logo

For the Inventor, By the Inventor

The patent badge is an abbreviated version of the USPTO patent document. The patent badge does contain a link to the full patent document.

The patent badge is an abbreviated version of the USPTO patent document. The patent badge covers the following: Patent number, Date patent was issued, Date patent was filed, Title of the patent, Applicant, Inventor, Assignee, Attorney firm, Primary examiner, Assistant examiner, CPCs, and Abstract. The patent badge does contain a link to the full patent document (in Adobe Acrobat format, aka pdf). To download or print any patent click here.

Patent No.:

US 8438638 B1

PDFFull Text
Date of Patent:
May. 07, 2013

Filed:

Apr. 08, 2010

Bot-network detection based on simple mail transfer protocol (smtp) characteristics of e-mail senders within ip address aggregates

Applicants:

Willa Ehrlich, Highland Park, NJ (US);

David Hoeflin, Middletown, NJ (US);

Danielle Liu, Morganville, NJ (US);

Chaim Spielman, Spring Valley, NY (US);

Stephen K. Wood, Whitehouse Station, NJ (US);

Inventors:

Willa Ehrlich, Highland Park, NJ (US);

David Hoeflin, Middletown, NJ (US);

Danielle Liu, Morganville, NJ (US);

Chaim Spielman, Spring Valley, NY (US);

Stephen K. Wood, Whitehouse Station, NJ (US);

Assignee:

AT&T Intellectual Property I, L.P., Atlanta, GA (US);

Attorney:

Wolff & Samson PC

Primary Examiner:

Shin-Hon Chen

Int. Cl.
CPC ...
H04L 29/06 (2006.01); G06F 11/00 (2006.01); G06F 12/14 (2006.01); G06F 12/16 (2006.01); G08B 23/00 (2006.01);
U.S. Cl.
CPC ...
Abstract

A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers. Bot likelihood scores are determined for the resulting IP-address-aggregate-categories based on historically known bot IP addresses.

Find Patent Forward Citations

Loading…