Disclosed embodiments herein relate generally to the filtering of electronic messages transmitted across a computer network, and more particularly to systems and methods for filtering electronic messages suspected of containing zero-hour threats.
A “zero-day” or “zero-hour” vulnerability can be defined as a new vulnerability for which no anti-spam or anti-virus protection (or other appropriate means of protection) yet exists. Nearly every newly discovered vulnerability starts off this way, and in most cases a patch is available before the general public is made aware of the vulnerability. Recently, however, a significant rise in attacks that take advantage of zero-hour vulnerabilities has occurred, leaving a user or system unable to defend against the attack since no patch is available. Accordingly, protection against zero-hour attacks is becoming increasingly desirable.
Unfortunately, current zero-hour protection is limited to zero-hour detection, not zero-hour disposition, of suspect messages. In such conventional approaches, messages suspected of containing zero-hour threats are typically just blocked or quarantined based on a perceived zero-hour threat. However, because of the very nature of zero-hour threats, detection is not very certain, thus resulting in a larger number of false positives when filtering messages. If detection parameters are scaled back in an effort to reduce the number of false positives, then often too many actual threats pass through the filtering system. As a result, since detection alone falls short of adequately protecting against zero-hour threats, the disposition of suspect messages, rather than their detection, is what addresses the false-positive problem.
The zero-hour quarantine disclosed herein, also referred to as the “penalty box,” in its earliest form began as a tool for anti-virus companies to get some advanced heuristics capabilities that would allow flagging an infected file as being suspect prior to having an anti-virus signature published for a particular virus. The suspect file would then go into the zero-hour quarantine and be scanned at a later point in time, giving the anti-virus companies time to create and publish a signature file that would then catch the virus. Disclosed herein is a description of advanced heuristics and message detection techniques for handling the disposition of such messages suspected of containing zero-hour threats.
In one embodiment, a method of filtering electronic messages from a network comprising a sending server and a destination server is provided. In such an embodiment, the method comprises receiving an incoming electronic message from the sending server, examining the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assigning a threat score to the electronic message based on the examination. In addition, the method may comprise disposing of the message according to a comparison of the threat score to first and second thresholds, wherein the message is sent to a permanent quarantine if the assigned threat score passes the first threshold. Alternatively, the message is sent to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or the message is delivered to an intended recipient if the assigned threat score does not pass the first or second threshold.
In another embodiment, a system for filtering electronic messages from a network comprising a sending server and a destination server is provided. In such an embodiment, the system comprises a message handler configured to receive an incoming electronic message from the sending server, and a message filtering process in the message handler. The message filtering process may be configured to examine the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assign a threat score to the electronic message based on the examination. The system may also include a message disposition process in the message handler, where the disposition process is configured to compare the assigned threat score to first and second thresholds. In addition, based on the comparison, the disposition process sends the message to a permanent quarantine if the assigned threat score passes the first threshold, sends the message to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or sends the message to an intended recipient if the assigned threat score does not pass the first or second threshold.
In yet another embodiment, another method of filtering electronic messages from a network comprising a sending server and a destination server is provided. In this embodiment, the method comprises receiving an incoming electronic message from the sending server, examining the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assigning a threat score to the electronic message based on the examination. In addition, such a method may comprise sending the message to a permanent quarantine if the assigned threat score passes the first threshold, sending the message to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or delivering the message to an intended recipient if the assigned threat score does not pass the first or second threshold. Moreover, the method may comprise periodically reexamining the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revising the threat score based on the reexamination. In such an embodiment, the method may then include sending the message to a permanent quarantine if the revised threat score passes the first threshold, keeping the message in the temporary quarantine if the revised threat score does not pass the first threshold but passes the second threshold, or delivering the message to the intended recipient if the revised threat score does not pass the first or second threshold.
In still a further embodiment, another variation of a system for filtering electronic messages from a network comprising a sending server and a destination server is provided. In such an embodiment, the system may comprise a message handler configured to receive an incoming electronic message from the sending server. Also, the system may include a message filtering process in the message handler and configured to examine the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assign a threat score to the electronic message based on the examination. Further, the system may also include a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message to a permanent quarantine if the assigned threat score passes the first threshold, send the message to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or send the message to an intended recipient if the assigned threat score does not pass the first or second threshold. In such an embodiment of the system, the message filtering process may be further configured to periodically reexamine the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revise the threat score based on the reexamination. Additionally, the message disposition process may be further configured to send the message to a permanent quarantine if the revised threat score passes the first threshold, keep the message in the temporary quarantine if the revised threat score does not pass the first threshold but passes the second threshold, or send the message to an intended recipient if the revised threat score does not pass the first or second threshold.
In another aspect, yet another embodiment of a method of filtering electronic messages from a network comprising a sending server and a destination server is provided. In such an embodiment, the method may comprise receiving an incoming electronic message containing an attachment from the sending server, examining the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message, and assigning a threat score to the electronic message or the attachment based on the examination. In addition, such a method may include sending the message and attachment to a permanent quarantine if the assigned threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold. The method may further include periodically reexamining the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revising the threat score based on the reexamination. As used herein, “harmfulness” means the probability that the message, or something associated with the message, may harm a system associated with an intended recipient of an incoming message, such as by rendering it inoperable, hindering its operation, or deleting files or other items from it. Such harmfulness may be determined on a graduated scale, such as a predetermined threshold, and may be influenced by user- or administrator-based settings.
Based on the revised threat score, the method may include sending the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, keeping the message and attachment in the temporary quarantine if the revised threat score does not pass the first threshold but passes the second threshold, or delivering the message and attachment to the intended recipient if the revised threat score does not pass the first or second threshold.
In still another aspect, another embodiment of a system for filtering electronic messages from a network comprising a sending server and a destination server is provided. In such an embodiment, the system may include a message handler configured to receive an incoming electronic message containing an attachment from the sending server. Also, the system may include a message filtering process in the message handler and configured to examine the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message, and assign a threat score to the electronic message or the attachment based on the examination. In addition, such a system may include a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message and attachment to a permanent quarantine if the assigned threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold. Furthermore, the message filtering process may be further configured to periodically reexamine the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revise the threat score based on the reexamination. Additionally, the message disposition process may be further configured to send the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, keep them in the temporary quarantine if the revised threat score does not pass the first threshold but passes the second threshold, or send them to an intended recipient if the revised threat score does not pass the first or second threshold.
Turning briefly back to
Once received in the server cluster 105, the host queries the database 125 to identify the user and user preferences of, for example, the intended recipient of the incoming message(s). This step is represented by Block 210 in the flow diagram of
Among the processing of the incoming messages, a number of various message processing software programs, add-ons, etc. may be available depending on the specific configuration of the system 100. For example,
Good/clean messages 130 are addressed with one or more addresses in accordance with information specified in the user profile, and sent to the outbound mail server cluster to be sent out to a receiving mail server 110 associated with the intended recipient of the good message 130. Such passing of the good messages 130 via outbound mail servers is represented by Block 220 in the diagram of
As discussed above, through the various available filters for incoming messages 120, bad e-mails 135 (e.g., determined to be spam or contain a virus, etc.) are detected. Instead of being delivered to the users, such bad messages 135 are saved in a “permanent” quarantine 145, as illustrated in
In one embodiment, the filtering of messages into the permanent quarantine 145 may be done using a graduated scale with a threshold. In such an embodiment, the filtering system 100 would examine an incoming message based on attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and would then assign a score to the message. This might be called a “spam score” or a “threat score,” and would be based on both the filtering criteria of the system (e.g., virus detection programs, spam detection programs, blacklists, whitelists, greylists, message traffic analyzed by a message management system, etc.) and the user preferences established by the intended recipient of the message. Accordingly, if the threat score assigned to an incoming message passes a predetermined threshold (e.g., exceeds or falls below the threshold, depending on the implemented scale), the attributes of that message have led to the determination that the message should be sent to the permanent quarantine because, according to the current settings and criteria, it is harmful to, or otherwise unwanted by, the user/user's system.
The above-described process for filtering “bad” messages 135 relates to the filtering of messages 135 which have affirmatively been found to be malicious, spam, etc. However, a “zero-hour threat” pertains to those messages which are not positively identifiable (according to a given set of filtering criteria and settings) as harmful or otherwise unwanted by the user when first scanned/examined by the system 100. Since such messages are not positively determined to be a threat upon first inspection, perhaps because a specific virus definition has not yet been created, their immediate sending to the permanent quarantine 145 may be unwarranted. In addition, if the message is later determined to be “good” (e.g., a false positive), the delay in having the message reach the intended recipient once it has been cleared may be costly or generally annoying to the user. Accordingly, the disclosed principles provide a novel technique for handling those messages that are not immediately identifiable as needing filtering, but that may nonetheless pose enough potential risk that further evaluation of the message before simply passing it on to the user is warranted.
As with the filtering of messages into the permanent quarantine 145, filtering of “zero-hour threat messages” may be done using the graduated scale with a second threshold. As discussed above, the filtering system 100 examines an incoming message based on attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and would assign a threat score to the message. As discussed above, if the threat score of a message passes the first threshold, the message would be sent to the permanent quarantine 145. However, if the threat score for the message did not pass that first threshold, but still passed a second threshold, then, according to the current settings and criteria, the attributes of that message have led to the determination that the message still might pose a threat or is harmful to, or otherwise unwanted by, the user/user's system. In such a case, the message would then be sent to a “temporary” or “zero-hour quarantine” 165 (or “penalty box”). Of course, if the attribute(s) of a message do not lead to a threat score that passes either the first or second threshold, then the system 100 has determined that the message does not likely pose a threat and is not likely unwanted, and may therefore be delivered to the intended recipient.
As used herein, the term “temporary quarantine” means that messages deemed to be a potential threat or potentially unwanted are sent there and held on a temporary basis so that they may be rescanned or otherwise reexamined by the system. The reexamination, which is discussed in greater detail below, is done to determine if a message can be positively determined to be a threat to, or unwanted by, the intended recipient. For example, while a message placed in the temporary quarantine 165 because its attachment could be malicious sits there, the filtering modules may be updated with new virus definitions that positively identify that attachment as malicious. In the scaled exemplary system discussed above, the original threat score assigned to the message may not have passed the first threshold, but did pass the second threshold. Thus, the message's attributes were such that some potential threat was detected. Upon reexamination, the updated virus definition may now identify the attachment as a now-known virus, and thus the threat score of the message would be revised to reflect this determination. If the revised threat score now passes the first threshold, the message can be positively identified as malicious, and sent to the permanent quarantine 145 instead.
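The two-threshold disposition described in the embodiments above and in the preceding paragraphs, carried through as an added example (this is illustrative code, not the patent's own implementation). It assumes a scale on which a higher threat score is more suspicious (the disclosure permits either direction), three hypothetical scanner functions standing in for the filtering modules, and constructed messages and a constructed "virus definition" set; the scenario shows a message entering the temporary quarantine, then being moved to the permanent quarantine on re-examination once a definition for its attachment has been published.

```python
"""Two-threshold disposition with a temporary ("penalty box") quarantine and
re-examination. Added illustration; scanners, scores, thresholds and sample
messages are constructed for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Disposition(Enum):
    DELIVER = "deliver"
    TEMPORARY_QUARANTINE = "temporary_quarantine"
    PERMANENT_QUARANTINE = "permanent_quarantine"


@dataclass
class Message:
    msg_id: str
    attachment_is_executable: bool = False
    sender_listed: Optional[str] = None   # "blacklist", "whitelist" or None
    attachment_hash: str = ""             # hypothetical attachment fingerprint
    threat_score: int = 0
    disposition: Optional[Disposition] = None


Definitions = Dict[str, Set[str]]          # e.g. {"virus_signatures": {...}}
Scanner = Callable[[Message, Definitions], int]


def executable_scanner(msg: Message, defs: Definitions) -> int:
    # An executable attachment is suspect on its own but is not proof of harm.
    return 40 if msg.attachment_is_executable else 0


def list_scanner(msg: Message, defs: Definitions) -> int:
    # User/administrator preferences shift the score in either direction.
    return {"blacklist": 60, "whitelist": -30}.get(msg.sender_listed or "", 0)


def signature_scanner(msg: Message, defs: Definitions) -> int:
    # A hit against a published virus definition positively identifies the threat.
    return 100 if msg.attachment_hash in defs["virus_signatures"] else 0


SCANNERS: List[Scanner] = [executable_scanner, list_scanner, signature_scanner]

FIRST_THRESHOLD = 80    # at or above: permanent quarantine
SECOND_THRESHOLD = 30   # at or above, but below the first: temporary quarantine


def compute_threat_score(msg: Message, defs: Definitions) -> int:
    return max(0, sum(scan(msg, defs) for scan in SCANNERS))


def dispose(threat_score: int) -> Disposition:
    """Compare a score to the two thresholds in the order the text describes."""
    if threat_score >= FIRST_THRESHOLD:
        return Disposition.PERMANENT_QUARANTINE
    if threat_score >= SECOND_THRESHOLD:
        return Disposition.TEMPORARY_QUARANTINE
    return Disposition.DELIVER


def filter_message(msg: Message, defs: Definitions) -> Disposition:
    """Initial examination of an incoming message."""
    msg.threat_score = compute_threat_score(msg, defs)
    msg.disposition = dispose(msg.threat_score)
    return msg.disposition


def reexamine(msg: Message, defs: Definitions) -> Disposition:
    """Periodic re-scan of a temporarily quarantined message. The revised score
    meets the same thresholds: move to permanent quarantine, stay, or release."""
    if msg.disposition is not Disposition.TEMPORARY_QUARANTINE:
        raise ValueError(f"{msg.msg_id} is not in the temporary quarantine")
    msg.threat_score = compute_threat_score(msg, defs)
    msg.disposition = dispose(msg.threat_score)
    return msg.disposition


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a definition for attachment 'h-exe-1' is published
    between the first scan and the re-scan."""
    defs: Definitions = {"virus_signatures": set()}
    suspect = Message("m1", attachment_is_executable=True, attachment_hash="h-exe-1")
    trusted = Message("m2", attachment_is_executable=True, sender_listed="whitelist")
    listed = Message("m3", attachment_is_executable=True, sender_listed="blacklist")
    history = {m.msg_id: [filter_message(m, defs).value] for m in (suspect, trusted, listed)}
    defs["virus_signatures"].add("h-exe-1")     # anti-virus vendor ships a signature
    history["m1"].append(reexamine(suspect, defs).value)
    return history


if __name__ == "__main__":
    for msg_id, path in demo().items():
        print(msg_id, " -> ".join(path))
```

The score is clamped at zero so a whitelist cannot push a known-bad attachment below the second threshold: in the scenario, the whitelisted executable is delivered (40 - 30 = 10), but the same sender attaching a file that later matches a signature would still score 110 and go to the permanent quarantine.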
In one example of zero-hour threat prevention in accordance with the disclosed principles, the system 100 may be configured to quarantine any attachment in a message that is an executable file, an executable within another document, or an executable within an archive. Thus, as represented by Block 240 in the diagram of
In order to catch all executables in incoming messages 120, the disclosed zero-hour process may scan attachments in binary scan mode. This could be extended to open up other non-executable documents and archives. In addition, the system may also trap any files that are found in a named list (e.g., MIME type style or extension name) of executables. For example, it is not likely that someone would rename a harmless document to be an executable; it is more likely that someone would rename a harmful executable to something else. The combination of filtering, shown collectively in
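An added example of the two complementary traps described above, binary scan mode and a named list of executable types, extended into ZIP archives and ZIP-based container documents (this is illustrative code, not the patent's implementation). The magic numbers are the standard file headers for PE, ELF, Mach-O and ZIP; the extension list, the depth limit, the member-size cap and the sample attachments are constructed for the example.

```python
"""Trapping executable attachments by content ("binary scan mode"), by a named
list of executable types, and inside archives. Added example; the extension
list and the sample attachments are constructed."""
import io
import zipfile
from typing import Dict, List, Optional

# Constructed 'named list' of executable types (extension-based trap).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd",
                         "msi", "js", "vbs", "ps1"}

# Magic numbers checked regardless of filename (content-based trap).
MAGIC = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"\xfe\xed\xfa\xce", "macho"), (b"\xfe\xed\xfa\xcf", "macho"),
    (b"\xce\xfa\xed\xfe", "macho"), (b"\xcf\xfa\xed\xfe", "macho"),
    (b"\xca\xfe\xba\xbe", "macho-universal"),
    (b"PK\x03\x04", "zip"),   # also .docx/.xlsx/.jar, which are ZIP containers
]
EXECUTABLE_TYPES = {"pe", "elf", "macho", "macho-universal"}
MAX_MEMBER_BYTES = 10_000_000   # do not inflate very large archive members


def binary_type(data: bytes) -> Optional[str]:
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return None


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify_attachment(filename: str, data: bytes,
                        depth: int = 0, max_depth: int = 2) -> Dict:
    """Return {'trap': bool, 'reasons': [...]}; trap is True when the attachment
    should be held for zero-hour handling."""
    reasons: List[str] = []
    kind = binary_type(data)
    if kind in EXECUTABLE_TYPES:
        reasons.append(f"binary scan: {kind} header")
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"named list: .{ext}")
    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"archive member too large to inspect: {member.filename}")
                        continue
                    inner = classify_attachment(member.filename, archive.read(member),
                                                depth + 1, max_depth)
                    reasons.extend(f"in {filename}/{member.filename}: {r}"
                                   for r in inner["reasons"])
        except zipfile.BadZipFile:
            reasons.append("binary scan: ZIP header but archive is unreadable")
    return {"trap": bool(reasons), "reasons": reasons}


def _build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, bool]:
    # Constructed attachments: a PE header renamed to .pdf, an archive hiding the
    # same renamed file, a harmless text file, and a text file named like an exe.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    samples = {
        "invoice.pdf": fake_pe,
        "report.zip": _build_zip({"notes.pdf": fake_pe, "readme.txt": b"hello"}),
        "readme.txt": b"hello",
        "setup.exe": b"plain text",
    }
    return {name: classify_attachment(name, data)["trap"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, trapped in demo().items():
        print(f"{name}: {'trap' if trapped else 'pass'}")
```

The content check is what catches the case the text singles out, a harmful executable renamed to look like a document; the extension list still traps a file whose header is unrecognised but whose name promises execution. Unreadable or oversized archive members are deliberately reported rather than silently skipped, so a deliberately malformed archive cannot slip past the scan by defeating the parser.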
Also, because the disclosed zero-hour threat detection technique may be implemented with an e-mail management system, such as the one mentioned above, the type of attributes of incoming messages that are examined can be expanded, while still based on specific information obtained from the incoming message in question. More specifically, while an attachment or the identified source IP address sending the incoming message may be enough to classify the message as a potential or zero-hour threat, data detected from the message may also be used by such a management system to more accurately assess the potential threat of the message. As a result, even if the incoming message alone does not include an attribute sufficient to trigger the zero-hour threat process, attributes of the message can be used with the broader information provided by the management system. Accordingly, examples of attributes of an incoming message that may be examined by the zero-hour threat system for potential threats include:
Based on the above, in one exemplary configuration of the system 100, zero-hour threat scanning (e.g., advanced heuristics, primitive file typing) would simply be one of the scans in a chain of scans normally done by the intermediate preprocessing service 105 on incoming messages 120. In many embodiments, ‘attachment manager’ scanning 172, anti-virus heuristics 170, filtering based on the network-wide issue detector 174, the manual failsafe override 176, and scan by an anti-spam engine 185 could be used in combination or separately to scan for zero-hour threats. If an ‘attachment manager’ 172 has been enabled for a customer, its file-typing output could be saved and used for zero-hour scanning to optimize processing time. In many embodiments, the zero-hour signature scanning can be made more efficient than anti-virus scanning if it is conducted in front of the anti-virus scans. Detected zero-hour suspect e-mails 160 will go into a quarantine that is separate from “spam” and “virus” quarantine discussed above, and instead will go into the zero-hour quarantine 165 introduced above. In addition, such separate zero-hour quarantine 165 may be illustrated as a separate tab in a graphical user interface (not illustrated) to allow marketing of such zero-hour protection capabilities to users of the overall filtering system 100.
In other embodiments, distinct quarantines for each type of detected unwanted message may be established. For example, if there is a hit with the attachment manager 172 or an anti-spam engine 185, the e-mail could be sent to a ‘spam quarantine.’ If there is a hit with anti-virus scans or the zero-hour signature table, the e-mail could be sent to a ‘virus quarantine.’ If there is a hit with anti-virus heuristics 170, primitive file typing, or a zero-hour anti-virus engine, the e-mail could be sent to the zero-hour quarantine. For these zero-hour messages 160, signatures or hashes of the attachments may be created as they are passed into the zero-hour quarantine 165. To optimize creation of the hash, the zero-hour threat system can be configured to only create a hash on the first ‘n’ and/or last ‘n’ bytes of any attachment. The system can create a job that runs periodically and scans all hashes and “forwards” any attachment with multiple hits to, for example, the service provider's anti-virus ‘administrative quarantine.’ Alternatively, the system can simply forward all zero-hour messages 160 into the anti-virus administrative quarantine.
In addition, customer administrators can forward zero-hour messages 160 to the anti-virus administrator. In fact, in such embodiments, multiple hits on suspect messages may overlap with previously submitted messages. The anti-virus administrator could submit these messages as potential misses to anti-virus vendors. As the anti-virus administrator identifies zero-hour misses, the system could flag the misses and have their signatures deposited into the zero-hour signature table mentioned above. The anti-virus administrator would be able to mark any message deemed a zero-hour miss. Over time, the signatures will be promoted to anti-virus definition files, and thus may be retired from the zero-hour signature table. In such embodiments, if a zero-hour signature has already been retired from the signature table and an anti-virus administrator tries to add it back, a warning message could pop up. In related embodiments, the anti-virus administrator would still be able to override this warning, in case system resources are under attack and it is desirable to save system resources by placing a block before the anti-virus scan engines kick in. This could be implemented on future incoming messages using the manual failsafe override 176.
In addition, the filtering modules 170, 172, 174, 176, 185 may include a network-wide issue detector 174 for even further filtering of incoming messages 120. This detector 174 could be configured to detect if a substantially similar attachment is being transmitted from a large number of sources. For example, if the same file type, with the same or substantially similar file name or size, has been detected as originating from a number of (typically unrelated) source IP addresses, then such an attachment could be deemed harmful or otherwise unwanted. This is because it is unlikely that a number of unrelated sources would be sending out the same attachment to various destinations, unless that attachment is a mass-mailing or other type of spam, or is being involuntarily mailed from these multiple sources (e.g., a replicating virus). In any of these situations, the detector 174 can be configured to filter such attachments (or perhaps the entire messages) as potentially harmful or unwanted.
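An added example covering two related mechanisms described above: the first-and-last-n-bytes attachment hash with a periodic multi-hit job (the zero-hour quarantine discussion) and the network-wide issue detector that flags substantially similar attachments arriving from many unrelated source IP addresses (this is illustrative code, not the patent's implementation). It assumes attachments are presented as (source IP, filename, bytes) records; the records, the size bucket, the name normalisation and the source-count threshold are constructed for the example, and the scenario deliberately shows the blind spot of partial hashing.

```python
"""Partial attachment hashing and a network-wide multi-hit detector.
Added example; the records and thresholds below are constructed."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def partial_hash(data: bytes, n: int = 4096) -> str:
    """SHA-256 over the first n and last n bytes (the whole file when it is no
    longer than 2n). The length is mixed in so equal head/tail at different
    sizes do not collide."""
    h = hashlib.sha256()
    if len(data) <= 2 * n:
        h.update(data)
    else:
        h.update(data[:n])
        h.update(data[-n:])
    h.update(len(data).to_bytes(8, "big"))
    return h.hexdigest()


def normalize_name(filename: str) -> str:
    """Lower-case basename with digit runs collapsed, so 'invoice_1041.exe'
    and 'invoice_7730.exe' count as substantially similar."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    out, prev_digit = [], False
    for ch in base:
        if ch.isdigit():
            if not prev_digit:
                out.append("#")
            prev_digit = True
        else:
            out.append(ch)
            prev_digit = False
    return "".join(out)


Shape = Tuple[str, int]   # (normalized name, size bucket)


class MultiHitDetector:
    """Flags an attachment once substantially the same file has arrived from at
    least `min_sources` distinct source IPs, counted by exact partial hash and,
    separately, by (name pattern, size bucket)."""

    def __init__(self, min_sources: int = 3, size_bucket: int = 1024):
        self.min_sources = min_sources
        self.size_bucket = size_bucket
        self.sources_by_hash: Dict[str, Set[str]] = defaultdict(set)
        self.sources_by_shape: Dict[Shape, Set[str]] = defaultdict(set)

    def record(self, source_ip: str, filename: str, data: bytes) -> Dict:
        digest = partial_hash(data)
        shape: Shape = (normalize_name(filename), len(data) // self.size_bucket)
        self.sources_by_hash[digest].add(source_ip)
        self.sources_by_shape[shape].add(source_ip)
        hash_hits = len(self.sources_by_hash[digest])
        shape_hits = len(self.sources_by_shape[shape])
        return {"hash": digest, "hash_sources": hash_hits, "shape_sources": shape_hits,
                "flag": max(hash_hits, shape_hits) >= self.min_sources}

    def flagged_hashes(self) -> List[str]:
        """What a periodic job would forward to the administrative quarantine."""
        return sorted(h for h, ips in self.sources_by_hash.items()
                      if len(ips) >= self.min_sources)


def demo() -> Dict[str, object]:
    det = MultiHitDetector(min_sources=3)
    payload = b"MZ" + bytes(range(256)) * 80          # constructed 20,482-byte file
    variant = bytearray(payload)
    variant[10_000] ^= 0xFF                            # differs only in the middle
    results = [
        det.record("198.51.100.7", "invoice_1041.exe", payload),
        det.record("203.0.113.15", "invoice_7730.exe", payload),
        det.record("192.0.2.201", "invoice_2.exe", bytes(variant)),
        det.record("203.0.113.15", "photo.jpg", b"\xff\xd8\xff" + b"\x00" * 100),
    ]
    return {"flags": [r["flag"] for r in results],
            "variant_same_hash": results[0]["hash"] == results[2]["hash"],
            "flagged": det.flagged_hashes()}


if __name__ == "__main__":
    print(demo())
```

Counting distinct source IPs rather than messages keeps a single bulk sender from tripping the detector on its own. The scenario also shows the cost of the hashing optimisation the text describes: a byte changed in the middle of the file leaves the first/last-n-bytes hash unchanged, so a polymorphic variant that edits only its middle is still grouped with the original, while a variant that changes its first or last bytes would be caught only by the name-and-size index.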
An automated quarantine summary notification message 155 (if enabled) may be sent out immediately or perhaps at the nearest hour whenever any attachment goes into the penalty box quarantine 165. This is the case since it might be deemed important that customers be aware of the fact that they have a suspect e-mail 160 that has been trapped. Sending such a notification message is illustrated as Block 245 in the diagram in
If the user does not release the suspect message 160, the process passes to Block 320, and the system can retain any unreleased messages 160 in the zero-hour quarantine 165 for a user-specified period of time. The zero-hour system may then re-scan (Block 195 in diagram of
If the message 160 is not re-scanned, it may remain in the zero-hour quarantine 165 until it expires. Message expiration is illustrated in Block 330. If the message 160 does expire, the process for that message 160 would end after that. Message expiration time may again be established by the user, or it may be established by an administrator. These messages 160 are effectively dead and will typically go away upon quarantine expiration. Any dead messages in a quarantine will not typically be subsequently re-scanned 195, but could be if desired. In addition, dead messages could still be able to be forwarded until they roll out of the quarantine, if desired.
At Decision Block 325, if the attachment is re-scanned 195, the process for that message 160 moves to Decision Block 335, where it is determined whether a definite threat is now detected. For example, since the message 160 was held in the zero-hour quarantine 165, a virus definition or some other update may have occurred and the “potential” threat in the message 160 may now be verified as a definite threat based on the updated definitions, spam filters, etc. Such a re-scan 195 may occur for the first time after “n” hours in the penalty box 165. Then, the system could be configured to re-scan every hour, for example. If a threat is detected, the process would move to Block 340 in
In addition, if the re-scanning 195 of the message 160 in the penalty box has not verified a threat and the message 160 is not set for expiration, the re-scanning 195 could be set to continue for those messages 160 that haven't passed the holding period. In re-scan mode, in one embodiment, the system may be configured so that only anti-virus scans take place. When an anti-virus hit is registered, the signature for the zero-hour message can be removed (marked inactive) from the zero-hour signature table since this particular signature or definition is now verified. Alternatively, the system can re-scan 195 against the zero-hour signature table and move failing messages to the virus quarantine 145 upon a hit. The system could be configured to periodically re-scan 195 with both the zero-hour signature and the anti-virus scan engines in order to retire signatures, as well. The signatures may simply be kept in the table to save processing time. If no threat is detected upon re-scanning 195, the message 160 could simply be subject to the user-specified disposition, in accordance with the discussion set forth above and represented by Block 315 of
In yet another embodiment, if a possible zero-hour threat is detected in a message 160, the message 160 (or more likely, the suspect attachment) may be passed to a “sandbox” 190. This optional process is illustrated by Block 350 in
In a Virus Lab, the technicians there can evaluate the attachment, as needed. In the sandbox 190, the suspect executable program is actually executed to see what the program does, such that proper classification of the file(s) may be made. The “behavior” of the program upon execution is monitored to determine if it demonstrates threatening characteristics, such as those typically exhibited by viruses, worms, or other harmful programs. For example, if the program begins to replicate itself, tries to manipulate registry settings, or tries to send itself to other locations, these characteristics are most often associated with the behavior of a harmful program, and thus the file is likely a harmful file. If the sandbox 190 execution reveals that the attachment is likely a harmful program, then the attachment may be stripped from the message, as illustrated in Block 345 of
One benefit of configuring the disclosed zero-hour threat detection process with a sandbox 190 or other attachment analysis process is that the service provider of the detection process may submit such attachments to anti-virus companies for further analysis. In addition, if analysis in the sandbox 190 determines that the attachment is indeed harmful, the service provider could flag it as such in the zero-hour signature table or in its regular virus definitions, etc. If written to a zero-hour signature table, it could then be used as a stop-gap for further incoming messages being filtered, until proper definition files are released by the anti-virus vendors, as discussed above.
Since the system provides the ability to re-scan zero-hour suspect messages 160 multiple times, as well as allowing users to choose a possible disposition of the message 160, the number of false positives seen by conventional zero-hour systems will be reduced or eliminated altogether. The trade-off between delayed delivery of messages and timely delivery of potentially virus-laden messages is something that each customer will have to consider and adjust when enabling this feature. Because re-scanning can be made automatic and combined with disposition management, the problems that can occur when an attachment manager alone is used for this same purpose should not arise. Over time, the customer will adjust the maximum hold periods to fit their business or personal needs.
The disclosed zero-hour system will also have the ability to manually scan the zero-hour quarantined messages 160, publish early filtering (prior to anti-virus vendor definitions) upon virus acknowledgement, and provide that filtering for all customers (not just zero-hour enabled ones). Depending on how the zero-hour quarantine has been set up for specific implementations, either the end users or the system administrators may be managing their quarantines. When a user logs on to the web server 150, a web page is displayed that includes a link for displaying a summary of quarantined messages and/or attachments, including both regular quarantined messages and zero-hour quarantined messages. By clicking on a selected item, the user may be able to view the item and, depending on the attachment type, may be able to view the attachment. If the user so chooses, the user may be allowed to download an item suspected to contain a harmful program after the user has been given appropriate warning.
In view of the above features, a zero-hour quarantine system could be configured such that administrators could have the ability to do one or more of the following:
While various embodiments of the disclosed principles have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of the invention(s) should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with any claims and their equivalents issuing from this disclosure. Furthermore, the above advantages and features are provided in described embodiments, but shall not limit the application of such issued claims to processes and structures accomplishing any or all of the above advantages.
Additionally, the section headings herein are provided for consistency with the suggestions under 37 C.F.R. 1.77 or otherwise to provide organizational cues. These headings shall not limit or characterize the invention(s) set out in any claims that may issue from this disclosure. Specifically and by way of example, although the headings refer to a “Technical Field,” such claims should not be limited by the language chosen under this heading to describe the so-called technical field. Further, a description of a technology in the “Background” is not to be construed as an admission that technology is prior art to any invention(s) in this disclosure. Neither is the “Summary” to be considered as a characterization of the invention(s) set forth in issued claims. Furthermore, any reference in this disclosure to “invention” in the singular should not be used to argue that there is only a single point of novelty in this disclosure. Multiple inventions may be set forth according to the limitations of the multiple claims issuing from this disclosure, and such claims accordingly define the invention(s), and their equivalents, that are protected thereby. In all instances, the scope of such claims shall be considered on their own merits in light of this disclosure, but should not be constrained by the headings set forth herein.
This disclosure claims priority to U.S. Provisional Patent application No. 60/946,054, filed Jun. 25, 2007, which is commonly owned with the present disclosure and incorporated herein in its entirety.
Number | Date | Country
---|---|---
60946054 | Jun 2007 | US