WO2004015954A1 - Server for sending electronics messages - Google Patents
- Publication number: WO2004015954A1 (PCT/GB2003/003468)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- identified
- electronic messages
- server
- user
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/234—Monitoring or handling of messages for tracking messages
Definitions
- the present invention relates to methods of, and apparatus for, controlling propagation of electronic messages through a network, and has particular application in identifying email activity within an organisation.
- Email is the most widely used application because it offers a fast, convenient method of transferring information. Its ability to communicate information quickly, seemingly independent of distance between sender and receiver, is one of the key features that makes email so attractive. Typically, these features can be exploited in a positive manner - e.g. to improve and increase the quality and quantity of business transactions. However, these features can also be exploited in a negative manner - by so-called "viruses" - to cause disruption and even loss of data to the email recipient.
- a virus is a piece of programming code, usually disguised as something else, that causes some unexpected and usually undesirable event, and which is often designed so that it is automatically spread to other computer users.
- the most common transmission means for a virus is by e-mail, usually as an attachment. Some viruses are invoked as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by a computer.
- Known methods applied to virus detection include maintaining a library of known viruses, together with software for searching for these known viruses (e.g. McAfee™ and Dr Solomons™, generally referred to as "anti-viral" software).
- anti-viral software uses the software to scan incoming emails.
- Such software essentially carries out analysis of byte-signatures of files in order to identify files having signatures corresponding to the known viruses.
- a virus is often a minor, yet difficult to predict, modification of previously seen viruses.
- Known methods used to catch such viruses have recently been reviewed in an article, published on the BBC website on 22nd May 2002, entitled "Waging war on computer viruses" (website address at date of filing is http:\\news.bbc.co.uk/1/hi/sci/tech/1999854.stm.
- a website address takes the form of a first part indicating the network delivery mechanism (e.g. http:// or file:// for the hypertext transfer protocol or file transfer protocol respectively) followed by the network address of the server (e.g. www.server1.com) suffixed with the name of the file that is being requested. Note that, in this example, such names are, for typographical reasons, shown with the "//" replaced by "\\").
- a server configured to send outgoing electronic messages on behalf of terminals connected thereto and to deliver incoming electronic messages to the terminals, each terminal being accessed by one or more users.
- the server comprises: receiving means arranged to receive or generate log data relating to one or more traffic characteristics associated with electronic messages; analysing means arranged to analyse the log data in accordance with a criterion, so as to identify those electronic messages that satisfy the criterion; identifying means arranged to identify the destination of the identified electronic messages; and processing means arranged to send a message to each of the identified destinations, requesting suspension of delivery of the identified electronic messages.
- the log data may relate to the volume of data passing at a point along a data path or link in a time interval, in particular the volume of data originating from the same user or location in a time interval.
- the log data relating to a target electronic message may indicate the volume of data or the number of messages originating (or received) from a common user, terminal, router or other topological position within a time interval.
- the log data may indicate the size of a message, as the message size is normally an indication of the minimum amount of data sent by a user in a time interval.
- the time interval is a time interval during which the target message was sent or received.
- the log data may include an indication of the type or format of an electronic message, such that for example the number of messages of a given type or format originating from a user in a time interval at a topological location can be ascertained.
- log data will be understood to include data which can be associated with the content of an electronic message.
- An example of an electronic message is a so-called email.
- Another example of an electronic message is a file, which is stored, for example, on a file server, and which contains a message.
- an electronic message may be data generated by a web browser.
- the analysing means could be arranged to analyse log data for each electronic message sent from a terminal connected to the server, and to identify those that satisfy the criterion.
- An example of the specified criterion is any one, or some, of type of electronic message, size of electronic message and number of electronic messages emanating from a user.
- By type of electronic message, in the context of email, we mean whether the email contains plain text; whether it contains an attachment, and if so, what type of attachment there is; whether there is a URL embedded therein; and where the email originated from, etc.
- the analysing means thus identifies potentially suspicious emails.
- a specified criterion may be met when the log data relating to a target electronic message indicates that a threshold number of electronic messages and/or a threshold data volume originates from a common terminal or user, in a time interval during which the target electronic message was sent. This will allow bursts of data flow which can be associated with the propagation of viruses to be detected, so that the presence of a virus can be inferred.
- the server includes first means arranged to receive a signal identifying whether or not an identified electronic message is related to an electronic message virus.
- This signal could come from, for example, an email virus laboratory; the server could be arranged to send the identified electronic messages to such a laboratory, and receive the results therefrom.
- the server includes second means arranged to receive data indicative of the success or otherwise of the suspension request.
- the second means triggers deletion of the said electronic message. This could involve sending a message to the destinations that have been confirmed to have received a virus, and causing the said server to delete such an electronic message.
- the second means is arranged to trigger operation of identifying means and processing means running on a server corresponding to the destination of the identified electronic message.
- server S1 will monitor the result of the suspension request sent to server S4. If the suspension request sent to email server S4 is unsuccessful, the second means running on server S1 will send a message to email server S4, invoking operation of the identifying means and processing means running thereon, in respect of any emails sent from user U2.
- the second means is arranged to permit delivery of the identified electronic message.
- the second means running on S1 sends a message to server S4, permitting delivery of these emails.
- the above-described servers comprises: receiving means arranged to receive a request to suspend delivery of an identified electronic message; polling means arranged to check whether or not the identified electronic message has been delivered, and if it has not, to block retrieval thereof by a respective terminal connected thereto; wherein, in response to receipt of a said request, the polling means is arranged to check delivery of the identified electronic message, and in the event that it has not been delivered, to block retrieval thereof.
- server S4 would implement this functionality.
- Server S4 would also include deleting means arranged to check whether retrieval of the identified electronic message has been blocked, and, in the event that the identified electronic message is both identified to be a virus and has been blocked, the deleting means deletes it.
- Suspension of delivery can take many forms, and in a preferred arrangement, involves blocking retrieval of an email by user U2.
- Blocking retrieval can be effected by either changing the permissions of these identified emails, so that the user U2 cannot see these emails, or it can be effected by removing the identified emails from the user U2's mailbox.
- When a message is received, permitting delivery, the server S4 either changes the permissions in respect thereof, so that the user U2 can now see the email, or the server moves the email into the user U2's mailbox.
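The suspension exchange between the sending server (S1) and a destination server (S4) described above, as an added Python example that is not code from the patent. The class and method names are hypothetical, blocking is modelled as a per-message flag (the "changing the permissions" variant), and the two messages are constructed.

```python
from dataclasses import dataclass


@dataclass
class Mail:
    msg_id: str
    recipient: str
    delivered: bool = False  # True once the recipient's terminal has retrieved it
    blocked: bool = False    # True while retrieval is suspended


class DestinationServer:
    """Plays the role of S4: holds mailboxes and honours suspension requests."""

    def __init__(self):
        self.store = {}          # msg_id -> Mail
        self.watch_senders = []  # users whose outgoing mail must now be analysed

    def accept(self, mail):
        self.store[mail.msg_id] = mail

    def retrieve(self, msg_id):
        """A user's terminal fetches a message; blocked mail is invisible."""
        mail = self.store.get(msg_id)
        if mail is None or mail.blocked:
            return None
        mail.delivered = True
        return mail

    def suspend(self, msg_id):
        """Polling means: block retrieval only if not yet delivered."""
        mail = self.store.get(msg_id)
        if mail is None or mail.delivered:
            return False  # too late, the suspension request failed
        mail.blocked = True
        return True

    def permit(self, msg_id):
        """Delivery permitted: make the message visible again."""
        if msg_id in self.store:
            self.store[msg_id].blocked = False

    def delete_blocked(self, msg_id):
        """Deleting means: remove a message only if it is currently blocked."""
        mail = self.store.get(msg_id)
        if mail is not None and mail.blocked:
            del self.store[msg_id]
            return True
        return False

    def analyse_sender(self, user):
        """Stand-in for invoking the identifying/processing means for a user."""
        self.watch_senders.append(user)


class OriginServer:
    """Plays the role of S1: requests suspension and acts on the verdict."""

    def __init__(self, destination):
        self.destination = destination
        self.suspended = []  # msg_ids successfully blocked at the destination

    def request_suspension(self, identified):
        """identified: list of (msg_id, recipient) pairs flagged by analysis."""
        outcome = {}
        for msg_id, recipient in identified:
            ok = self.destination.suspend(msg_id)
            outcome[msg_id] = ok
            if ok:
                self.suspended.append(msg_id)
            else:
                # Already retrieved: have the destination analyse mail
                # subsequently sent from that recipient.
                self.destination.analyse_sender(recipient)
        return outcome

    def apply_verdict(self, is_virus):
        """Signal from the virus laboratory: delete or release suspended mail."""
        for msg_id in self.suspended:
            if is_virus:
                self.destination.delete_blocked(msg_id)
            else:
                self.destination.permit(msg_id)
        self.suspended = []


def run_scenario(is_virus):
    s4 = DestinationServer()
    s4.accept(Mail("m1", "U2"))
    s4.accept(Mail("m2", "U3"))
    s4.retrieve("m1")  # U2 opens m1 before any suspension request arrives
    s1 = OriginServer(s4)
    outcome = s1.request_suspension([("m1", "U2"), ("m2", "U3")])
    read_while_blocked = s4.retrieve("m2")
    s1.apply_verdict(is_virus)
    read_after_verdict = s4.retrieve("m2")
    return outcome, read_while_blocked, read_after_verdict, s4.watch_senders, sorted(s4.store)


if __name__ == "__main__":
    print(run_scenario(is_virus=True))
    print(run_scenario(is_virus=False))
```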
- the server is additionally or alternatively provided with the following features: first storage for storing details relating to such electronic messages; further storage for storing a mapping between users and the organisational units to which the users belong, display means for displaying a plurality of images, each representative of an organisational unit; wherein the server is arranged, in use, such that in response to a request for data relating to a user, the first storage is arranged to output data identifying electronic messages emanating from that user; the further storage is arranged to output data identifying which of the organisational units that user belongs to; and, for those electronic messages that are identified to satisfy the criterion, the display means is arranged to insert, on the image corresponding to the identified organisational unit, a visual identifier representative of the volume or type of identified electronic messages.
- the display means is arranged to display a list of users on an associated image, and for each user on the list, to display details of the volume and/or type of identified electronic messages emanating therefrom.
- the display means is arranged to insert a link between the identified organisational unit and the organisational unit corresponding to the identified destination.
- the display means is arranged to display an indication of the success or failure of controlling the spread of a virus.
- the present invention collates and presents email activity as a function of the position, within an organization, of the origin of an email.
- the email activity can be presented graphically, thus providing an enhanced user interface to email data within a company.
- awareness of movement of emails within a company is greatly improved.
- This is an improvement over known email virus identification methods, because it provides a faster way of identifying potential viral damage within, for example, a company intranet.
- client - a requesting program, computer, or user in a client/server relationship
- host - any computer that has two-way access to other computers in a network such as the Internet or an Intranet; a client is a particular type of host.
- Intranet - a private network that is contained within an organisation. It may consist of many interlinked local area networks and also use leased lines in the Wide
- an intranet typically includes connections through one or more gateway computers to the outside Internet.
- the main purpose of an intranet is to share company information and computing resources among employees in the organisation.
- device - any machine that is operable to receive data delivered over a network.
- devices include hosts, clients, routers, switches, and servers.
- Email data - packet data that has emanated from an email application running on a first device en route for an email application running on a second device.
- Email data includes overhead data, which enables the packet to arrive at its destination, and is retrieved from the header part of a packet.
- email data includes at least protocol type, source address of packet, destination address of packet, size of payload of packet, and type of payload packet (which can be used to determine whether there is an attachment).
- a packet is identified as an email data type from examination of the protocol part of the header.
- the phrase "email packet data” and “email data” are used interchangeably in the following description.
- Figure 1a is a schematic diagram of a network, within which embodiments of the invention operate;
- Figure 1b is a schematic diagram of processes and parts constituting a conventional email server;
- Figure 2 is a schematic diagram of components of a virus detector according to the invention
- Figure 3 is a flow diagram showing a method of identifying email behaviour according to an embodiment of the invention
- Figure 4 is a flow diagram showing aspects of managing email traffic in dependence on the behaviour outlined in the method of Figure 3;
- Figure 5 is a graphical representation of the form of output generated by the virus detector shown in Figure 2;
- Figure 6 is a flow diagram showing further aspects of managing email traffic in dependence on the behaviour outlined in the method of Figure 3;
- Figure 7 is a graphical representation of the output of one of the steps shown in Figure 3;
- Figure 8 is a graphical representation of the output of one of the steps shown in
- Figure 9 is a further graphical representation of the form of output generated by the virus detector shown in Figure 2.
- Figure 10 is a flow diagram showing aspects of managing email traffic according to a second embodiment
- Figure 11 is a flow diagram showing further aspects of managing email traffic according to a second embodiment
- Figure 12 is a schematic block diagram showing interrelationship between virus detectors according to embodiments of the invention; and
- Figure 13 shows a further embodiment.
- Figure 1a shows part of a network N1, having various devices operating therein.
- a network such as that shown in Figure 1a can be perceived as comprising a plurality of functional networks, one of which is an email network.
- An email network can be separated into a plurality of logical email domains, each of which comprises a plurality of server machines and client machines communicating therewith.
- Figure 1a shows part of a single logical email domain.
- the network N1 could be a corporate network, typically comprising many interconnected Local Area Networks (LAN).
- the network N1 includes routers R (only one of which is shown, for clarity), which route data to devices in the network in a manner known in the art and host machines H1 ... H7, which send and receive data, including email data, in a manner well known in the art. In the Figure, only a nominal number of host machines H1 ... H7 are shown for clarity.
- the network N1 additionally includes several email servers S1...Sn (only 3 shown for clarity), which receive and forward email from and to host machines H1... H7 or to and from other email servers, and provide temporary storage of emails that are in transit to another destination.
- Each email server Si stores details of emails passing through it in a log file LFi.
- the dashed links shown in Figure 1a indicate email traffic passing between email server and host machine; for other communications, each of the host machines H1...H7 may communicate directly with the router R.
- a public land mobile network (PLMN) (e.g. a GSM - compatible digital cellular network) N2 is connected via a gateway G to the LAN N1.
- a base station B1 of the PLMN provides a cell in the vicinity of terminal T1 , which is enabled to send and receive email messages (typically by having an email client running thereon) to hosts H1 ... H7 in the network N1. Since terminal T1 can send and receive emails in the same manner as hosts H1 ... H7, for the purposes of the following description it is considered to be a host.
- FIG. 1b shows parts of a conventional email server S1.
- An email server (also known as a messaging server) comprises processes adapted to attend to both outgoing and incoming email requests.
- the email server comprises means S01 for receiving and processing incoming email requests, which reads the destination address on incoming messages and delivers them to an appropriate mailbox stored on the server S1.
- Means S01 provides what is commonly referred to as "destination server” functionality.
- the email server S1 also comprises means S03 for sending and processing outgoing email requests, which is configured to interact with other servers, or nodes, through which a message is passed, until the email reaches the network corresponding to its destination.
- Means S03 provides what is commonly referred to as "client server” functionality.
- An email server can thus act as both client and destination server.
- Each email server S1 has a message store ST1 , which comprises mailboxes MBi for each host Hi for which the email server S1 acts as client server (in the case of server S1 , hosts H1 ... H4).
- the receiving means or logging means S01 identifies the recipient and stores the message in the mailbox corresponding to the recipient.
- the message is copied to the host when the recipient clicks on the message.
- viruses can cause large-scale disruption in terms of device loading and loss of data.
- Most known methods applied to virus detection maintain a library of known viruses, together with software for searching for these known viruses (e.g. McAfee™ and Dr Solomons™, generally referred to as "anti-viral" software). These methods essentially perform analysis of byte-signatures of files in order to identify files having signatures corresponding to the known viruses.
- a problem with these known approaches is that they are reactive - if a virus arrives at one of the hosts, say H1, then typically only if the virus has been seen before (and assuming that the host H1 has installed anti-viral software in respect of that virus) will the anti-viral software be effective.
- If host H1 were to receive an email that spawned a virus hitherto unseen, it would cause harm to the host H1, as there is currently no reliable means of detecting and halting the virus activity until it has been identified - i.e. after it has caused harm.
- PCT/GB2002/003295 takes a significant step from the above-described methods by analysing patterns in previously seen email data in order to identify a plurality of classification groups, or profiles, each of which is indicative of particular type of email behaviour.
- embodiments of that method attempt to classify the email data into one of the known profiles. If the data falls within one of the known profiles, a predetermined action can be carried out - e.g. alerting a system administrator, or running a further diagnostic application, if the email data is of a particular type.
- PCT/GB2002/003295 also describes visualising the distribution of email traffic around the network, as a function of the relationship between email server and hosts (email clients).
- the visualisation is not scalable for a network comprising, e.g. 70 email servers, since only a snapshot of the client/servers can be visualised on the screen.
- a further problem with this method is that classification can lead to false positives and indecision, and general failure to reliably classify unseen email data, whilst the method can only alert a network administrator to the presence of a virus, and cannot stop the spread of the virus.
- Although the approach disclosed in PCT/GB2002/003295 attempts to look at the macroscopic behaviour of email traffic, there are a number of shortcomings that limit its usefulness.
- Embodiments of the present invention are concerned with proactively detecting email viruses, and make use of a crucial realisation that the spread of, and thus damage due to, email viruses is dependent on transmission from one machine to other machines.
- embodiments of the invention provide a user interface to email data within a company, thereby presenting information on the movement of emails within a company in terms of the origin of the email.
- One advantage of the approach described herein is that email activity within an entire company (comprising upwards of 120,000 employees) can be viewed on a single screen.
- Since the origin of an email can be traced to an employee (who has a well defined position within a company), information relating to the sector within an organization from which emails are emanating can easily be retrieved.
- the invention represents an improvement over the current state of the art by virtue of the fact that known email virus detection methods do not parse email log files and represent them in terms of employee/company structure.
- Embodiments of the invention can be applicable to scenarios where users can be categorised in terms of their position within an organisation, such as a company.
- a company can be organised into organisational units, and each employee is then assigned to one of the organisational units.
- Such organisational units are referred to as "OUC”, meaning organisational unit code, in the following description.
- embodiments may analyse previously seen email data (in the form of email log files, stored, e.g. in email server log files LFi) and identify hosts that are sending an uncharacteristically large number of emails, and/or emails of a particular type and/or size.
- the presence of a virus can be inferred.
- the position of the associated email user is identified, and an identifier identifying the number/size/type of emails sent by that user is displayed on a bespoke graphical user interface.
- emails sent from the identified hosts are recalled, or temporarily quarantined, whilst an example of the email is retrieved from the email server (which is the "client server" of the identified host) and analysed by one or some of the above mentioned known email virus analysers (e.g. by sending the virus to Symantec™ analysis centre (discussed below)).
- the recalling feature thus has the benefit of halting the spread of the virus.
- If the results of the analysis show the emails to be viruses, the recalled emails are then deleted. Conversely, if the emails are not viruses, the recalled emails can be re-sent.
- Figure 2 is a block diagram showing elements of the first embodiment, generally referred to as virus detector 200, while Figures 3 and 4 are flow diagrams showing steps carried out by the virus detector 200 (which is an example of inference means for inferring the presence of a virus).
- the direction of arrows indicate the order in which steps are performed, and the dotted line in Figure 4 indicates input of data.
- Figures 5, 7 and 8 are schematic diagrams showing a graphical representation of detected email activity
- Figure 6 is a flow diagram showing further steps carried out by the virus detector 600, specifically in relation to recalling emails suspected to be virus-related.
- the virus detector 200 runs on an email server S1 , such as that shown in Figures 1a and 1b.
- the email server S1 comprises a central processing unit (CPU) 201 , a memory unit 203, an input/output device 205 for connecting the server S1 to the network N1 , storage 207, and a suite of operating system programs 209, which control and co-ordinate low level operation of the server S1.
- the virus detector 200 comprises at least some of programs 211, 213, 215, 217. These programs are stored on storage 207 and are processable by the CPU 201.
- the programs include a program 211 for gathering data, which collects unprocessed email data (log data), typically accessible from either the log file LF1 associated with the server S1 or from processes embedded in the email network whose purpose it is to gather such data (not shown).
- the virus detector 200 includes a program 213 for processing the gathered data in order to identify host machines that are sending an abnormal number/type/size of emails, and a visualising program 215, arranged to represent such identified hosts in the context of an organisational structure, together with recall program 217, which attempts to recall emails that have been sent from such identified clients.
- virus detectors 200 each of which runs on a destination email server.
- the interaction between virus detectors is described at the end of the description.
- the gathering program 211 accesses 501 the email log file LF1 and identifies 503 the email accounts (hereinafter referred to as email sender identifiers (ESIj)) from which emails have been sent.
- the log file LF1 will store details of emails sent within a network, such as an intranet, or a Virtual Private Network (VPN), within a certain time period.
- An email sender identifier ESIj can be a user ID or a conventional email address.
- the processing program 213 selects a first email sender identifier ESI1, and identifies 507 the organisational unit (OUC) corresponding to the selected email identifier ESI1 (that is, the organisational unit corresponding to the user having email identifier ESI1).
- Such identification may involve querying a database in respect of the user corresponding to email identifier ESI1 so as to retrieve data identifying the unit to which he/she belongs.
- the processing program 213 creates a first sender email list L1, and the user's details, including OUC identified at step 507 and email sender account details (including ESI1), are stored in the list L1.
- the processing program 213 parses email log file LF1 in order to calculate 511 the number of destinations, each having a respective email identifier (DEIk), that have been sent emails from the sender's email account ESI1. Then for each of the destination email identifiers DEIk, the number, size and type of emails sent thereto are evaluated and saved to the list L1 (step 513).
- the processing program 213 selects 505 the next email sender identifier ESI2 from the log file LF1 and repeats steps 507 - 513 in respect thereof. These steps are repeated until data in respect of all of the email sender identifiers identified by the gathering program 211 at step 503 have been analysed.
- steps 501 - 513 are parsing steps, the output of which is one or more lists, each comprising details of emails sent from an email account, together with data indicating the position, within an organisation, of the user associated with the email account.
- the processing program 213 analyses the content of each of the lists Li in order to identify email senders for whom a certain percentage of sent emails are of the same size, and/or are of the same type (the size of emails is not always used to identify viral activity because a clever virus could easily generate variable sized replications appending, for example, randomly generated data to an email before sending it). This percentage could be expected to vary depending on the level of paranoia.
- By type of email, we mean whether the email contains plain text; whether it contains an attachment, and if so, what type of attachment there is; whether there is a URL embedded therein; and where the email originated from.
- the processing program 213 parses the lists identified at step 515, and, for each list so identified, compares the number of outgoing emails with an email behaviour profile for the user associated with the sender identifier.
- An email behaviour profile may take the following form:
- a profile may be created manually, or could be created by a supervised learning method (not shown), such as a neural network, cluster analysis and pattern matching or unsupervised learning methods such as Kohonen's Feature Mapping. Other methods include reinforcement learning methods.
- each email sender would be expected, at the very least, to enter details of times at which he/she expects to send a large number of emails, and the times at which he/she expects to send the same email to a large number of people.
- the learning means receives, as input, data from the email log file corresponding to a day of the week and time slots within each day - e.g. data corresponding to a typical Monday morning, 9:00 - 10:00 slot - whereupon it learns a pattern corresponding to each day and timeslots within the day.
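The parsing steps 501 - 513, the same-size/same-type check and the profile comparison described above, as an added Python example that is not code from the patent. The comma-separated log layout, the directory and profile tables, the 80% share threshold and all function names are assumptions, and the sample log is constructed to cover one time interval.

```python
from collections import Counter, defaultdict

# Constructed sample log, one line per sent email: sender,destination,size,type
SAMPLE_LOG = "\n".join(
    ["alice,bob,2048,plain", "alice,dave,51200,attach:pdf", "alice,carol,900,plain",
     "bob,alice,1200,plain", "bob,dave,700,plain"]
    + [f"carol,user{i},14336,attach:vbs" for i in range(8)]  # burst of identical mail
    + [f"dave,list{i},4096,plain" for i in range(6)]          # expected bulk mailing
)

# Hypothetical mapping of users to organisational unit codes (OUC).
DIRECTORY = {"alice": "FIN1", "bob": "FIN1", "carol": "ENG2", "dave": "ENG2"}

# Hypothetical behaviour profiles: most emails each user expects to send per interval.
PROFILES = {"alice": 5, "bob": 5, "carol": 5, "dave": 10}


def parse_log(text):
    """Steps 501-503: read the log into one record per sent email."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, dest, size, mtype = line.split(",")
        records.append({"sender": sender, "dest": dest, "size": int(size), "type": mtype})
    return records


def build_sender_lists(records, directory):
    """Steps 505-513: one list per sender holding OUC and per-destination details."""
    lists = {}
    for r in records:
        entry = lists.setdefault(
            r["sender"],
            {"ouc": directory.get(r["sender"], "UNKNOWN"), "dests": defaultdict(list)},
        )
        entry["dests"][r["dest"]].append((r["size"], r["type"]))
    return lists


def uniformity(entry):
    """Return (emails sent, largest same-size share, largest same-type share)."""
    sent = [m for msgs in entry["dests"].values() for m in msgs]
    size_share = Counter(s for s, _ in sent).most_common(1)[0][1] / len(sent)
    type_share = Counter(t for _, t in sent).most_common(1)[0][1] / len(sent)
    return len(sent), size_share, type_share


def flag_senders(lists, profiles, share_threshold=0.8):
    """Keep senders whose mail is mostly uniform AND whose volume exceeds their profile."""
    flagged = []
    for sender, entry in sorted(lists.items()):
        count, size_share, type_share = uniformity(entry)
        if max(size_share, type_share) < share_threshold:
            continue  # mail is varied: not a candidate
        # Assumption: a sender with no profile is treated as expecting zero emails.
        if count > profiles.get(sender, 0):
            flagged.append({"sender": sender, "ouc": entry["ouc"],
                            "count": count, "destinations": len(entry["dests"])})
    return flagged


def run_example():
    lists = build_sender_lists(parse_log(SAMPLE_LOG), DIRECTORY)
    return lists, flag_senders(lists, PROFILES)


if __name__ == "__main__":
    for alert in run_example()[1]:
        print(alert)
```

Sender `bob` passes the uniformity check but stays under his profile, and `dave` sends identical mail in bulk but his profile allows it, so only the burst from `carol` is reported together with her organisational unit.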
- the visualising program 215 is arranged to present information graphically via a graphical user interface (GUI), specifically in response to receipt of data from the processing program 213.
- the visualising program 215 creates a window 501 showing a two dimensional representation of a company structure, where each unit within the company is represented by a rectangle 503, and the rectangles are arranged in, e.g.
- When the visualising program 215 receives data from the processing program 213, it converts the data received at step 521 into a format suitable for representation (described below), identifies which of the organisational units the received data corresponds to, and modifies the window 501 at a location corresponding to the identified organisational unit (also described below).
- the GUI could comprise a plurality of windows.
- each window could correspond to a level in the hierarchy and selection of a window could be provided by menu options, or similar.
- the visualising program 215 identifies, in the window being displayed, the organisational unit that the received data relates to, and enters data at a location corresponding to the identified unit (part of step 523).
- the data received by the visualising program 215 essentially identifies a number of emails sent from an email account.
- the conversion of data mentioned above involves converting the number such that it can be represented graphically.
- the visualising program 215 normalises numbers by the largest number received hitherto (or by a predetermined maximum), selects a colour depending on the normalised value (e.g. 0.8 - 1.0 could be red while 0.0 - 0.2 could be green), and paints the rectangle corresponding to the identified organisational unit the selected colour.
- the virus detector 200 can control the spread of suspect emails.
- the recalling program 217 receives alert data (step 525), which is indicative of email sender identifiers from which an uncharacteristically large number of emails have been sent, from the processing program 213.
- the recalling program 217 retrieves 527 at least one of the messages sent from these identified email senders.
- a copy, or a "sample" of messages sent by the email senders is stored locally, on the client servers associated with the email sender identifiers, and is thus accessible by the retrieving means 217. (e.g. referring to Figure 1a, if an email were sent from host H1 a copy of the email would be retrieved from server S1).
- a sample is sent 529 to a dedicated analysis centre such as the Symantec™ AntiVirus Research Center (SARC) (at July 2002, suspect viruses could be submitted to SARC for analysis thereof via a form posted at the following webpage:
- such a request takes the form of a first part indicating the network delivery mechanism (e.g. http:// or file:// for the hypertext transfer protocol or file transfer protocol respectively) followed by the network address of the server (e.g. www.server.com) suffixed with the name of the file that is being requested. Note that, in this example, such names are, for typographical reasons, shown with the "//" replaced by "\\".
- the recalling program 217 recalls all of the emails sent from email accounts corresponding to the email sender identifiers for which data was received at step 525.
- the important point to note is that suspect emails are recalled as soon as possible; if it turns out later, in light of the results from the email analyser, that some of the recalled emails were not virus related, then those emails can be re-sent. It could therefore be said that the disadvantage of the recall feature is late delivery of those emails that have been misclassified as suspicious.
- the recalling program 217 selects 601 a first destination identifier EDh from the list L and looks up 603 an email server corresponding to that destination identifier EDh (i.e. the email server that has mailboxes corresponding to destination identifier EDh).
- this lookup typically involves accessing a so-called "Global address book", where each user is listed, together with an email server corresponding thereto.
- the recalling program 217 then sends 605 a recall message to the identified server, whereupon the server checks 607 whether the email being recalled is still stored thereon (i.e. whether it is still in the mailbox), or whether the message has already been copied to the host of its intended recipient (EDh).
- Microsoft Outlook™ already offers a "recall" facility, which can be activated from the email client running on a host.
- an email can be recalled only if its recipient is logged on and has neither read the message nor moved it from the email Inbox.
- the software enabling the recall functionality is only implemented on a host machine, partly because recalling of emails is perceived to be a personal choice.
- the virus detector 200 can recall messages whether a user is logged on or not, by virtue of the fact that the recalling program 217 is invoked from an email server rather than from an email client.
- the recalling program 217 can send messages in respect of a plurality of email sender addresses. This is due to the fact that the recalling program 217, running on an email server, is unconstrained by individual user permissions, and can effect "mass recall" of suspicious emails.
- effecting recall from an email server is a surprising feature of the embodiment.
- a protocol that could be used to recall and respond to receipt of recall messages is the Messaging Application Program Interface (MAPI), which is a Microsoft Windows program interface that enables e-mail to be sent from within a Windows application.
- MAPI can be utilised in embodiments wherein the virus detector 200 is a Windows application.
- the recalling program 217 could send and receive messages using Remote Procedure calls (RPC) or TCP/IP, which is an Internet Protocol transport layer protocol.
- SMTP Simple Mail Transfer Protocol
- POP3 Post Office Protocol v3
- the identified server sends 609 the said email back to the recalling program 217 (using MAPI); however, if the suspect email has already been copied to the email client, the server sends 611 a failure message to the recalling program 217.
- This process (steps 601 - 611) is repeated for all destination identifiers EDIj in the first list L and then the whole process is repeated for any other lists identified at step 525.
- the recalling program 217 maintains a record of the success or otherwise of recalling the emails (step 533, Figure 4). Once the results of the email virus analysis have been received, at step 534, the recalling program 217 proceeds to review the results. For those emails that are apparently not linked to a virus, the recalling program 217 identifies the recall status thereof (step 535), and, if the emails have been successfully recalled, the recalling program 217 causes the emails to be re-sent 537. Clearly, if the recall was unsuccessful there is no need to recall them and no further action is taken.
- the recalling program 217 identifies the recall status thereof (step 535), and, if the emails have been successfully recalled, deletes 539 them. For those emails for which the recall was unsuccessful, an alert is sent (e.g. in the form of an email alert, at step 541) to the email administrator, including details of the infected emails and their destination identifiers.
- the recalling program 217 could send a notification to each server from which a failure message was identified at step 535.
- a notification could trigger operation of the virus detector, as described above with reference to Figures 2 - 6, on that server.
- FIG. 7 examples of the output generated by the visualising program 215 will be discussed.
- four organisational units AE, BF, CH, DE are shown in grey, indicating that one or more email senders within each of these groups are sending large numbers of suspected email viruses.
- the numbers of emails emanating from senders within all groups for which data was received at step 521 have been normalised, as described above in relation to step 523, and classified according to their normalised values; accordingly, those organisational units from which the highest number of suspicious emails have been sent are shown in grey, whilst those from which the next highest number of suspicious emails have been sent are shown hatched. Those organisational units for which no suspicious emails have been recorded are omitted from the figure.
- Figure 8 combines output from the visualising program 215 with details of the path that emails emanating from the senders were identified to have taken through the network (the path is identified using the WINS resolution of email server, described above).
- Email servers S1 ... S4 are shown separately from the window 501 so as to avoid confusion between the information about email emanation, in terms of units within a company, and information about routes taken by those emails.
- the visualising program 215 can also be adapted to display details of the email sender identifiers (email account) from which the suspect emails have originated.
- the window created by the visualising program 215 can include menu options, and/or link certain functionality with mouse clicks.
- the visualising program 215 is a Windows application, such functionality is provided by Java Foundation Classes (for information on writing Windows applications in Java, the reader is referred to "The Java™ Virtual Machine Specification", Sun Microsystems Chapter 1.2, Lindholm, T., Yellin, F. 1999).
- each rectangle 503 on the window 501 can be associated with display objects (e.g.
- the visualising program 215 can be arranged to display details from each of the lists L, that were received at step 521 in a dialogue box, as shown in Figure 9.
- a second embodiment will now be described with reference to Figures 10, 11 and 12.
- the second embodiment is generally similar to that of Figures 2 to 9 such that like parts have been given like reference numerals and will not be described further in detail.
- the recalling program 217 instead of recalling suspect emails, sends a message to the email servers to which such suspect emails have been sent, triggering a quarantine process to be run on the said email servers.
- the quarantine process involves preventing the means S01 from distributing incoming emails to a respective mailbox until the results of email virus analysis have been received.
- the virus detector 200 includes a restraining program 219.
- a virus detector 200 includes the gathering, processing, visualising, recalling and restraining programs 211, 213, 215, 217, 219
- a recalling program 215 of one virus detector 200 running on a first server S1
- co-operates with a restraining program 219 of another virus detector running on a second server S2 - i.e. the email server to which emails have been sent.
- the recalling program 215 running on the first server S1 will co-operate with a plurality of restraining programs 219, each running on a respective email server.
- Steps 601 and 603 progress as described for the first embodiment - i.e. at step 601, upon receipt of a first list Li, the recalling program 217 selects 601 a first destination identifier EDh from the list Li and identifies 603 an email server corresponding to that destination identifier EDh (i.e. the email server that has mailboxes corresponding to destination identifier EDh).
- the recalling program 217 then sends 1001 a restraining message, which contains data identifying the suspect emails, to the identified server.
- the restraining program 219 running on the identified server checks whether emails emanating from the sending server are stored thereon, or whether the emails have already been copied to the host of its intended recipient (EDh).
- the restraining program 219 removes the or each message from the mailbox, and stores it elsewhere on the server. In the event that any message has been copied to the recipient, the restraining program 219 sends a failure message to the recalling program 217 running on the sending email server. Alternatively, the restraining program 219 could send a single response to the said recalling program 217, listing all of the emails that have been copied to their recipients, when it has processed all of the restraining messages.
- This process (steps 601 - 1005) is repeated for each destination identifier EDIj in each list L.
- the recalling program 217 progresses as shown in Figure 11. For those emails that are not viruses and have been stored by the restraining program(s) 219, the recalling program 217 sends 1103 a message to the or each restraining program 219, instructing delivery of the said emails.
- the recalling program 217 sends 1105 a message to the or each restraining program 219, instructing deletion of the said emails.
- the recalling program 217 sends 1107 a message to the or each email server, triggering operation of its virus detector 200 (i.e. triggering the gathering program 211 running on the server identified at step 603 to perform step 501).
- the processing program 215 merely identifies those destination email identifiers EDIj to which the virus has been sent. Furthermore the analysis steps (steps 527, 529, 534) are redundant, since it has already been established that those emails are viruses. As a result, the only steps that have to be carried out by the server identified at step 603, once the destination identifiers EDIj have been identified, is recall or quarantining of the virus forwarded by hosts connected thereto. This also applies to the first embodiment.
- viruses could be analysed (step 534) on the email server to which the suspect emails have been sent, and the restraining program
- step 1005 is redundant, while steps 1103, 1105, 1107 are run by the restraining program 219.
- the second embodiment has an advantage of generating less traffic (because emails are not actually being recalled) than is generated with the first embodiment.
- a record of email traffic is stored in a log file LF associated with an email server, so that there are as many log files as email servers, and each log file stores data relating to the email or other data traffic that has passed through its associated server.
- records of email traffic, connections or other data traffic could be stored in a file. That file may be monitored to detect when a criterion relating to the data traffic is met, for example, when data is sent to a threshold number of destinations.
- a central log file that is associated with a firewall may be provided.
- the virus detector 200 could be distributed over a plurality of devices, such that the visualising program 215 is located separate from the other programs making up the virus detector 200.
- a single visualisation program 215 could be located at a central server, and each virus detector 200 could be arranged to output data to the central server.
- all of the email activity within a network N1 could be visualised at a central location, which facilitates easier email administration.
- a user terminal H1 has a user interface
- a graphical user interface configured to request the user to input a confirmation instruction when one or more predetermined criteria are met relating to the emails the user wishes to send, which confirmation instruction causes the terminal H1 to send authentication data 138 towards a server S1.
- the server S1 connected to terminal H1 directly or through a network can then use the authentication data 138 to check whether unusual email behaviour is genuine, thereby reducing the likelihood that unusual but valid email behaviour will be mistaken for a virus.
- the server S1 in particular the processing program 213 can be configured to infer, for emails meeting the predetermined criteria requiring confirmation instructions by the user, that those emails are virus emails unless authentication data is received for those emails.
- the user interface 131 will preferably be configured to only permit emails meeting the predetermined criterion or criteria to be sent if the user has input the requested confirmation instruction.
- the user will preferably not be required to input a confirmation instruction unless the predetermined criteria are met, so that the user is not inconvenienced when only sending a few emails or emails which would not normally cause the processing program 213 to infer that the emails are caused by a virus.
- the predetermined criteria may be met for example when the user sends more than a threshold number of emails.
- the threshold number may relate to the number of emails having the same text sent to different recipients as a batch, or the threshold number may relate to the number of emails sent from the user terminal, in particular the user, over a period of time. In this way, the predetermined criteria can invoke the confirmation requirement when suspiciously large emails or numbers of emails are sent.
- a processor 132 running an email or messaging program such as Outlook (TM) will normally be provided on the terminal H1, the processor being additionally configured to calculate the threshold number.
- the user interface 131 is arranged such that the confirmation instruction from the user is mapped to data indicative of one or more characteristics or other attributes of the emails to be sent, such that the terminal H1 is able to output or otherwise produce authentication data indicative of user-confirmed attributes relating to the emails to be sent.
- the authentication data may simply confirm that the user has sent a number of emails as a batch.
- the authentication data will confirm the size of the email (more or less) sent by the user.
- the server S1 connected to the user terminal H1 receives the authentication data, which is stored in a user database 135 located on the server S1.
- the processing program 213 running on the server S1 detects unusual email behaviour originating from the terminal H1, or in particular from a user operating from that terminal, the processing program 213 including a comparison stage 139 compares the attributes of the email behaviour with corresponding attributes entered in the user database 135 relating to that email behaviour. The processing program 213 thereby determines if the sent emails are genuinely sent by the user. In this example, the attributes to be compared are simply the number of emails sent as a batch email.
- the processing program 213 infers that the emails are genuine and does not generate alert data. Otherwise, alert data is generated and passed to the recalling program 217, which identifies the address or addresses to which the emails have been sent, and attempts to recall or suspend delivery of these emails.
- the authentication data is preferably stored in the user database 135 in an encrypted form, the processor program 213 being configured to decrypt the authentication data.
- a virus email may be configured to appear as if it has been sent by a user, it will be more difficult for a virus to include the authentication data, since this data is encrypted. Furthermore, because physical user action is required for the authentication data to be generated, it will be more difficult for an email virus to trigger the generation of this data.
- a user may be required to enter a password with the confirmation instructions.
- the e-mail program may be configured to display a dialogue box for the user to type in the password.
- a virus may be able to trigger existing messaging software into sending virus e-mails on behalf of a user, such a virus will not have reference to the password data, since the password data is not stored on the terminal, nor is it accessible to the terminal. This makes it yet less likely that a virus will be able to trigger the authentication data to be sent, and will yet further reduce the risk that a virus will propagate from the terminal.
- the password data need only be kept secret from the authors of a virus, and hence may be more widely disseminated and/or simpler than personal passwords.
- the password may consist of three characters or less, or possibly one or two characters, depending on the complexity of the virus the e-mail program is to be protected against.
- a user terminal having an existing email or messaging program may conveniently be adapted by improvement software or other plug-in, the plug-in having improvement software which causes the email program to display a dialogue box with a confirmation button for a user to click and/or a password to enter in order to permit the emails of the user to be sent.
- existing messaging software a user is simply invited by the presence of a dialog box or window on a display to send specified emails, the dialog box or window having a button therein for the user to click.
- the behaviour of the existing messaging program is altered, such that when a user wishes to send emails over a predetermined size or to a large number of recipients, the user is obliged to perform the additional action of registering these emails as bulk mailings through the confirmation button and/or password.
- the user database 135 can then be checked for legality.
- the authentication data may include the password data input by the user, in which case the password may but need not be encrypted before it is sent by the terminal to a server.
- the password is simply included in an email or the header of an email intended for more than a threshold number of recipients, the server being configured to read the password and treat the password as authentication data if the password matches password data stored in the server.
- the email is treated as valid.
- This simpler embodiment allows existing messaging software to be used without modification, allowing the invention to be more easily implemented.
- since in this embodiment the user is neither invited nor obliged to confirm that the email is valid, it will be more likely that valid bulk emails will be erroneously treated as virus emails by the server.
- this embodiment requires the password data to be stored on the server. This requirement is not necessary where the aforementioned plug-in is used, since the authentication data can be made independent of the password data, with the result that the password data can be updated without updating the server software responsible for reading and/or decrypting the authentication data.
- the invention described above may be embodied in one or more computer programs.
- These programmes can be contained on various transmission and/or storage mediums such as a floppy disc, CD-ROM, or magnetic tape so that the programmes can be loaded onto one or more general purpose computers or could be downloaded over a computer network using a suitable transmission medium.
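The detection and confirmation check described above (per-slot profile, a threshold on the number of destinations, and comparison stage 139 against user database 135) can be sketched as follows. This is an added example, not code from the patent: the log record layout, the addresses, the digest field, the default limit and the rule that one confirmation covers one batch are all assumptions, and the encryption of the stored authentication data is not modelled.

```python
from collections import defaultdict
from datetime import datetime

# Constructed profile: (sender, weekday, hour) -> largest batch expected in that slot.
# Weekday 0 is Monday, so this entry is "Monday, 9:00 - 10:00".
PROFILE = {("alice@corp.example", 0, 9): 50}
DEFAULT_LIMIT = 5  # assumed limit for any slot that has no profile entry

# Constructed stand-in for user database 135: sender -> batch sizes the user confirmed.
USER_DB = {"bob@corp.example": [12], "carol@corp.example": [8]}


def batch(ts, sender, digest, n):
    """Constructed log records: (ISO timestamp, sender, destination, body digest)."""
    return [(ts, sender, f"user{i}@corp.example", digest) for i in range(n)]


def build_log():
    log = []
    log += batch("2002-08-05T09:10:00", "alice@corp.example", "d-news", 40)   # within profile
    log += batch("2002-08-05T14:00:00", "bob@corp.example", "d-invite", 12)   # confirmed as 12
    log += batch("2002-08-05T14:30:00", "bob@corp.example", "d-worm", 30)     # never confirmed
    log += batch("2002-08-06T11:00:00", "carol@corp.example", "d-memo", 20)   # confirmed 8, sent 20
    log += batch("2002-08-06T11:05:00", "dave@corp.example", "d-note", 3)     # below default limit
    return log


def detect(log, profile, user_db, default_limit=DEFAULT_LIMIT):
    """Return alert data for batches that exceed the slot limit and lack a matching confirmation."""
    # Work on a copy so that consuming a confirmation does not alter the caller's database.
    confirmations = {sender: list(sizes) for sender, sizes in user_db.items()}

    # Group the same body sent by one sender within one (weekday, hour) slot.
    batches = defaultdict(set)
    for ts, sender, dest, digest in log:
        when = datetime.fromisoformat(ts)
        batches[(sender, when.weekday(), when.hour, digest)].add(dest)

    alerts = []
    for (sender, weekday, hour, digest), dests in sorted(batches.items()):
        limit = profile.get((sender, weekday, hour), default_limit)
        if len(dests) <= limit:
            continue  # characteristic behaviour for this slot
        pending = confirmations.get(sender, [])
        if len(dests) in pending:
            # The user-confirmed attribute (batch size) matches what was sent.
            pending.remove(len(dests))  # assumption: one confirmation covers one batch
            continue
        alerts.append({
            "sender": sender,
            "digest": digest,
            "slot": (weekday, hour),
            "sent": len(dests),
            "limit": limit,
            "destinations": sorted(dests),  # the list handed to the recalling program
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_log(), PROFILE, USER_DB):
        print(alert["sender"], alert["digest"], alert["sent"], "sent, limit", alert["limit"])
```

A confirmation for a batch of 8 does not cover a batch of 20 from the same sender, and a second batch of a confirmed size raises an alert once the single confirmation has been used.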
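The recall procedure of the first embodiment (steps 601 - 611, the status record of step 533 and the post-analysis handling of steps 534 - 541) is walked through below as an added example that is not part of the patent. The in-memory `MailServer` class, the message identifiers, the addresses and the dictionary used as the "Global address book" are hypothetical stand-ins for the MAPI exchange between servers.

```python
from dataclasses import dataclass, field


@dataclass
class MailServer:
    """Receiving email server; a message stays in `mailbox` until a client copies it."""
    name: str
    mailbox: dict = field(default_factory=dict)  # (destination, msg_id) -> body

    def recall(self, destination, msg_id):
        """Steps 607-611: return the stored email, or None as the failure message."""
        return self.mailbox.pop((destination, msg_id), None)

    def deliver(self, destination, msg_id, body):
        self.mailbox[(destination, msg_id)] = body


def recall_all(lists, address_book, servers):
    """Steps 601-611 for every list; the returned dict is the status record of step 533."""
    record = {}
    for msg_id, destinations in lists.items():
        for dest in destinations:                     # step 601: next destination identifier
            server = servers[address_book[dest]]      # step 603: address book lookup
            body = server.recall(dest, msg_id)        # steps 605-611: recall or failure
            record[(msg_id, dest)] = {
                "server": server.name,
                "recalled": body is not None,
                "body": body,
            }
    return record


def dispose(record, infected, servers):
    """Steps 534-541: act on each email once the analysis verdicts are known."""
    actions = {"resent": [], "no_action": [], "deleted": [], "admin_alert": []}
    for (msg_id, dest), entry in sorted(record.items()):
        if not infected[msg_id]:
            if entry["recalled"]:
                # Step 537: a misclassified email is delivered again, only later.
                servers[entry["server"]].deliver(dest, msg_id, entry["body"])
                actions["resent"].append((msg_id, dest))
            else:
                actions["no_action"].append((msg_id, dest))
        elif entry["recalled"]:
            entry["body"] = None                      # step 539: delete the recalled copy
            actions["deleted"].append((msg_id, dest))
        else:
            # Step 541: the email reached a host, so the administrator is told where.
            actions["admin_alert"].append((msg_id, dest, entry["server"]))
    return actions


def run_scenario():
    """Constructed scenario: two servers, two suspect messages, four destinations."""
    servers = {"S2": MailServer("S2"), "S3": MailServer("S3")}
    address_book = {
        "ann@corp.example": "S2", "ben@corp.example": "S2",
        "cat@corp.example": "S3", "dan@corp.example": "S3",
    }
    lists = {
        "m1": ["ann@corp.example", "cat@corp.example"],
        "m2": ["ben@corp.example", "dan@corp.example"],
    }
    # ann and ben have not collected their mail; cat and dan already copied theirs to a host.
    servers["S2"].deliver("ann@corp.example", "m1", "worm body")
    servers["S2"].deliver("ben@corp.example", "m2", "quarterly report")
    record = recall_all(lists, address_book, servers)
    actions = dispose(record, {"m1": True, "m2": False}, servers)
    return record, actions, servers


if __name__ == "__main__":
    print(run_scenario()[1])
```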
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002493787A CA2493787A1 (en) | 2002-08-07 | 2003-08-07 | Server for sending electronics messages |
AU2003251371A AU2003251371A1 (en) | 2002-08-07 | 2003-08-07 | Server for sending electronics messages |
EP03784275A EP1527592A1 (en) | 2002-08-07 | 2003-08-07 | Server for sending electronics messages |
US10/522,919 US20060010209A1 (en) | 2002-08-07 | 2003-08-07 | Server for sending electronics messages |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0218315.0 | 2002-08-07 | ||
GB0218315A GB0218315D0 (en) | 2002-08-07 | 2002-08-07 | Server for sending electronic messages |
GB0302631A GB0302631D0 (en) | 2003-02-05 | 2003-02-05 | Server for sending electronic messages |
GB0302631.7 | 2003-02-05 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004015954A1 (en) | 2004-02-19 |
Family
ID=31716919
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2003/003468 WO2004015954A1 (en) | 2002-08-07 | 2003-08-07 | Server for sending electronics messages |
Country Status (5)
Country | Link |
---|---|
US (1) | US20060010209A1 (en) |
EP (1) | EP1527592A1 (en) |
AU (1) | AU2003251371A1 (en) |
CA (1) | CA2493787A1 (en) |
WO (1) | WO2004015954A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103096418A (en) * | 2011-11-04 | 2013-05-08 | 中兴通讯股份有限公司 | Access control implementation method and system |
CN103200618A (en) * | 2012-01-05 | 2013-07-10 | 中兴通讯股份有限公司 | Wireless local area network (WLAN) hotspot function control method and device |
EP2814276A1 (en) * | 2012-02-10 | 2014-12-17 | ZTE Corporation | Access authentication method and device for wireless local area network hotspot |
Families Citing this family (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7539729B1 (en) | 2003-09-15 | 2009-05-26 | Cloudmark, Inc. | Method and apparatus to enable mass message publications to reach a client equipped with a filter |
US20050086526A1 (en) * | 2003-10-17 | 2005-04-21 | Panda Software S.L. (Sociedad Unipersonal) | Computer implemented method providing software virus infection information in real time |
US7343624B1 (en) * | 2004-07-13 | 2008-03-11 | Sonicwall, Inc. | Managing infectious messages as identified by an attachment |
US9154511B1 (en) | 2004-07-13 | 2015-10-06 | Dell Software Inc. | Time zero detection of infectious messages |
JP4559295B2 (en) * | 2005-05-17 | 2010-10-06 | 株式会社エヌ・ティ・ティ・ドコモ | Data communication system and data communication method |
US8533778B1 (en) * | 2006-06-23 | 2013-09-10 | Mcafee, Inc. | System, method and computer program product for detecting unwanted effects utilizing a virtual machine |
US20080098072A1 (en) * | 2006-10-23 | 2008-04-24 | International Business Machines Corporation | Method and process to add recipients to an on-going electronic message thread |
US8590002B1 (en) | 2006-11-29 | 2013-11-19 | Mcafee Inc. | System, method and computer program product for maintaining a confidentiality of data on a network |
US20100107236A1 (en) * | 2007-03-09 | 2010-04-29 | Shozo Fujino | Network system, communication method, communication terminal, and communication program |
US8621008B2 (en) | 2007-04-26 | 2013-12-31 | Mcafee, Inc. | System, method and computer program product for performing an action based on an aspect of an electronic mail message thread |
US20080273699A1 (en) * | 2007-05-03 | 2008-11-06 | Notification Technologies, Inc. | System for controlling the transmission of mass notifications |
US20080313285A1 (en) * | 2007-06-14 | 2008-12-18 | Microsoft Corporation | Post transit spam filtering |
US8073122B2 (en) * | 2007-06-20 | 2011-12-06 | Microsoft Corporation | Message recall using digital rights management |
US8199965B1 (en) * | 2007-08-17 | 2012-06-12 | Mcafee, Inc. | System, method, and computer program product for preventing image-related data loss |
US20130276061A1 (en) | 2007-09-05 | 2013-10-17 | Gopi Krishna Chebiyyam | System, method, and computer program product for preventing access to data with respect to a data access attempt associated with a remote data sharing session |
JP2009071657A (en) * | 2007-09-14 | 2009-04-02 | Ricoh Co Ltd | Communication device and communication method |
US8446607B2 (en) * | 2007-10-01 | 2013-05-21 | Mcafee, Inc. | Method and system for policy based monitoring and blocking of printing activities on local and network printers |
CN101878473B (en) * | 2007-11-28 | 2013-05-08 | 日本电气株式会社 | E-mail management device, communication device, e-mail management method, and program |
US8893285B2 (en) | 2008-03-14 | 2014-11-18 | Mcafee, Inc. | Securing data using integrated host-based data loss agent with encryption detection |
US9077684B1 (en) * | 2008-08-06 | 2015-07-07 | Mcafee, Inc. | System, method, and computer program product for determining whether an electronic mail message is compliant with an etiquette policy |
US8788597B2 (en) * | 2009-03-24 | 2014-07-22 | Barracuda Networks, Inc. | Recalling spam email or viruses from inboxes |
US20100251372A1 (en) * | 2009-03-24 | 2010-09-30 | Barracuda Networks, Inc | Demand scheduled email virus afterburner apparatus, method, and system |
US20110041179A1 (en) * | 2009-08-11 | 2011-02-17 | F-Secure Oyj | Malware detection |
US9292600B2 (en) * | 2011-09-30 | 2016-03-22 | Microsoft Technology Licensing, Llc | Message classification and management |
US9882929B1 (en) | 2014-09-30 | 2018-01-30 | Palo Alto Networks, Inc. | Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network |
US10044675B1 (en) | 2014-09-30 | 2018-08-07 | Palo Alto Networks, Inc. | Integrating a honey network with a target network to counter IP and peer-checking evasion techniques |
US9860208B1 (en) | 2014-09-30 | 2018-01-02 | Palo Alto Networks, Inc. | Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network |
US9495188B1 (en) | 2014-09-30 | 2016-11-15 | Palo Alto Networks, Inc. | Synchronizing a honey network configuration to reflect a target network environment |
US11271907B2 (en) | 2019-12-19 | 2022-03-08 | Palo Alto Networks, Inc. | Smart proxy for a large scale high-interaction honeypot farm |
US11265346B2 (en) | 2019-12-19 | 2022-03-01 | Palo Alto Networks, Inc. | Large scale high-interactive honeypot farm |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002005072A2 (en) * | 2000-07-07 | 2002-01-17 | Messagelabs Limited | Method of and system for, processing email |
Family Cites Families (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5319776A (en) * | 1990-04-19 | 1994-06-07 | Hilgraeve Corporation | In transit detection of computer virus with safeguard |
GB9103349D0 (en) * | 1991-02-18 | 1991-04-03 | King Reginald A | Artificial neural network systems |
DK170490B1 (en) * | 1992-04-28 | 1995-09-18 | Multi Inform As | Data Processing Plant |
GB9303527D0 (en) * | 1993-02-22 | 1993-04-07 | Hewlett Packard Ltd | Network analysis method |
US5537488A (en) * | 1993-09-16 | 1996-07-16 | Massachusetts Institute Of Technology | Pattern recognition system with statistical classification |
US5414833A (en) * | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5675711A (en) * | 1994-05-13 | 1997-10-07 | International Business Machines Corporation | Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses |
US6046988A (en) * | 1995-11-16 | 2000-04-04 | Loran Network Systems Llc | Method of determining the topology of a network of objects |
US5926462A (en) * | 1995-11-16 | 1999-07-20 | Loran Network Systems, Llc | Method of determining topology of a network of objects which compares the similarity of the traffic sequences/volumes of a pair of devices |
US6453327B1 (en) * | 1996-06-10 | 2002-09-17 | Sun Microsystems, Inc. | Method and apparatus for identifying and discarding junk electronic mail |
US5832208A (en) * | 1996-09-05 | 1998-11-03 | Cheyenne Software International Sales Corp. | Anti-virus agent for use with databases and mail servers |
DE69739017D1 (en) * | 1996-11-28 | 2008-11-13 | Nec Corp | Card-type registration means, registration method and apparatus for the registration means, system for generating such registration means, ciphering system and decoder therefor, and registration means |
WO1998029833A1 (en) * | 1996-12-25 | 1998-07-09 | Hitachi, Ltd. | Pattern recognition apparatus and pattern recognition method |
US6473787B2 (en) * | 1997-02-06 | 2002-10-29 | Genesys Telecommunications Laboratories, Inc. | System for routing electronic mails |
US6178442B1 (en) * | 1997-02-20 | 2001-01-23 | Justsystem Corp. | Electronic mail system and electronic mail access acknowledging method |
US6073165A (en) * | 1997-07-29 | 2000-06-06 | Jfax Communications, Inc. | Filtering computer network messages directed to a user's e-mail box based on user defined filters, and forwarding a filtered message to the user's receiver |
JP3777025B2 (en) * | 1997-08-20 | 2006-05-24 | インターナショナル・ビジネス・マシーンズ・コーポレーション | System resource display device and method thereof |
US6006179A (en) * | 1997-10-28 | 1999-12-21 | America Online, Inc. | Audio codec using adaptive sparse vector quantization with subband vector classification |
US6353689B1 (en) * | 1997-11-11 | 2002-03-05 | Sony Corporation | Apparatus for and method of processing image and information recording medium |
US6052709A (en) * | 1997-12-23 | 2000-04-18 | Bright Light Technologies, Inc. | Apparatus and method for controlling delivery of unsolicited electronic mail |
US6167402A (en) * | 1998-04-27 | 2000-12-26 | Sun Microsystems, Inc. | High performance message store |
US7047423B1 (en) * | 1998-07-21 | 2006-05-16 | Computer Associates Think, Inc. | Information security analysis system |
US6711127B1 (en) * | 1998-07-31 | 2004-03-23 | General Dynamics Government Systems Corporation | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
US6321338B1 (en) * | 1998-11-09 | 2001-11-20 | Sri International | Network surveillance |
US6370648B1 (en) * | 1998-12-08 | 2002-04-09 | Visa International Service Association | Computer network intrusion detection |
US20010044719A1 (en) * | 1999-07-02 | 2001-11-22 | Mitsubishi Electric Research Laboratories, Inc. | Method and system for recognizing, indexing, and searching acoustic signals |
US6996843B1 (en) * | 1999-08-30 | 2006-02-07 | Symantec Corporation | System and method for detecting computer intrusions |
US6769066B1 (en) * | 1999-10-25 | 2004-07-27 | Visa International Service Association | Method and apparatus for training a neural network model for use in computer network intrusion detection |
US7181768B1 (en) * | 1999-10-28 | 2007-02-20 | Cigital | Computer intrusion detection system and method based on application monitoring |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
AU2001263503A1 (en) * | 2000-05-16 | 2001-11-26 | America Online, Inc. | E-mail sender identification |
US7127743B1 (en) * | 2000-06-23 | 2006-10-24 | Netforensics, Inc. | Comprehensive security structure platform for network managers |
US20020162017A1 (en) * | 2000-07-14 | 2002-10-31 | Stephen Sorkin | System and method for analyzing logfiles |
US6757830B1 (en) * | 2000-10-03 | 2004-06-29 | Networks Associates Technology, Inc. | Detecting unwanted properties in received email messages |
US20020059432A1 (en) * | 2000-10-26 | 2002-05-16 | Shigeto Masuda | Integrated service network system |
US20030051026A1 (en) * | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
US7089592B2 (en) * | 2001-03-15 | 2006-08-08 | Brighterion, Inc. | Systems and methods for dynamic detection and prevention of electronic fraud |
US20020133604A1 (en) * | 2001-03-19 | 2002-09-19 | Alok Khanna | Instruction set file generation for online account aggregation |
US7024400B2 (en) * | 2001-05-08 | 2006-04-04 | Sunflare Co., Ltd. | Differential LSI space-based probabilistic document classifier |
US6892193B2 (en) * | 2001-05-10 | 2005-05-10 | International Business Machines Corporation | Method and apparatus for inducing classifiers for multimedia based on unified representation of features reflecting disparate modalities |
US7458094B2 (en) * | 2001-06-06 | 2008-11-25 | Science Applications International Corporation | Intrusion prevention system |
US7389537B1 (en) * | 2001-10-09 | 2008-06-17 | Juniper Networks, Inc. | Rate limiting data traffic in a network |
US7484097B2 (en) * | 2002-04-04 | 2009-01-27 | Symantec Corporation | Method and system for communicating data to and from network security devices |
2003
- 2003-08-07: WO, application PCT/GB2003/003468, publication WO2004015954A1; status: Application Discontinuation (not active)
- 2003-08-07: AU, application AU2003251371A, publication AU2003251371A1; status: Abandoned (not active)
- 2003-08-07: CA, application CA002493787A, publication CA2493787A1; status: Abandoned (not active)
- 2003-08-07: EP, application EP03784275A, publication EP1527592A1; status: Withdrawn (not active)
- 2003-08-07: US, application US10/522,919, publication US20060010209A1; status: Abandoned (not active)
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002005072A2 (en) * | 2000-07-07 | 2002-01-17 | Messagelabs Limited | Method of and system for, processing email |
Non-Patent Citations (1)
Title |
---|
HOWLETT D: "SCREENING YOUR E-MAIL CONTENTS", PC USER, LONDON, GB, no. 266, 6 September 1995 (1995-09-06), pages 58, XP000617461 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103096418A (en) * | 2011-11-04 | 2013-05-08 | ZTE Corporation | Access control implementation method and system |
CN103096418B (en) * | 2011-11-04 | 2018-11-27 | ZTE Corporation | A kind of realization method and system of access control |
CN103200618A (en) * | 2012-01-05 | 2013-07-10 | ZTE Corporation | Wireless local area network (WLAN) hotspot function control method and device |
CN103200618B (en) * | 2012-01-05 | 2020-03-10 | ZTE Corporation | Wireless local area network WLAN hotspot function control processing method and device |
EP2814276A1 (en) * | 2012-02-10 | 2014-12-17 | ZTE Corporation | Access authentication method and device for wireless local area network hotspot |
EP2814276A4 (en) * | 2012-02-10 | 2014-12-17 | Zte Corp | Access authentication method and device for wireless local area network hotspot |
US9420461B2 (en) | 2012-02-10 | 2016-08-16 | Zte Corporation | Access authentication method and device for wireless local area network hotspot |
Also Published As
Publication number | Publication date |
---|---|
US20060010209A1 (en) | 2006-01-12 |
AU2003251371A1 (en) | 2004-02-25 |
EP1527592A1 (en) | 2005-05-04 |
CA2493787A1 (en) | 2004-02-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20060010209A1 (en) | Server for sending electronics messages | |
US10326777B2 (en) | Integrated data traffic monitoring system | |
US6507866B1 (en) | E-mail usage pattern detection | |
US6941348B2 (en) | Systems and methods for managing the transmission of electronic messages through active message date updating | |
US7603472B2 (en) | Zero-minute virus and spam detection | |
US9338026B2 (en) | Delay technique in e-mail filtering system | |
US7809796B1 (en) | Method of controlling access to network resources using information in electronic mail messages | |
US7249175B1 (en) | Method and system for blocking e-mail having a nonexistent sender address | |
US9648038B2 (en) | Propagation of viruses through an information technology network | |
US20050081059A1 (en) | Method and system for e-mail filtering | |
US20050251862A1 (en) | Security arrangement, method and apparatus for repelling computer viruses and isolating data | |
AU782333B2 (en) | Electronic message filter having a whitelist database and a quarantining mechanism | |
US8046624B2 (en) | Propagation of viruses through an information technology network | |
US7822818B2 (en) | Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using automated IM users | |
US20080120704A1 (en) | Identifying unwanted electronic messages | |
US20070006026A1 (en) | Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using Bayesian filtering | |
JP2012511842A (en) | Electronic messaging integration engine | |
US20070006027A1 (en) | Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by analyzing message traffic patterns | |
EP1369766B1 (en) | Propogation of viruses through an information technology network | |
US20220239676A1 (en) | Cyber-safety threat detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | WWE | Wipo information: entry into national phase | Ref document number: 2003784275; Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 2493787; Country of ref document: CA |
 | ENP | Entry into the national phase | Ref document number: 2006010209; Country of ref document: US; Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 10522919; Country of ref document: US |
 | WWP | Wipo information: published in national office | Ref document number: 2003784275; Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 10522919; Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: JP |
 | WWW | Wipo information: withdrawn in national office | Country of ref document: JP |