
Method and Process for E-mail Servers to Handle Anomalies Common in Virus Spreading Situations

IP.com Disclosure Number: IPCOM000011468D
Original Publication Date: 2003-Feb-24
Included in the Prior Art Database: 2003-Feb-24
Document File: 2 page(s) / 44K

Publishing Venue

IBM

Abstract

Recognition of abnormal patterns of e-mail activity for users can be used as a criterion to avoid the spread of viruses and worms.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 44% of the total text.


A great many people rely on e-mail in their lives for various purposes. E-mail has become a critical communication medium for work as well as for personal communication between individuals. Not only do we communicate simple text by e-mail these days, but it has also become an important transport mechanism for other data such as pictures, sound files, spreadsheets and various other data, which we refer to as attachments. The ease with which we can move attachments as part of e-mail messages from person to person, over great distances, across a patchwork network, and through security screens such as firewalls, has revolutionized the way a great number of us live.

Unfortunately, this reliance on e-mail has opened an opportunity for people who like to cause disruption and trouble for others. The problem is that 'attachments' are often nothing more than 'programs'. Programs can be written to do damaging things such as erase files, retrieve and return confidential information, or even take over the computer and use it in attacks on other computers, for example, to enact distributed denial of service attacks. The common mode of transport for these damaging programs these days is as e-mail attachments. When the attachment program is run, it looks up people in the user's e-mail directory and forwards a copy of itself to many of them before doing whatever it was designed to do to the local system. This allows rapid proliferation of the virus code. It's becoming increasingly common for these viruses to propagate all over the world, infecting thousands to millions of computers and causing millions of dollars in lost productivity (or recreation) time for individuals. In extreme cases, entire company networks are shut down, stopping the company dead in its tracks while the situation is resolved.

Until now, the solution to this problem has been virus-scanning software. Software in this category has done a good job of keeping these viruses somewhat in check, but increasingly the viruses are multiplying faster and virus-scanning software is having a hard time keeping up. Therefore, while not a replacement for virus-scanning software, we propose a supplemental tool to help with controlling this situation.

The problem with virus scanning is that it attacks the problem too late. Virus-scanning software checks an end user's computer and eliminates viruses from it. By the time the virus scan runs, the system is often already infected. We propose an additional, customizable security layer at the e-mail server level. E-mail doesn't go directly from one user's computer to another. It gets to its destination through servers. We propose adding a metadata facility to these servers such that a user's "typical" e-mailing practices can be tracked. By tracking anomalies in e-mailing patterns, servers should often be able to detect when a virus is being propagated. We propos...
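
One way a server could act on the anomaly tracking proposed above, as an added example that is not taken from the disclosure: it keeps each sender's typical recipients-per-window as metadata and flags a window in which one attachment goes to far more recipients than that baseline. The window length, thresholds, event tuple layout and the `detect_anomalies` name are assumptions, since the abbreviated text does not specify them.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 300        # seconds per observation window (assumed)
MIN_HISTORY = 5     # windows needed before a sender has a baseline (assumed)
K = 3.0             # standard deviations above the mean that count as abnormal
FLOOR = 10          # never flag a fan-out of this many recipients or fewer

def detect_anomalies(events):
    """events: iterable of (unix_ts, sender, [recipients], attachment_digest|None).
    Returns [(sender, window_start, fanout, threshold)] for abnormal windows."""
    # sender -> window_start -> attachment digest -> set of recipients
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for ts, sender, rcpts, digest in events:
        start = ts - ts % WINDOW
        buckets[sender][start][digest].update(rcpts)

    flagged = []
    for sender, windows in buckets.items():
        baseline = []                      # the sender's "typical" fan-out history
        for start in sorted(windows):
            by_digest = windows[start]
            total = len(set().union(*by_digest.values()))
            # Largest number of people sent the *same* attachment in this window.
            same_att = max((len(r) for d, r in by_digest.items() if d), default=0)
            if len(baseline) >= MIN_HISTORY:
                threshold = max(FLOOR, mean(baseline) + K * pstdev(baseline))
                if same_att > threshold:
                    flagged.append((sender, start, same_att, threshold))
                    continue               # keep outbreak traffic out of the baseline
            baseline.append(total)
    return flagged

def sample_events():
    """Constructed sample: alice mails 1-3 recipients per window, then a burst."""
    ev = []
    for i in range(8):                     # eight normal windows, no attachment
        rcpts = [f"peer{j}@example.org" for j in range(1 + i % 3)]
        ev.append((i * WINDOW, "alice@example.org", rcpts, None))
    burst = [f"contact{j}@example.org" for j in range(40)]
    for j in range(0, 40, 10):             # same attachment, 40 recipients, one window
        ev.append((8 * WINDOW + j, "alice@example.org", burst[j:j + 10], "digest-A"))
    ev.append((8 * WINDOW, "bob@example.org", ["alice@example.org"], "digest-B"))
    return ev

if __name__ == "__main__":
    for sender, start, fanout, threshold in detect_anomalies(sample_events()):
        print(f"{sender} window={start} same-attachment fan-out={fanout} "
              f"(threshold {threshold:.1f}): hold for review")
```

Flagged windows are kept out of the sender's baseline so that an outbreak does not raise the threshold for the next one.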