
Aggregated detection of virus patterns in a large email infrastructure

IP.com Disclosure Number: IPCOM000029504D
Original Publication Date: 2004-Jul-01
Included in the Prior Art Database: 2004-Jul-01
Document File: 3 page(s) / 61K

Publishing Venue

IBM

Abstract

Disclosed is a way to stop viruses that are spread via email attachments BEFORE the virus has a known signature.


Page 1 of 3

Aggregated detection of virus patterns in a large email infrastructure

Disclosed is a way to stop propagating viruses that are spread via email attachments BEFORE the virus has a known signature.

The idea is to create a watchdog program residing on a mail server that will monitor and detect patterns in transmitted email file attachments. When anomalies occur, a particular action can be taken. For example, on any given work day, a large email infrastructure's mail server may route half a million pieces of mail. Some portion of those mail transmissions will contain file attachments. The mail server antivirus software scans every file attached to a memo, but it does not catch the initial spread of a virus because the new virus does not yet have a known pattern (aka signature) to detect. Taking action based upon increased volume and/or predictable virus spreading/transmission patterns would be an effective first response to halting the spread of viruses. The action taken can be halting or delaying delivery, sending the attachment in for review, or simply notifying administrators.

This invention monitors the file name and/or file characteristics of the attachments being transmitted through the servers' mailboxes. There will be detectable patterns of file names as a virus propagates within the email systems. For example, within a large enterprise mail system, during a normal day with no new viruses spreading, we may see a single legitimate file transmitted 1-200 times among 8,500 users. The file might be identifiable by a unique filename. The transmission would happen slowly, as one person receives a memo with an attachment, reads the memo/attachment and acts upon it by forwarding it to a single person or multiple persons. Most likely a single user will receive the file one time, perhaps 2-3 times.

During times of virus propagation, a new virus can be released and quickly spread via email attachments. Server traffic may indicate that the same file has been uniquely transmitted 2,000 times in a very short time period, and very often a single user will receive the file multiple times.

Virus-propagated files are often sent multiple times in a very short time period. When a human being forwards a file to 50 users, it is generally sent as one email memo to 50 users in a distribution list (i.e., one 'send' function to 50 users).

Viruses often propagate themselves as 50 individual email memos to 50 individual users (i.e., 50 'send' functions to 50 users). Of those 50 users, some portion of the email recipients will become infected with the virus and keep it spreading, and a virus propagation pattern emerges. The net result is that virus transmission patterns are detectable. During virus spreading periods there may be a noticeable increase in traffic, and there...
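As an added illustration, not part of the disclosure, the following Python check applies the three patterns described above (burst volume of one attachment name, the same user receiving it repeatedly, and one message per recipient rather than one message to a distribution list) to constructed mail log records. The record layout, the use of a message id to tell individual sends apart, and the thresholds and window size are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per delivery to one mailbox: (time, message id,
# sender, recipient, attachment). A human forwards budget.xls once to four users (one message id).
SAMPLE_LOG = [
    ("2004-07-01 09:00:00", "m1", "alice", "bob", "budget.xls"),
    ("2004-07-01 09:00:00", "m1", "alice", "carol", "budget.xls"),
    ("2004-07-01 09:00:00", "m1", "alice", "dave", "budget.xls"),
    ("2004-07-01 09:00:00", "m1", "alice", "erin", "budget.xls"),
]
# Constructed worm burst: six infected users each send readme.exe as a separate
# message to the other five, so every user receives the same file five times.
_USERS = ["bob", "carol", "dave", "erin", "frank", "grace"]
for _i, _s in enumerate(_USERS):
    for _n, _r in enumerate(u for u in _USERS if u != _s):
        SAMPLE_LOG.append((f"2004-07-01 09:{_i:02d}:00", f"w{_i}{_n}", _s, _r, "readme.exe"))

def analyze(records, window=timedelta(minutes=30), volume_threshold=20, repeat_threshold=3):
    """Return {attachment name: [signals]} for attachments showing propagation patterns."""
    by_file = defaultdict(list)
    for ts, mid, sender, rcpt, name in records:
        by_file[name].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mid, sender, rcpt))
    alerts = {}
    for name, rows in by_file.items():
        rows.sort()
        signals = []
        # Pattern 1: peak number of deliveries of this file inside any sliding window.
        peak, start = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= volume_threshold:
            signals.append(f"volume:{peak}")
        # Pattern 2: a single user receiving the same file several times.
        per_rcpt = defaultdict(int)
        for _, _, _, rcpt in rows:
            per_rcpt[rcpt] += 1
        worst = max(per_rcpt.values())
        if worst >= repeat_threshold:
            signals.append(f"repeat:{worst}")
        # Pattern 3: one message per recipient (50 'sends' to 50 users), not one message to a list.
        msgs = len({mid for _, mid, _, _ in rows})
        if len(rows) >= 10 and msgs / len(rows) > 0.8:
            signals.append(f"individual_sends:{msgs}/{len(rows)}")
        if signals:
            alerts[name] = signals
    return alerts
```

With the constructed records, budget.xls raises no signal while readme.exe trips all three; in practice the thresholds would be tuned against the baseline traffic the disclosure describes (1-200 transmissions of a legitimate file per day).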