outputs are combined at step 720 to generate a message profiler score at step 730. The message profiler score is used in step 740 to determine what action should be taken for communications associated with the messaging entity.

As with other process flows described herein, it is understood that the processing and processing instructions can be changed, changed, and / or augmented, and still achieve desirable results. For example, a message profiler can be configured in an operational scenario that recognizes that there is a single approach that cannot properly classify messages into two distinct categories (eg, desirable (legitimate) and desirable No (spam, phishing, virus, etc.) distinction between message communications, or determination of whether a message complies with specific organizational policies, laws, or regulations). In this operating scenario, such a configured message profiler is:
1. The results of many message classification techniques can be used to aggregate classifications (eg, “desirable” or “legitimate”, “HIPPA compliant”, “a priori” without specifying which classification technique is used). GLBA violations, “HR policy violations” etc.) can be designed to provide a framework for combining,
2. From the classification logic of the classification technique, the importance of each classification technique (expressed as a contribution to the total classification) so that the level of importance of the technique can be adjusted to reflect the change in accuracy over time Can be designed to decouple,
3. Through the mechanism, the relative importance of each of the classification methods within the framework so that the framework can be adjusted to use this information to achieve a very accurate ratio in the total of the classification And can be designed to provide a mechanism to describe the correlation of their individual accuracy,
4). Designed to provide a mechanism for discovering the relative importance of each of the classification methods within the framework, through the mechanism, so that the framework can be tuned for maximum classification accuracy in an environment. obtain.
Further, the message profiler can be configured to operate in other operating scenarios. For example, FIG. 13 depicts a message profiler that is adapted to operate with adaptive message blocking and whitelisting. Referring to FIG. 13, in addition to the classification of individual messages, the aggregated result of the message profiler program 500 also determines the sender of the message at 820 based on the distribution of the message profiler scores that those messages are receiving. Used to classify. Specific time frame (e.g., hours, days, weeks) during an average score of messages received from a particular sender (for example, IP) is greater than specific threshold T _U, the score distribution than ST _U May have a small standard deviation, the sender may be classified as “bad” (the information is stored in the data store 840). Process 800 then uses the data from data store 840 to determine that all messages and connections originating from such senders can be dropped at 810 without processing in the next X time. To do. On the other hand, if the average score is less than or equal to the threshold _TL having a standard deviation smaller than ST _L , the sender may be considered valid (the information is stored in the data storage device 830). The message from that sender causes the process 800 to bypass certain filtering techniques (eg, message profiler 500 filtering) that cause significant processing overhead, network overhead, or storage overhead in filtering 460. obtain.

  The message profiler may also be used in connection with adaptive training of endo and exo filtering systems. By using the sender classification system and method described herein, the message profiler can be used to train various filtering techniques used within the profile and others that are completely outside the profile. It can be used as well. Such techniques replace Bayesian, Support Vector Machine (SVM), and other statistical stationary filtering techniques with sign-based techniques (eg, Statistical Lookup Service (SLS) and message clustering type techniques). As well as. A training strategy in such an approach may use a set of classified, legitimate and undesirable messages, based on the sender's reputation specified from the total score of messages from such senders. May be provided by a message profiler. Messages from senders classified as unreputable may be provided to the filtering system trainer as undesirable, and the desired messages are obtained from streams sent by legitimate senders.

  As described above, the message profiler 500 may use a reputation-based approach as one classification technique. FIG. 14 depicts a reputation system that may be used by the filtering system 460 in handling transmissions received over the network 440 from the messaging entity 450 at 900. More specifically, the filtering system 460 uses the reputation system 900 to assist in determining (at least in part) what filtering actions (if any) should be taken on the messaging entity's communication. For example, it can be determined that the communication is from a reputable source, and as a result, the communication is not filtered.

  Filtering system 460 identifies the sender of the communication received at 950 and provides that identification information to reputation system 900. The reputation system 900 evaluates the reputation of the queried sender's identity by calculating the probability that the messaging entity exhibits certain characteristics. The overall reputation score is determined based on the calculated probability and provided to the filtering system 460. Reputation scores can be numeric in value, textual, and categorical.

  The filtering system 460 determines at 952 what action should be taken in the sender's communication. Filtering system 460 may use the reputation score from reputation system 900 as a message classification filter, which is multiplied by its respective adjusted confidence value and then aggregated with other message classification filter results.

The reputation system can be configured in many different ways to assist the filtering system. For example, FIG. 15 depicts a reputation system 900 that is configured to calculate a reputation score. System configuration 1000 may be established by identifying binary testable criteria 1002, which may be a strong discriminator between good and bad senders. P (NR | C _i ) can be defined as the probability that a sender is not reputable if it follows quality / criteria C _i , and P (R | C _i ) is quality / criteria If C _i is followed, it can be defined as a function that the sender is reputable.

For each quality / criteria C _i , periodic (eg, daily, weekly, monthly, etc.) sampling exercises are performed to recalculate P (NR | C _i ). obtain. The sampling exercise may include selecting a random sample set S of sender N that is known to have a quality / criterion C _{i that} is true. The senders in the sample are then sorted into one of the following sets: reputable (R), not reputable (NR), or unknown (U). N _R is the number of the sender in the sample is reputable sender, N _NR is the sender number of the sender reputation is not good, and the like. P (NR | C _i ) and P (R | C _i ) can then be represented by the formula:

を用いて推定される。この目的において、Ｎ＝３０は、各々の質／判定基準Ｃ_ｉにおいてＰ（ＮＲ｜Ｃ_ｉ）およびＰ（Ｒ｜Ｃ_ｉ）の正確な推定を達成するためには大きすぎるサンプルサイズであることが決定された。

Is used to estimate. For this purpose, N = 30 is a sample size that is too large to achieve an accurate estimate of P (NR | C _i ) and P (R | C _i ) at each quality / criteria C _i Was decided.

After calculating P (NR | C _i ) and P (R | C _i ) for all criteria, the calculated probability is the sum of the unreputable probabilities P _NR 1004 for each sender in the reputation space. , And the sum of the probable sender probabilities P _R 1006. These probabilities are given by the formula:

を用いて計算され得る。実験においては、上記の式は広範囲の入力判定基準の組み合わせの非常に良い挙動を見せ、実際には、それらの挙動は、入力判定基準の「評判が良くない」および「評判が良い」挙動の条件付き確率の単純な（ｎａｉｖｅ）結合を正確に算出するための式の挙動に類似するように見える。

Can be calculated using In experiments, the above formulas show very good behavior for a wide range of input criteria combinations, and in fact, those behaviors are similar to those of the input criteria “not-reputable” and “reputable” behavior. It appears to be similar to the behavior of the formula for accurately calculating the naive combination of conditional probabilities.

For each sender, after calculating the P _NR and P _R, the reputation score is below the reputation function for that sender:

を用いて計算される。異なる関数が、評判スコアのデタミネータ１００８として振舞い得、関数の表現に加えて、多くの異なる形式で表現され得ることが理解される。実例として、図１６は、１１００において評判スコアを決定するための表形式を描いている。表は、Ｐ_ＮＲおよびＰ_Ｒの値に基づいて、それらが０．０〜１．０の間で変動する場合に、上記の関数により生成される評判スコアを示している。例えば、１１１０に示されているように、５３という評判スコアはＰ_ＮＲ＝０．９およびＰ_Ｒ＝０．２の組み合わせにおいて取得される。この評判スコアは、センダが、評判が良いと考慮されない、比較的高い指標である。０という評判スコアは、Ｐ_ＮＲおよびＰ_Ｒが同一である場合に取得される（例えば、１１２０において示されるように、Ｐ_ＮＲ＝０．７およびＰ_Ｒ＝０．７の場合には、評判スコアが０になる）。評判スコアは、Ｐ_ＲがＰ_ＮＲよりも大きい場合に決定される、センダが比較的評判が良いことを指示するための負の値を有し得る。例えば、１１３０に示されるように、Ｐ_ＮＲ＝０．５およびＰ_Ｒ＝０．８の場合には、評判スコアは−１２である。

Is calculated using It is understood that different functions can behave as reputation score determinators 1008 and can be expressed in many different forms in addition to the function representation. Illustratively, FIG. 16 depicts a tabular format for determining a reputation score at 1100. Table, based on the value of P _NR and P _R, if they vary between 0.0 and 1.0 shows a reputation score generated by the above function. For example, as shown at 1110, a reputation score of 53 is obtained in a combination of P _NR = 0.9 and P _R = 0.2. This reputation score is a relatively high indicator that the sender is not considered good reputation. Reputation score of 0 _is obtained when _{P NR} and _{P R} are the same (e.g., as shown in _1120, when the P NR = 0.7 and _P R = 0.7, the reputation score Becomes 0). Reputation score, P _R is determined is larger than P _NR, it may have a negative value to indicate that the sender is relatively reputable. For example, as shown at 1130, if P _NR = 0.5 and P _R = 0.8, the reputation score is -12.

  Many different types of criteria can be used in the processing of reputation system sender communications (eg, using non-reputable and reputable criteria to determine reputation scores). An example of such a criterion is disclosed in US Provisional Patent Application No. 60 / 625,507, filed Nov. 5, 2004 and entitled “CLASSIFICATION OF MESSAGING ENTITIES”.

  The systems and methods disclosed herein are shown by way of example only and are not meant to limit the scope of the invention. Other variations of the systems and methods described above will be apparent to those skilled in the art and are considered to be within the scope of the invention itself. For example, the systems and methods may be configured to handle many different types of communications (eg, legitimate messages, or unwanted communications, or communications that violate preselected policies). Illustratively, unwanted communications can include spam or virus communications, and preselected policies can include corporate communications policies, messaging policies, legal or regulatory policies, or international communications policies.

  As another broad example and variation of the systems and methods disclosed herein, the systems and methods can be implemented on various types of computer architectures (eg, on different types of networked environments). . Illustratively, FIG. 17 depicts a server access architecture, in which the disclosed system and method can be used (eg, as shown at 1330 in FIG. 17). The architecture in this example comprises an enterprise local network 1290 and various computer systems within the local network 1290. These systems include application servers 1220 (eg, web servers and email servers), user workstations (eg, email readers and web browsers) that run local clients 1230, and data storage devices 1210 (eg, database and network connections). Disc). These systems communicate with each other through a local communication network (e.g., Ethernet (registered trademark) 1250). A firewall system 1240 is provided between the local communication network and the Internet 1260. An external server host 1270 and an external client 1280 are connected to the Internet 1260. The present disclosure may be any type of network, including but not limited to the Internet, wireless networks, wide area networks, local area networks, and combinations thereof, to facilitate communication between components. Understood.

  The local client 1230 may access the application server 1220 and the shared data storage device 1210 through a local communication network. The external client 1280 can access the external application server 1270 through the Internet 1260. In an example where the local server 1220 or the local client 1230 needs access to the external server 1270, or an example where the external client 1280 or the external server 1270 needs access to the local server 1220, Electronic communication in the appropriate protocol flows through the “always open” port of the firewall system 1240.

  The system 1330 described herein may be located on a hardware device or one or more servers connected to a local communications network, such as Ethernet 1280, including a firewall system 1240, a local server 1220, and It can be logically inserted between the local client 1230. Electronic communications associated with applications that enter or leave the local communications network through firewall system 1240 are routed to system 1330.

  In the example of FIG. 17, system 1330 may be configured as part of a threat management system to store and process reputation data for a large number of senders. This may cause the threat management system to make an informed decision on whether to allow or block email (e-mail).

  System 1330 can be used to handle many different types of email, and can be used to handle a variety of protocols used for email transmission, delivery and processing, including SMTP and POP3. . These protocols each mean a standard for communicating email messages between servers, and a standard for server client communication associated with email messages. These protocols are each defined in particular in RFC (Request for Comments) popularized by the IETF (Internet Engineering Task Force). The SMTP protocol is defined in RFC1221, and the POP3 protocol is defined in RFC1939.

  Since the start of these standards, various needs have evolved in the field of email, leading to the development of further standards, including enhancements or additional protocols. For example, various enhancements have evolved the SMTP standard, leading to the evolution of extended SMTP. Examples of expansion can be found below. (1) RFC1869. RFC 1869 defines a framework for extending SMTP services by defining means (so that the server SMTP can inform the client SMTP about the service extensions it supports). (2) RFC 1891 that defines the extension of the SMTP service. This is because (a) a delivery status notification is generated under certain circumstances, (b) whether such notification returns the content of the message, and (c) the DSN issues Allows the SMTP client to clarify both the recipients to be sent and the additional information returned with the DSN that identifies the sender to the transaction in which the original message was delivered.

  In addition, the IMAP protocol has evolved as an alternative to POP3 to support further interaction between email servers and clients. This protocol is described in RFC 2060.

  Other communication mechanisms are also widely used on networks. These communication mechanisms include, but are not limited to, Voice over IP (VoIP (Voice Over IP)) and instant messaging. VoIP is used in IP telephony to provide a set of functions for handling the delivery of voice information using the Internet Protocol (IP). Instant messaging is a communication type that includes a client that connects to an instant messaging service that delivers communications (eg, conversations) in real time.

  As the Internet has become more widely used, it has also created new troubles for users. In particular, the amount of spam received by individual users has increased dramatically over the past few years. Spam as used herein refers to receiving any communication not requested or desired by the recipient. The systems and methods may be configured to address these types of unsolicited or undesired communications as disclosed herein. This can be useful in spamming emails in consuming corporate resources and impacting productivity.

  The systems and methods disclosed herein are for networks (eg, local area networks, wide area networks, the Internet, etc.), fiber optic media, carrier waves, wireless networks for communication with one or more data processing devices. The data signal transmitted through the above may be used. A data signal may carry any or all data published, provided to, or provided from a device.

  Further, the methods and systems described herein may be implemented on many different types of processing devices with program code that includes program instructions executable by one or more processors. Software program instructions may include source code, object code, machine code, or any other stored data operable to cause a processing system to perform the methods described herein.

  System and method data (eg, association, mapping, etc.) can be stored in different types of storage devices and programming structures (eg, data storage, RAM, ROM, flash memory, single layer files, databases, programming data structures, It can be stored and implemented in one or more different types of computer-implemented methods, such as programming variables, IF-THEN (or similar types of statement structures, etc.). Note that a data structure describes a format for use in organizing and storing data in a database, program, memory or other computer-readable medium for use by a computer program.

  The system and method includes a computer storage mechanism (eg, a CD-ROM, including instructions used in execution by a processor to perform the operations of the method and to implement the system described herein. Many different types of computer readable media may be provided, including diskettes, RAM, flash memory, computer hard drives, etc.

  The computer components, software modules, functions, and data structures described herein may be directly or indirectly connected to each other to allow the flow of data required for their operation. obtain. A software instruction or module can be, for example, as a subroutine unit of code, as a software functional unit of code, as an object (in the case of an object-oriented paradigm), as an applet, in a computer script language, as another type of computer code or firmware Note also that it can be implemented. Software components and / or functionality may be located on a single device and distributed across multiple devices depending on the immediate situation.

  As used throughout this specification and the appended claims, the meanings of “a”, “an” and “the” are clearly indicated otherwise in the context. Except where otherwise, it is understood to include multiple references. Also, as used throughout the description and the appended claims, the meaning of “in” means “in” and “above” unless the context clearly dictates otherwise. Including ". Finally, as used throughout this specification and the appended claims, the meanings of “and” and “or” are expressly used in conjunction and conjunction unless the context clearly dictates otherwise. It can be used interchangeably, including both conjunctions. The phrase “exclusive or” can be used to indicate a situation where only the meaning of paradoxical conjunctions can be applied.

FIG. 1 is a block diagram depicting a system for handling transmissions received over a network. FIG. 2 is a block diagram depicting a reputation system that is configured to determine a reputation score. FIG. 3 is a table depicting reputation scores at various calculated probability values. FIG. 4 is a graph depicting reputation scores at various calculated probability values. FIG. 5 is a flowchart depicting an operational scenario for generating a reputation score. FIG. 6 is a block diagram depicting the use of bad reputation criteria and good reputation criteria to determine a reputation score. FIG. 7 is a block diagram depicting a reputation system configured to respond to a return value that includes a sender's reputation score. FIG. 8 is a block diagram depicting a system for handling transmissions received over a network. FIG. 9 is a block diagram depicting a filtering system having a message profiler program. FIG. 10 is a block diagram depicting a message classification tuner program. FIG. 11 is a block diagram depicting the use of a genetic algorithm as a message classification tuner program. FIG. 12 is a flowchart depicting an operational scenario in which a message profiler is used. FIG. 13 is a block diagram depicting a message profiler adapted to operate with adaptive message blocking and white listing. FIG. 14 is a block diagram depicting a reputation system for handling transmissions received over a network. FIG. 15 is a block diagram depicting a reputation system that is configured to determine a reputation score. FIG. 16 is a table depicting reputation scores at various calculated probability values. FIG. 17 is a block diagram depicting a server access architecture.

Claims (39)

A method operating on one or more data processors for specifying a reputation for a messaging entity, the method comprising:
Receiving data identifying one or more characteristics associated with communication of the messaging entity;
Determining a reputation score based on the received identification data;
The determined reputation score indicates the reputation of the messaging entity;
The method, wherein the determined reputation score is used to determine what action should be taken for communications associated with the messaging entity. The method of claim 1, wherein the determined reputation score is distributed to one or more computer systems used for transmission filtering. The method of claim 1, wherein the determined reputation score is locally distributed to programs used for transmission filtering. The method of claim 1, wherein the method comprises:
Determining a probability of indicating a reputation based on the received identification data;
The probability of indicating a reputation is based on a range in which the identified one or more communication characteristics indicate a criterion associated with one or more reputations, or are subject to a criterion associated with one or more reputations. Indicate the reputation of the messaging entity,
Determining the reputation score includes determining the reputation score based on a sum of the determined probabilities. The method of claim 1, wherein the method comprises:
Identifying a set of criteria used to discriminate between a reputable category and an unreputable category, the criteria comprising an unreputable criterion and a reputable criterion Including,
Using statistical sampling to estimate the conditional probability that the messaging entity displays each criterion;
Further comprising calculating a reputation for each messaging entity,
The calculating step includes:
Assuming the messaging entity indicates or obeys the set of criteria, the messaging entity calculates an estimate of the conditional probability combination that is reputable, and each such criteria A messaging entity that indicates or follows is calculated by calculating the individual conditional probabilities that it is actually a reputable messaging entity; ,
Assuming that the messaging entity indicates or obeys the set of criteria, it computes an estimate of the combination of conditional probabilities that the messaging entity is not reputable, and each such decision By calculating the individual conditional probabilities that a messaging entity that indicates or follows a criterion is actually a messaging entity that is not well-reputed, it calculates the probability that the messaging entity is eligible for a negative reputation To do
Calculating a reputation at the messaging entity by applying a function to the probability. 6. The method of claim 5, wherein the reputation of each messaging entity is encoded in a 32-bit dotted decimal IP address format, the method comprising:
Creating a domain name server (DNS) zone that includes the reputation of all messaging entities in the world of messaging entities;
Distributing the reputation of a messaging entity to one or more computer systems through the DNS protocol, wherein the one or more computer systems utilize the reputation in their operations; Method. 6. The method of claim 5, wherein the set of criteria is a group:
Average spam profiler score, reverse domain name server lookup failer, membership in one or more real-time blacklists (RBLs), email volume, email burstiness, email brados, geography Location, malware activity, address type, classless inter-domain routing (CIDR) block containing numerous Internet protocol addresses identified as sending spam, user complaint rate, and honeypot discovery Selected from the following: proportions, proportions of undeliverable transmissions identified as complying with transmission behavior laws, rules and established standards, continuity of operation, and response to recipient demand. The method that is the criterion. 6. The method of claim 5, wherein the function used to encode the reputation of the messaging entity for a 32-bit dotted decimal IP address is:

Is that way. The method of claim 1, wherein the method comprises:
Determining a probability of indicating a reputation based on the received identification data;
The probability of indicating a reputation is based on a range in which the identified one or more communication characteristics indicate a criterion associated with one or more reputations, or are subject to a criterion associated with one or more reputations. Indicate the reputation of the messaging entity,
Determining the reputation score includes determining the reputation score based on a sum of the determined probabilities;
The reputation score is determined based on applying the aggregate of the determined probabilities to a function;
The function is a function of each of the probabilities, wherein the messaging entity indicates a criterion related to reputation. A transmission filtering method using a transmission sender reputation score, the method comprising:
Identifying at least one characteristic of the transmission from the sender;
Making a real-time query against the reputation system including the transmission characteristics;
Receiving a score representing a reputation associated with the transmission;
Performing an action corresponding to the score range of the sender's reputation on a transmission from the sender. 11. The method of claim 10, wherein the behavior is the following behavior:
Reject all further transmissions from the sender for a preset period or number of transmissions and silently drop all further transmissions from the sender for a preset period or number of transmissions Isolating all further transmissions from the sender for a preset period or number of transmissions, and for all further transmissions from the sender for a preset period or number of transmissions, A method comprising at least one of bypassing a particular filtering test. 11. The method of claim 10, wherein identifying the at least one characteristic comprises extracting unique identification information for the transmission, or authenticating unique identification information for the transmission, or A method comprising a combination of these. A method of filtering a group of transmissions using a transmission sender's reputation score, the method comprising:
Grouping multiple transmissions together based on content similarity or similarity in transmission sender behavior;
Identifying at least one characteristic for each transmission in the grouping;
Querying the reputation system and receiving a score indicating the reputation of each sender;
Categorizing the group of transmissions based on the percentage of reputable and unreputable senders in the group. 14. The method of claim 13, wherein identifying the at least one characteristic includes extracting unique identification information for the transmission, or authenticating unique identification information for the transmission, or A method comprising a combination of these. A method for adjusting and training a filtering system utilizing a transmission sender's reputation score in a trainable transmission set, the method comprising:
Identifying at least one characteristic of the transmission from the sender;
Query the reputation system and receive a score representing the reputation of the sender;
Classify transmissions into multiple categories based on the extent to which sender reputation scores are classified,
Passing the transmission and transmission classification category to another filtering system trainer to be used for optimization of the filtering system. 16. The method of claim 15, wherein identifying the at least one characteristic includes extracting unique identification information for the transmission, or authenticating unique identification information for the transmission, or A method comprising a combination thereof. A method operating on one or more data processors to classify communications from a messaging entity, comprising:
Receiving communications from a messaging entity;
Using multiple message classification techniques to classify the communication;
Combining the message classification output to generate a message profile score,
The method wherein the message profile score is used to determine what action is taken for the communication associated with the messaging entity. 18. The method of claim 17, wherein the communication is an email message or VoIP communication, or an instant message communication. 18. The method of claim 17, wherein the communication is a legitimate email message, or a communication that violates spam, virus, or corporate policy. 18. The method of claim 17, wherein the message classification technique is a group:
Reverse DNS (RDNS) classification method, real-time black hole list (RBL) classification method, reputation server classification method, signature-based classification method, fingerprint-based classification method, message header analysis classification method, set of sender authentication classification methods, Bayesian A method comprising at least two techniques selected from a filtering statistical classification technique, a clustering classification technique, and a content filtering classification technique. The method of claim 17, wherein each message classification technique is associated with a confidence value used to generate a message classification output from the message classification technique. The method of claim 21, wherein a filter value from each of the classification techniques is multiplied by its associated confidence value to generate the message classification output. 23. The method of claim 22, wherein the message profile score is

Where SV _i is a confidence value associated with classification technique i and C _i is the output of the classification technique generated by classification technique i. 23. The method of claim 22, wherein the message profile score is

Where SV _1i and SV _2i are confidence values associated with classification technique i and C _i is the output of the classification technique generated by classification technique i. 18. The method of claim 17, wherein at least one of the message classification techniques includes a reputation scoring technique; the reputation scoring technique assigns a reputation probability to a messaging entity; and indicates the reputation Based on the extent to which the identified one or more communication characteristics indicate a criterion associated with one or more reputations or comply with a criterion associated with one or more reputations. A way of indicating reputation. A system operating on one or more data processors to classify communications from a messaging entity,
A plurality of message classification techniques, wherein the plurality of message classification techniques are configured to classify communications received from a messaging entity;
Message profiling logic configured to combine the output of the message classifications to generate a message profile score;
With
The method wherein the message profile score is used to determine what action should be taken for the communication associated with the messaging entity. 27. The system of claim 26, wherein the communication is a legitimate message, or an unwanted communication, or a communication that violates a preselected policy;
The unwanted communications include spam or virus communications,
The preselected policy comprises a corporate communications policy, a messaging policy, a law or regulation policy, or an international communications policy. 27. The system of claim 26, wherein each message classification technique is associated with a confidence value used to generate a message classification output from the message classification technique,
The filter value from each of the classification techniques is multiplied by its associated confidence value to produce the message classification output. 30. The system of claim 28, wherein a tuner program is used to adjust the confidence value associated with the message classification technique. 30. The system of claim 29, wherein the tuner program uses a heuristic approach to adjust the confidence value. 30. The system of claim 29, wherein the tuner program uses a genetic algorithm to adjust the confidence value;
The genetic algorithm is designed with a fitness function that models the fitness of the candidate solution in the actual problem domain,
The fitness function represents a cost associated with an error made in attempting to correctly classify a message vector into a preselected set of data. 32. The system of claim 31, wherein the system is configured to operate with adaptive message blocking and white listing. A method operating on one or more data processors for adjusting message classification parameters used by one or more message classification techniques, comprising:
Receiving multiple communications or multiple input data representing multiple communications;
Using a tuner program to adjust the message classification parameters associated with the message classification technique;
Communication is received from the messaging entity,
The adjusted message classification parameter is used by the plurality of message classification techniques to classify the received communication;
Message classification outputs from the plurality of message classifications are combined to generate a message profile score;
The method wherein the message profile score is used to determine what action should be taken for the communication associated with the messaging entity. 34. The method of claim 33, wherein the message classification parameter includes a confidence value. 35. The method of claim 34, wherein the tuner program uses a heuristic approach to adjust the confidence value. 36. The method of claim 35, wherein the tuner program uses a genetic algorithm to adjust the confidence value. 37. The method of claim 36, wherein the genetic algorithm is designed with a fitness function that models the fitness of candidate solutions in the domain in question.
The fitness function represents a cost associated with an error made in attempting to correctly classify a message vector in a set of pre-classified data. 37. The method of claim 36, wherein the fitness function is

And
Where N _CAT1 is the number of message vectors from the entire data set belonging to the first category,
Where N _CAT2 is the number of message vectors from the entire data set belonging to the second category,
Where C is a constant multiplier for messages incorrectly classified from the second category;
Where S _{CAT1_MIKSTAKEi} is the message profiler score for the message vector i from the first message category that has been misclassified to belong to the other category,
Where S _{CAT2_MISTAKEi} is the message profiler score for the message vector i from the second message category that was misclassified to belong to the other category,
Here, T is a message profiler numerical threshold, and if the threshold is exceeded, the message is considered to belong to the first category. 40. The method of claim 36, wherein the method is configured to operate with adaptive message blocking and white listing.

Images