Proactive protection against e-mail worms and spam

No: 7373664
Application no: 10321079
Filed date: 2002-12-16
Issue date: 2008-05-13
Kind: B2
Claims: 24
Drawing sheets: 7
Abstract: Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.
US Classes:
	No:713 - Electrical computers and digital processing systems: support / No:188 - COMPUTER VIRUS DETECTION BY CRYPTOGRAPHY
Inventors:
	Kissel Timo S. (2)
Primary examiner: Vu Kim
Assistant examiner: Patel Nirav
Agents:
	Fenwick & West LLP} (ORG) (556)
Assignees:
	Symantec Corporation} (ORG) (95)
Field of search:
	No:26 - Artificial intelligence (e.g., diagnostic expert system)
	No:25 - Fault locating (i.e., diagnosis or testing)
	No:100 - DATA PROCESSING SYSTEM ERROR OR FAULT HANDLING
	No:192 - In video or image signal
	No:194 - By mathematical attenuation (e.g., weighting, averaging)
	No:193 - By threshold comparison
	No:182 - Performance or efficiency evaluation
	No:25 - Learning method
	No:15 - NEURAL NETWORK
	No:47 - Rule-based reasoning system
	No:20 - Classification or recognition
	No:26
	No:25
	No:100
	No:203 - Client/server
	No:224 - Computer network monitoring
	No:225 - Computer network access regulating
	No:224.1
	No:223.5
	No:223.225
	No:223 - Computer network managing
	No:207 - Priority based messaging
	No:206 - Demand based messaging
	No:154 - Including filtering based on content or address
	No:153 - Particular node (e.g., gateway, bridge, router, etc.) for directing data and applying cryptography
	No:168 - Particular communication authentication technique
	No:188 - COMPUTER VIRUS DETECTION BY CRYPTOGRAPHY
Other references:
	outlook.spambully.com web pages [online]. Spam Bully [retrieved Jan. 16, 2003]. Copyright 2002. Retrieved from the Internet: .
	cauce.org web pages [online]. Coalition Against Unsolicited Commercial Email [retrieved Mar. 17, 2003]. Retrieved from the Internet: .
	“Enterprise Protection Strategy”, Trend Micro, Inc.; [online]; retrieved on Dec. 3, 2002. Retrieved from the internet:
	“How To Test Outbreak Commander”; Trend Micro, Inc., Aug. 2002, pp. 1-13, Cupertino, CA.
References:
	5495607
	5675710
	5694569
	5819226
	5826249
	5832208
	5832527
	5884033
	6006242
	6023723
	6052709
	6072942
	6088803
	6125459
	6161130
	6167434
	6253169
	6298351
	6347310
	6370526
	6397200
	6397215
	6401122
	6421709
	6424960
	6442606
	6456991
	6493007
	6502082
	6505167
	6546416
	6721721
	6732273
	6751789
	6757830
	6772346
	6778941
	6792412
	Method and system for detecting viruses on handheld computers
	Computer virus detection
	Communications architecture for intelligent electronic devices
	Copy/paste mechanism and paste buffer that includes source information for copied data
	System and method for risk detection and analysis in a computer network
	System, method and computer program product for process-based selection of virus detection actions
	Filter driver for identifying disk files by analysis of content

Proactive protection against e-mail worms and spam

No:

Application no:

Filed date:

Issue date:

Kind:

Claims:

Drawing sheets:

Abstract:

US Classes:

No:713 - Electrical computers and digital processing systems: support / No:188 - COMPUTER VIRUS DETECTION BY CRYPTOGRAPHY

Inventors:

Primary examiner:

Assistant examiner:

Agents:

Assignees:

Field of search:

No:26 - Artificial intelligence (e.g., diagnostic expert system)

No:25 - Fault locating (i.e., diagnosis or testing)

No:100 - DATA PROCESSING SYSTEM ERROR OR FAULT HANDLING

No:192 - In video or image signal

No:194 - By mathematical attenuation (e.g., weighting, averaging)

No:193 - By threshold comparison

No:182 - Performance or efficiency evaluation

No:25 - Learning method

No:15 - NEURAL NETWORK

No:47 - Rule-based reasoning system

No:20 - Classification or recognition

No:26

No:25

No:100

No:203 - Client/server

No:224 - Computer network monitoring

No:225 - Computer network access regulating

No:224.1

No:223.5

No:223.225

No:223 - Computer network managing

No:207 - Priority based messaging

No:206 - Demand based messaging

No:154 - Including filtering based on content or address

No:153 - Particular node (e.g., gateway, bridge, router, etc.) for directing data and applying cryptography

No:168 - Particular communication authentication technique

No:188 - COMPUTER VIRUS DETECTION BY CRYPTOGRAPHY

Other references:

outlook.spambully.com web pages [online]. Spam Bully [retrieved Jan. 16, 2003]. Copyright 2002. Retrieved from the Internet: .

cauce.org web pages [online]. Coalition Against Unsolicited Commercial Email [retrieved Mar. 17, 2003]. Retrieved from the Internet: .

“Enterprise Protection Strategy”, Trend Micro, Inc.; [online]; retrieved on Dec. 3, 2002. Retrieved from the internet:

“How To Test Outbreak Commander”; Trend Micro, Inc., Aug. 2002, pp. 1-13, Cupertino, CA.

References:

5495607

5675710

5694569

5819226

5826249

5832208

5832527

5884033

6006242

6023723

6052709

6072942

6088803

6125459

6161130

6167434

6253169

6298351

6347310

6370526

6397200

6397215

6401122

6421709

6424960

6442606

6456991

6493007

6502082

6505167