Systems and methods for inspecting emails for malicious content
US-10243989-B1 · Mar 26, 2019 · US
Detection and mitigation of time-delay based network attacks
US2019007426A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019007426-A1 |
| Application number | US-201715640381-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 30, 2017 |
| Priority date | Jun 30, 2017 |
| Publication date | Jan 3, 2019 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Systems and methods for mitigation of time-delay based network attacks are provided. According to one embodiment, an email directed to a user of an enterprise and containing a potentially malicious link is received by a mail server of the enterprise. At a first time, a file to which the potentially malicious link points is evaluated within a sandbox environment and a first hash value is generated based on contents of the file. At a second time, a file to which the potentially malicious link points is again evaluated, including downloading the file to which the potentially malicious link points to at the second time and generating a second hash value based on contents of the file. When the two hash values differ, then the file is treated by the mail server as a suspicious or high risk file or is caused to be evaluated within the sandbox environment.
First claim
Opening claim text (preview).
What is claimed is: 1 . A method comprising: receiving, by a mail server of an enterprise, an electronic mail (email) directed to a user of the enterprise and containing a potentially malicious link; at a first time, causing, by the mail server, a file to which the potentially malicious link points at the first time to be evaluated within a sandbox environment and a first hash value to be generated based on contents of the file to which the potentially malicious link points at the first time; at a second time, causing, by the mail server, a file to which the potentially malicious link points to at the second time to be evaluated, including downloading the file to which the potentially malicious link points to at the second time and generating a second hash value based on contents of the file to which the potentially malicious link points to at the second time; when the first hash value and the second hash value differ, then (i) treating, by the mail server, the file to which the potentially malicious link points to at the second time as a suspicious or high risk file or (ii) causing, by the mail server, the file to which the potentially malicious link points to at the second time to be evaluated within the sandbox environment. 2 . The method of claim 1 , wherein the sandbox environment is provided by a sandbox device associated with the enterprise and coupled in communication with the mail server. 3 . The method of claim 2 , wherein when said causing, by the mail server, a file to which the potentially malicious link points at a first time to be evaluated within a sandbox environment results in the file to which the potentially malicious link points at a first time being deemed not to be a threat by the sandbox device, then causing, by the sandbox device, the mail server to deliver the email to the user. 4 . The method of claim 3 , wherein when the first hash value and the second hash value differ, the method further comprises sharing, by the sandbox device, threat information associated with the email with one or more other network security devices providing network security protection on behalf of the enterprise. 5 . The method of claim 3 , wherein when the first hash value and the second hash value differ, the method further comprises sending, by the mail server, a warning email to the user regarding the email possibly linking to malware. 6 . The method of claim 3 , wherein when the first hash value and the second hash value differ, the method further comprises sending, by the mail server, a warning email to an administrator of the mail server regarding the email possibly linking to malware. 7 . The method of claim 2 , wherein said causing, by the mail server, a file to which the potentially malicious link points to at a second time to be evaluated comprises downloading, by the mail server, the file to which the potentially malicious link points to at the second time and generating, by the mail server, a second hash value based on contents of the file to which the potentially malicious link points to at the second time. 8 . The method of claim 7 , wherein the sandbox device periodically performs bulk download of file hash values, which are accessible to the mail server. 9 . The method of claim 7 , wherein said causing, by the mail server, a file to which the potentially malicious link points to at a second time to be evaluated comprises causing, by the mail server, the sandbox device, to perform said downloading and said generating. 10 . The method of claim 1 , wherein the second time comprises a predetermined or configurable amount of time after the first time that is selected to subvert a link evasion technique in which the file to which the potentially malicious link points to at the first time is replaced with another file on or before the second time. 11 . The method of claim 1 , wherein the first hash value and the second hash value are produced by a cryptographic hash function. 12 . A mail server comprising: a non-transitory storage device having embodied therein instructions representing an electronic mail (email) evaluation module; and one or more processors coupled to the non-transitory storage device and operable to execute the email evaluation module to perform a method comprising: receiving an electronic mail (email) directed to a user of an enterprise and containing a potentially malicious link; at a first time, causing a file to which the potentially malicious link points at the first time to be evaluated within a sandbox environment and a first hash value to be generated based on contents of the file to which the potentially malicious link points at the first time; at a second time, causing a file to which the potentially malicious link points to at the second time to be evaluated, including downloading the file to which the potentially malicious link points to at the second time and generating a second hash value based on contents of the file to which the potentially malicious link points to at the second time; when the first hash value and the second hash value differ, then (i) treating the file to which the potentially malicious link points to at the second time as a suspicious or high risk file or (ii) causing the file to which the potentially malicious link points to at the second time to be evaluated within the sandbox environment. 13 . The mail server of claim 12 , wherein the sandbox environment is provided by a sandbox device associated with the enterprise and coupled in communication with the mail server. 14 . The mail server of claim 13 , wherein when said causing a file to which the potentially malicious link points at a first time to be evaluated within a sandbox environment results in the file to which the potentially malicious link points at a first time being deemed not to be a threat by the sandbox device, then deliver the email to the user. 15 . The mail server of claim 12 , wherein when the first hash value and the second hash value differ, the method further comprises sending a notification to the user regarding the email possibly linking to malware. 16 . The mail server of claim 12 , wherein when the first hash value and the second hash value differ, the method further comprises sending an alert an administrator of the mail server regarding the email possibly linking to malware. 17 . The mail server of claim 12 , wherein said causing a file to which the potentially malicious link points to at a second time to be evaluated comprises downloading the file to which the potentially malicious link points to at the second time and generating a second hash value based on contents of the file to which the potentially malicious link points to at the second time. 18 . The mail server of claim 12 , wherein the second time comprises a predetermined or configurable amount of time after the first time that is selected to subvert a link evasion technique in which the file to which the potentially malicious link points to at the first time is replaced with another file on or before the second time. 19 . The mail server of claim 12 , wherein the first hash value and the second hash value are produced by a cryptographic hash function.
Assignees
Inventors
Classifications
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Restricted operating environment · CPC title
involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL] G06F9/4416) · CPC title
service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title
specially adapted for file transfer, e.g. file transfer protocol [FTP] · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2019007426A1 cover?
- Systems and methods for mitigation of time-delay based network attacks are provided. According to one embodiment, an email directed to a user of an enterprise and containing a potentially malicious link is received by a mail server of the enterprise. At a first time, a file to which the potentially malicious link points is evaluated within a sandbox environment and a first hash value is generat…
- Who is the assignee on this patent?
- Fortinet Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Thu Jan 03 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).