Method and apparatus for controlling access to network resources based on reputation

US 20080082662A1
Filed: 05/15/2007
Published: 04/03/2008
Est. Priority Date: 05/19/2006
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus, comprising:

one or more processors;

a first network interface that is coupled to a first network that includes a plurality of clients;

a second network interface that is coupled to a second network that includes a plurality of resources;

a computer-readable storage medium that comprises one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;

receiving a client request that includes a particular network resource identifier;

retrieving, from a database that associates a plurality of network resource indicators with attributes of the network resource identifiers, values of particular attributes that are associated with the particular network resource identifier;

determining a reputation score value for the particular network resource identifier based on the particular attributes;

performing a responsive action for the client request based on the reputation score value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to network resources is controlled based on reputation of the network resources. In an embodiment, a data processing apparatus is coupled to a first protected network and to a second network, and comprises logic configured to cause receiving a client request that includes a particular network resource identifier; retrieving, from a database that associates a plurality of network resource indicators with attributes of the network resource identifiers, values of particular attributes that are associated with the particular network resource identifier; determining a reputation score value for the particular network resource identifier based on the particular attributes; and performing a responsive action for the client request based on the reputation score value.

786 Citations

20 Claims

1. An apparatus, comprising:
- one or more processors;
  
  a first network interface that is coupled to a first network that includes a plurality of clients;
  
  a second network interface that is coupled to a second network that includes a plurality of resources;
  
  a computer-readable storage medium that comprises one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
  
  receiving a client request that includes a particular network resource identifier;
  
  retrieving, from a database that associates a plurality of network resource indicators with attributes of the network resource identifiers, values of particular attributes that are associated with the particular network resource identifier;
  
  determining a reputation score value for the particular network resource identifier based on the particular attributes;
  
  performing a responsive action for the client request based on the reputation score value.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the client request is an HTTP request, wherein the network resource identifier is a URL.
  - 3. The apparatus of claim 1, wherein the responsive action comprises denying access to a resource that is identified in the network resource identifier.
  - 4. The apparatus of claim 1, wherein the responsive action comprises performing one or more other tests on resources or network resource identifiers.
  - 5. The apparatus of claim 1, further comprising an HTTP proxy and an e-mail server.
  - 6. The apparatus of claim 1, wherein the computer-readable medium further comprises instructions which when executed cause performing determining the reputation score value by:
    - providing the particular network resource identifier to a reputation service;
      
      receiving a plurality of prefix reputation score values for each of a plurality of prefixes that form parts of the network resource identifier;
      
      determining the reputation score value by combining and weighting the received prefix reputation score values.

7. An apparatus, comprising:
- one or more processors;
  
  a first network interface that is coupled to a first network that includes a plurality of clients;
  
  a second network interface that is coupled to a second network that includes a plurality of resources;
  
  means for receiving a client request that includes a particular network resource identifier;
  
  means for retrieving, from a database that associates a plurality of network resource indicators with attributes of the network resource identifiers, values of particular attributes that are associated with the particular network resource identifier;
  
  means for determining a reputation score value for the particular network resource identifier based on the particular attributes;
  
  means for performing a responsive action for the client request based on the reputation score value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the client request is an HTTP request, wherein the network resource identifier is a URL.
  - 9. The apparatus of claim 7, wherein the responsive action comprises denying access to a resource that is identified in the network resource identifier.
  - 10. The apparatus of claim 7, wherein the responsive action comprises performing one or more other tests on resources or network resource identifiers.
  - 11. The apparatus of claim 7, further comprising an HTTP proxy and an e-mail server.
  - 12. The apparatus of claim 7, further comprising:
    - means for providing the particular network resource identifier to a reputation service;
      
      means for receiving a plurality of prefix reputation score values for each of a plurality of prefixes that form parts of the network resource identifier;
      
      means for determining the reputation score value by combining and weighting the received prefix reputation score values.

13. An apparatus, comprising:
- one or more processors;
  
  a network interface that is coupled to a network that includes a plurality of resources;
  
  a computer-readable storage medium that comprises one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
  
  receiving information about a plurality of network resource identifiers from one or more reputation data sources;
  
  processing the network resource identifiers to determine a web reputation score value representing an overall probability that the network resource identifiers are associated with malware;
  
  storing the web reputation score value in a database that associates a plurality of network resource indicators with attributes of the network resource identifiers;
  
  repeating the receiving, processing, transforming and storing as new information becomes available for the same network resource identifiers.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The apparatus of claim 13, wherein the information about the plurality of network resource identifiers comprises any of how long the domain in a URL has been registered, what country the website is hosted in, whether the domain is owned by a Fortune 500 company, and whether the Web server is using a dynamic IP address.
  - 15. The apparatus of claim 13, wherein the processing comprises evaluating one or more parameters selected from among the group consisting of:
    - URL categorization data;
      
      the presence of downloadable code at a web site;
      
      the presence of long, obfuscated End User License Agreements (EULAs);
      
      global traffic volume and changes in volume;
      
      network owner information;
      
      history of a URL;
      
      age of a URL;
      
      the presence of a URL on a blacklist of sites that provide viruses, spam, spyware, phishing, or pharming;
      
      the presence of a URL on a whitelist of sites that provide viruses, spam, spyware, phishing, or pharming;
      
      whether the URL is a typographical corruption of a popular domain name;
      
      domain registrar information;
      
      IP address information.
  - 16. The apparatus of claim 13, wherein the instructions when executed cause assigning a weight to each of the parameters.
  - 17. The apparatus of claim 13, wherein the instructions when executed cause assigning a high weight to a parameter indicating the presence of URLs on a trusted blacklist, and assigning a low weight to network owner information from a “
    - whois”
      
      database.
  - 18. The apparatus of claim 13, wherein the computer-readable medium further comprises instructions which when executed cause performing determining the reputation score value by:
    - receiving the network resource identifiers from a messaging apparatus;
      
      determining a plurality of prefixes that form parts of the network resource identifier;
      
      submitting each of the prefixes to the reputation data sources;
      
      receiving feed score values for the prefixes from the reputation data sources;
      
      determining a plurality of prefix reputation score values for each of the prefixes based on the feed score values;
      
      sending the prefix reputation score values to the messaging apparatus.
  - 19. The apparatus of claim 18, wherein the computer-readable medium further comprises instructions which when executed cause performing determining the reputation score value by weighting the received prefix reputation score values based on source reputation values associated with the reputation data sources.

20-37. -37. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Lau, Jed, Gadre, Ambika, Mohan, Shalabh, Dandliker, Richard

Application Number

US11/804,017
Publication Number

US 20080082662A1
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Method and apparatus for controlling access to network resources based on reputation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

786 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling access to network resources based on reputation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

786 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links