One major issue facing modern communications systems, such as the Internet, is the prevalence and propagation of spam and/or scam electronic mail (e-mail), e-mail and/or files that include malicious content, and various other forms of malware that are propagated via e-mail, instant messages (IMs), or any other forms of file transfer from computing system to computing system and/or from web-pages/web-based functions to computing systems.
Herein, malicious content includes, but is not limited to: any content that promotes and/or is associated with fraud; any content that promotes and/or is associated with various financial scams; any content that promotes and/or is associated with any criminal activity; and/or any content that promotes and/or is associated with harmful and/or otherwise undesirable content, whether illegal in a given jurisdiction or not.
Herein, spam includes any messages, such as, but not limited to e-mail or instant messages, that are not desired by the intended receiver of the message.
Herein, malware includes, but is not limited to, any software and/or code designed to infiltrate a user's computing system without the user's informed and/or explicit consent. Some of the better known forms of malware include computer viruses and spyware.
Herein, spam, scam e-mails, malicious content containing messages and/or files, and malware, and/or any data and/or files obtained from and/or through one or more computing systems, and/or one or more websites, web-pages, and/or web-based functions, and/or from any other source, are collectively referred to as “undesirable content” and/or “e-mails”, “IMs”, and/or “files” containing undesirable content.
In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or “stages”, with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence. However, each filter/stage of a multiple filter/stage security system has an associated filter/stage cost. This filter/stage cost is typically made up of, but is not limited to, one or more of the following filter/stage cost components: the cost of capital equipment necessary to implement the given filter/stage, e.g., the cost of the servers, routers, and other hardware necessary to implement the given filter/stage; the hosting costs associated with the given filter/stage, such as data center costs associated with the given filter/stage; the processing costs associated with the given filter/stage, e.g., the processor time and/or cycles associated with implementing the given filter/stage; database access and access time associated with implementing the given filter/stage; disk access time associated with implementing the given filter/stage; Input/Output (I/O) latencies associated with implementing the given filter/stage; and/or various other costs associated with implementing each filter/stage.
As a result of the costs associated with implementing each filter/stage of a multiple filter/stage security system, once a given e-mail, IM, or file is blocked/filtered by a given filter/stage, the given e-mail, IM, or file is typically taken out of the filtering sequence of the multiple filter/stage security system to avoid wasting further filtering resources on a determined problematic e-mail, IM, or file.
Currently, the order in which each filter/stage of a multiple filter/stage security system is applied, i.e., the sequence of the filters/stages of a multiple filter/stage security system a given e-mail, IM, or file is subjected to, is typically statically defined, often based on the known environment at the time the multiple filter/stage security system is initially implemented. Then, once the multiple filter/stage security system is implemented, the sequence in which each filter/stage of a multiple filter/stage security system is applied remains the same unless the order in which each filter/stage of a multiple filter/stage security system is applied is manually changed/updated.
Given the highly dynamic nature, volume, and variety of undesirable content currently being propagated, this static nature of currently available multiple filter/stage security systems often results in significant amounts of resources being inefficiently, and often ineffectively, allocated. For instance, as particular types of threats, such as viruses, surface, and/or the nature of the most significant threat changes, such as a shift from virus threats to spam-based issues, a static multiple filter/stage security system may waste significant amounts of time and other resources performing virus checks on e-mails that will eventually be deemed to be spam at a later filter/stage, and therefore will be discarded anyway.
In addition, the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with.
As a simple example, a given user may initially purchase and implement a multiple filter/stage security system for the purpose of virus detection/blocking, and perhaps a specific type of malware, such as a Trojan, that is prevalent at the time of purchase. However, as a new company, with a relatively unknown e-mail address, the user may be less concerned with spam. As a result, the initial set up of a multiple filter/stage security system for the user may include a sequence whereby a given e-mail, IM, or file is first subjected to a virus detection/blocking filter/stage and then a spam detection/blocking filter/stage. It may further be the case that the cost of the virus detection/blocking filter/stage, in terms of the one or more filter/stage cost components discussed above, is relatively high while the cost of the spam detection/blocking filter/stage is relatively low. However, given the user's emphasis on virus protection desired at the time of implementation of the multiple filter/stage security system, the initial sequence may be desirable. Over time, and in some cases a relatively short period of time, it is quite possible that spam will become a far bigger issue for the user than viruses and/or it may be that many viruses are now being transmitted via spam. As a result of this change in circumstances, and the nature of the threat to this user, it might be highly advantageous to change the sequence of the multiple filter/stage security system so that the relatively low cost spam detection/blocking filter/stage is implemented before the relatively high cost virus detection/blocking filter/stage. This is particularly true given that, in this specific example, many viruses, i.e., those included in spam, would be blocked by application of the spam detection/blocking filter/stage before resources were used to analyze and perform virus detection/blocking.
However, using currently available multiple filter/stage security systems, the initial sequence is basically static until manually changed and it is highly unlikely, using currently available multiple filter/stage security systems, that the user would ever even become aware of the change in circumstances and/or nature of the threat. Consequently, using currently available multiple filter/stage security systems, the user would continue to perform the costly, and now largely unnecessary, virus detection/blocking filter/stage on e-mails, IMs, and/or files that will eventually be blocked at the relatively “cheap” spam detection/blocking filter/stage anyway.
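The cost argument in the example above, worked through as an added illustration that is not part of the original text: it totals the per-message stage cost of each possible sequence over a traffic sample, with a message leaving the sequence at the first stage that blocks it. The stage costs and both traffic mixes are constructed assumptions, and the exhaustive search over orderings generalizes the two-stage case to any number of stages.

```python
from itertools import permutations

# Constructed per-message stage costs in arbitrary units (assumption, not from the text):
# the virus stage is "relatively high" cost, the spam stage "relatively low".
STAGE_COST = {"virus": 10.0, "spam": 1.0}


def make_traffic(clean, spam_only, virus_only, spam_with_virus):
    """Constructed sample: each message is the set of stages that would block it."""
    return ([frozenset()] * clean
            + [frozenset({"spam"})] * spam_only
            + [frozenset({"virus"})] * virus_only
            + [frozenset({"spam", "virus"})] * spam_with_virus)


def sequence_cost(order, traffic, cost=STAGE_COST):
    """Total cost of one stage order; a blocked message skips all later stages."""
    total = 0.0
    for blocked_by in traffic:
        for stage in order:
            total += cost[stage]          # the stage runs, so its cost is paid
            if stage in blocked_by:
                break                     # blocked: taken out of the sequence
    return total


def cheapest_order(traffic, cost=STAGE_COST):
    """Exhaustively compare every ordering of the stages on this traffic."""
    return min(permutations(cost), key=lambda o: sequence_cost(o, traffic, cost))


# At install: viruses dominate, little spam (constructed mix of 1000 messages).
AT_INSTALL = make_traffic(clean=690, spam_only=10, virus_only=290, spam_with_virus=10)
# Later: spam dominates and most viruses now arrive inside spam (constructed).
LATER = make_traffic(clean=400, spam_only=500, virus_only=10, spam_with_virus=90)

if __name__ == "__main__":
    for name, traffic in (("at install", AT_INSTALL), ("later", LATER)):
        for order in permutations(STAGE_COST):
            print(f"{name:10s} {' -> '.join(order):14s} {sequence_cost(order, traffic):8.0f}")
        print(f"{name:10s} cheapest: {' -> '.join(cheapest_order(traffic))}")
```

On the later mix, the statically configured virus-first order costs more than twice the spam-first order, because the expensive stage keeps running on messages the cheap stage would have removed.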
As another simple example, spam, or other undesired content, may change its nature over time from primarily text-based to primarily image-based. As a result, an initial set up of a multiple filter/stage security system may include a text-based detection/blocking filter/stage that is initially effective at the time of installation, and is relatively low “cost”. However, as the nature of the spam, or other undesired content, changes from primarily text-based to primarily image-based, the text-based detection/blocking filter/stage may prove less effective than an image-based detection/blocking filter/stage, despite a higher “cost” of the image-based detection/blocking filter/stage. In this instance, it might be in the user's best interest to implement the image-based detection/blocking filter/stage before, or as a replacement for, the text-based detection/blocking filter/stage, despite the higher “cost” of the image-based detection/blocking filter/stage. However, once again using currently available multiple filter/stage security systems, the initial sequence is basically static until manually changed and it is highly likely, using currently available multiple filter/stage security systems, that the user would never even become aware of the change in circumstances and/or nature of the threat.
As a result of the situation described above, and the largely static nature of currently available multiple filter/stage security systems, many users of currently available multiple filter/stage security systems inefficiently, and often ineffectively, allocate their security system resources. As a result, time and money are currently often wasted on: capital equipment necessary to implement the unnecessary application of one or more filter/stages; hosting unnecessary applications of one or more filter/stages; processing associated with the unnecessary application of one or more filter/stages; database access and access time associated with the unnecessary application of one or more filter/stages; disk access time associated with the unnecessary application of one or more filter/stages; Input/Output (I/O) latencies associated with the unnecessary application of one or more filter/stages; and/or various other costs associated with the unnecessary application of one or more filter/stages. This situation is undesirable for both the user and the providers of multiple filter/stage security systems.