-
Publication number: US07979907B2
Publication date: 2011-07-12
Application number: US12338479
Filing date: 2008-12-18
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
-
Publication number: US20090254992A1
Publication date: 2009-10-08
Application number: US12338479
Filing date: 2008-12-18
IPC classification: G06F21/00
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
-
Publication number: US07487544B2
Publication date: 2009-02-03
Application number: US10208432
Filing date: 2002-07-30
IPC classification: G06F21/00
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
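The three records above (US07979907B2, US20090254992A1 and US07487544B2) share one abstract: filter executable attachments, extract byte-sequence features, classify against a rule set derived from known malicious and benign executables, mark the attachment borderline when the two class probabilities are within a threshold, and tell the user to refine the rule set once too many attachments are borderline. The following is an added example of that pipeline; it is not code from the patents. The concrete classifier (naive Bayes over byte n-gram presence with Laplace smoothing), the 0.2 margin, the "more than two borderline" trigger and every byte string in the training set and mailbox are assumptions made for the example.

```python
"""Byte-sequence (n-gram) classification of executable attachments with a
borderline band. Added example, not code from the patents: the classifier,
the margins and all sample byte strings below are assumptions."""
import math
from collections import Counter

MALICIOUS, BENIGN, BORDERLINE = "malicious", "benign", "borderline"

# Constructed stand-ins for PE files: a shared 8-byte header followed by a
# few imported-function names. Real inputs would be the raw attachment bytes.
HEADER = b"MZ\x90\x00\x03\x00\x00\x00"
TRAINING_SET = [
    (HEADER + b"WriteProcessMemory", MALICIOUS),
    (HEADER + b"CreateRemoteThread", MALICIOUS),
    (HEADER + b"VirtualAllocEx", MALICIOUS),
    (HEADER + b"GetMessage", BENIGN),
    (HEADER + b"DispatchMessage", BENIGN),
    (HEADER + b"CreateWindowEx", BENIGN),
]


def byte_ngrams(data, n=2):
    """Byte-sequence features: the set of distinct n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def derive_rule_set(training, n=2):
    """Classification rule set derived from labelled executables: the class
    prior and, per n-gram, how many executables of each class contain it."""
    class_sizes = Counter(label for _, label in training)
    gram_counts = {label: Counter() for label in class_sizes}
    for data, label in training:
        gram_counts[label].update(byte_ngrams(data, n))
    total = sum(class_sizes.values())
    return {
        "n": n,
        "class_sizes": class_sizes,
        "log_prior": {c: math.log(k / total) for c, k in class_sizes.items()},
        "gram_counts": gram_counts,
    }


def posterior(rules, data):
    """P(class | features) for each class, computed in log space."""
    scores = dict(rules["log_prior"])
    for gram in byte_ngrams(data, rules["n"]):
        for label, size in rules["class_sizes"].items():
            seen = rules["gram_counts"][label][gram]
            # Laplace-smoothed P(gram present | class); a gram never seen in
            # training scores 1/(size+2) for every class and carries no evidence.
            scores[label] += math.log((seen + 1) / (size + 2))
    top = max(scores.values())
    z = sum(math.exp(s - top) for s in scores.values())
    return {label: math.exp(s - top) / z for label, s in scores.items()}


def classify(rules, data, margin=0.2):
    """Label an attachment, or BORDERLINE when the malicious and benign
    probabilities differ by less than the margin."""
    p = posterior(rules, data)
    if abs(p[MALICIOUS] - p[BENIGN]) < margin:
        return BORDERLINE
    return max(p, key=p.get)


def is_executable(filename, content):
    """Attachment filter: match on the PE 'MZ' magic as well as the
    extension, so a renamed .exe is not waved through."""
    return content[:2] == b"MZ" or filename.lower().endswith((".exe", ".dll", ".scr"))


def scan_attachments(rules, attachments, max_borderline=2):
    """Classify every executable attachment. Returns the per-attachment
    labels and whether the number of borderline cases exceeds max_borderline,
    i.e. whether the user should be told to refine the rule set."""
    labels = {name: classify(rules, body)
              for name, body in attachments if is_executable(name, body)}
    borderline = sum(1 for v in labels.values() if v == BORDERLINE)
    return labels, borderline > max_borderline


if __name__ == "__main__":
    rules = derive_rule_set(TRAINING_SET)
    mailbox = [  # constructed attachments
        ("invoice.exe", HEADER + b"WriteProcessMemory\x00VirtualAllocEx"),
        ("notes.txt", b"plain text, not scanned"),
        ("tool.exe", HEADER), ("setup.scr", HEADER), ("patch.exe", HEADER),
    ]
    print(scan_attachments(rules, mailbox))
```

An attachment consisting only of the header carries n-grams present in every training sample, so both class probabilities come out equal and it lands in the borderline band; three such attachments in one mailbox trip the refine-the-rule-set signal. Byte n-grams of this kind are cheap to extract but also cheap for an adversary to pad or pack away, which is why the borderline count is worth watching as a drift signal rather than only as a per-file verdict.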
-
Publication number: US07657935B2
Publication date: 2010-02-02
Application number: US10222632
Filing date: 2002-08-16
CPC classification: H04L63/1425 , H04L51/12 , H04L63/145
Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
-
Publication number: US08443441B2
Publication date: 2013-05-14
Application number: US12633493
Filing date: 2009-12-08
IPC classification: G06F21/00
CPC classification: H04L63/1425 , H04L51/12 , H04L63/145
摘要: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
-
Publication number: US20100169970A1
Publication date: 2010-07-01
Application number: US12633493
Filing date: 2009-12-08
CPC classification: H04L63/1425 , H04L51/12 , H04L63/145
摘要: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
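The three records above (US07657935B2, US08443441B2 and US20100169970A1) share one abstract: build a model of prior email transmission, one form of which groups recipients into cliques, and report a policy violation when the recipients of a new email fall into more than one clique. The following is an added example of that clique model; it is not code from the patents. The choice of co-recipient graph, the use of maximal cliques (Bron-Kerbosch), the decision rule "the known recipients do not all fit in a single clique" and the sample mail log are assumptions made for the example; the abstract does not say how cliques are formed or how never-seen addresses are treated.

```python
"""Clique model of prior email traffic and the policy-violation check.
Added example, not code from the patents: the clique construction, the
decision rule and the sample mail log are assumptions."""
from itertools import combinations

# Constructed log of one account's prior outgoing mail: each entry is the
# recipient set of one message. Work contacts and family contacts never
# appear on the same message.
PRIOR_EMAILS = [
    {"alice@corp.example", "bob@corp.example", "carol@corp.example"},
    {"alice@corp.example", "bob@corp.example"},
    {"bob@corp.example", "carol@corp.example"},
    {"mom@home.example", "dad@home.example"},
    {"mom@home.example", "dad@home.example", "sis@home.example"},
]


def corecipient_graph(emails):
    """Undirected graph whose edges join addresses that have shared a
    recipient list on at least one prior email."""
    graph = {}
    for recipients in emails:
        for r in recipients:
            graph.setdefault(r, set())
        for a, b in combinations(recipients, 2):
            graph[a].add(b)
            graph[b].add(a)
    return graph


def maximal_cliques(graph):
    """All maximal cliques of the graph (Bron-Kerbosch with pivoting)."""
    found = []

    def expand(r, p, x):
        if not p and not x:
            found.append(frozenset(r))
            return
        pivot = max(p | x, key=lambda v: len(graph[v] & p))
        for v in list(p - graph[pivot]):
            expand(r | {v}, p & graph[v], x & graph[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(graph), set())
    return found


def build_model(prior_emails):
    """Model of prior transmission: the recipient cliques seen so far."""
    return maximal_cliques(corecipient_graph(prior_emails))


def check_email(model, recipients):
    """Apply the model to one outgoing email. Violation: the previously seen
    recipients do not all fit inside a single clique, i.e. the message spans
    more than one clique. Never-seen addresses are reported separately and
    do not by themselves count as a violation (an assumption of this example)."""
    recipients = set(recipients)
    known = recipients & set().union(*model)
    touched = [c for c in model if c & known]
    violation = bool(known) and not any(known <= c for c in model)
    return {
        "violation": violation,
        "cliques_touched": len(touched),
        "unknown": sorted(recipients - known),
    }


if __name__ == "__main__":
    model = build_model(PRIOR_EMAILS)
    # A mass mailing to the whole address book crosses both cliques.
    print(check_email(model, ["alice@corp.example", "mom@home.example"]))
```

On the constructed log the model is two disjoint cliques, so a message to one work colleague and one family member is flagged while a message to two colleagues is not. Overlapping cliques are handled by the same subset test: a recipient set that sits entirely inside any one maximal clique passes, whichever other cliques its members also belong to.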