Detecting compromised computers by correlating reputation data with web access logs
Abstract
Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised.
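The retroactive analysis the abstract describes, as an added example that is not part of the patent or any product: a reputation update naming a resource is correlated against a boundary proxy log over a predetermined time window, and the client computers found are reported in a security assessment. The log format, the hostnames and addresses, and the seven-day window are all constructed assumptions for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a boundary proxy log (assumed format: time, client, method, target, status).
PROXY_LOG = """\
2024-05-01T09:12:03 10.0.0.15 GET http://cdn.example-good.test/lib.js 200
2024-05-02T14:30:10 10.0.0.21 GET http://updates.bad-example.test/x.php 200
2024-05-03T08:01:44 10.0.0.15 GET http://updates.bad-example.test/x.php 200
2024-05-03T08:05:00 10.0.0.42 CONNECT 203.0.113.77:443 200
2024-04-01T11:00:00 10.0.0.99 GET http://updates.bad-example.test/old 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Return (timestamp, client, host) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, target, _status = m.groups()
        # GET targets are full URLs (take the host part); CONNECT targets are host:port.
        host = target.split("/")[2] if "://" in target else target
        records.append((datetime.fromisoformat(ts), client, host.split(":")[0]))
    return records

def retroactive_assessment(records, resource, received_at_iso, window_days):
    """Security assessment: clients that reached `resource` in the window before the update."""
    received_at = datetime.fromisoformat(received_at_iso)
    start = received_at - timedelta(days=window_days)
    hits = [(ts, client) for ts, client, host in records
            if host == resource and start <= ts <= received_at]
    return {
        "resource": resource,
        "window": (start.isoformat(), received_at.isoformat()),
        "suspected_clients": sorted({client for _, client in hits}),  # likely compromised
        "access_count": len(hits),
    }

if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    # Constructed reputation update: the host was newly flagged as malicious on 2024-05-04.
    print(retroactive_assessment(recs, "updates.bad-example.test", "2024-05-04T00:00:00", 7))
```

The access on 2024-04-01 falls outside the seven-day window and is deliberately left out of the assessment, which is the role the patent's "predetermined time window" plays.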
Claims (20 total)
1. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
- receiving reputation data associated with a resource from a reputation service;
- analyzing, responsively to receiving, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource; and
- generating a security assessment that includes results from the analyzing.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
- receiving reputation data associated with a resource from a reputation service;
- monitoring access attempts to the resource which occur after receiving the reputation data;
- analyzing, responsively to the monitoring, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource before receiving the reputation data; and
- generating a security assessment that includes results from the analyzing.

Dependent claims: 11, 12, 13, 14, 15, 17.

16. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
- checking a resource with a reputation service to determine if the resource is malicious;
- analyzing, responsively to the checking, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource before the checking with the reputation service was performed; and
- generating a security assessment that includes results from the analyzing.

Dependent claims: 18, 19, 20.