One or more embodiments of the invention are related to the field of data processing and electronic messaging systems. More particularly, but not by way of limitation, one or more embodiments of the invention enable a malware detection system based on stored data that for example uses contact lists and message archives of a messaging system database to determine whether a message presents a potential threat, such as for example a phishing attack.
Existing systems that enable communication of electronic messages include email, instant message, text message, calendar, and audio and video messaging systems. Electronic messages may contain security threats such as attachments with viruses, or phishing attacks with links to websites that attempt to steal sensitive information or malware. Message recipients are often unable or unwilling to protect themselves sufficiently from these threats. Therefore, electronic message security systems have emerged in the art to provide a degree of protection against some threats embedded in messages. For example, systems that automatically scan message attachments for viruses are known in the art.
Threats in web page links, such as phishing attacks, present a more complex challenge. Blocking all links may be impractical. Checking a link prior to sending a message to a recipient provides incomplete protection, since it is possible for a site to become malicious or to be recognized as malicious after the initial check. For improved security there is a need for a system that checks links, and other resources or resource references embedded in electronic messages, at the time the message recipient accesses them. However, this solution presents an additional challenge since message recipients can easily copy and share protected resource references that incorporate security checks. The security checking resources and benefits are therefore made available to anyone. Moreover, security checking resources are consumed on each access to a protected reference; widespread distribution of copies of these protected references can therefore overwhelm security checking system resources such as processor capacity, memory, or network bandwidth. Social media sites and social messaging systems compound this problem because links or other references may be shared instantly with many thousands of users. Ideally the protection offered by a security system should be available only to authorized users of the system. There are no known systems that combine electronic message threat protection with user authorization, in order to limit threat protection to those users that the system intends to protect.
Existing threat protection systems generally analyze electronic messages using rules or threat signatures configured by administrators or obtained from security firms. For example, administrators may configure whitelists of websites known to be legitimate, and blacklists of websites known to be malicious. This approach is time-consuming and resource intensive. Moreover, rules and signatures are frequently out-of-date, providing inadequate threat protection. There are no known systems that create threat rules and signatures dynamically based on the messages previously received or the contacts added to a messaging system database.
For at least the limitations described above there is a need for a malware detection system based on stored data that protects against threats in electronic messages, and that for example uses stored data such as the contacts and message archives of a messaging system database to check a message for potential threats or malware.