System and methods for detecting malicious email transmission
Abstract
A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
(a) gathering statistics relating to transmission behavior of prior emails relating to a first email account on said computer system; (b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics, wherein said profile comprises a histogram of said normal transmission behavior of email through said computer system; and (c) determining if a violation of email security has occurred by comparing one or more select emails relating to said first email account to said histogram of said not nal transmission behavior.
2 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails comprises gathering statistics relating to the email addresses of emails sent to said first email account.
3 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails comprises gathering statistics relating to the email addresses of email sent by said first email account.
4 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails comprises gathering statistics relating to the number of emails sent by said first email account.
5 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails comprises gathering statistics relating to the transmission of email between said first email account and one or more additional email accounts.
6 . The method according to claim 5 , wherein gathering statistics relating to the transmission behavior of prior emails further comprises gathering statistics relating to the number of emails transmitted between said first email account and said one or more additional email accounts.
7 . The method according to claim 5 , wherein gathering statistics relating to the transmission behavior of prior emails further comprises assigning a unique identifier to each email sent between said first email account and one or more additional email accounts.
8 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails further comprises assigning a unique identifier to each email sent to said first email account.
9 . The method according to claim 1 , wherein gathering statistics relating to the transmission behavior of prior emails further comprises assigning a unique identifier to each email sent by said first email account.
10 . The method according to claim 1 , wherein determining if a violation of email security has occurred further comprises generating a histogram of said one or more select emails.
11 . The method according to claim 10 , wherein comparing further comprises comparing said histogram of said one or more select emails to said histogram of said normal transmission behavior.
12 . The method according to claim 11 , wherein comparing said histogram of said one or more select emails to said histogram of said normal transmission behavior further comprises performing a Mahalanobis distance analysis.
13 . The method according to claim 11 , wherein comparing said histogram of said one or more select emails to said histogram of said normal transmission behavior further comprises performing a Kolmogorov-Simironov test.
14 . The method according to claim 11 , wherein comparing said histogram of said one or more select emails to said histogram of said normal transmission behavior further comprises performing a Chi-square test.
15 . The method according to claim 12 , further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is normal.
16 . The method according to claim 13 , further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is no mal.
17 . The method according to claim 14 , further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is normal.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.