Hygiene-Based Computer Security

US 20090282476A1
Filed: 12/29/2006
Published: 11/12/2009
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security, comprising:

determining hygiene scores associated with a plurality of clients, the hygiene scores representing assessments of the trustworthiness of the clients;

receiving data describing an entity encountered by one or more of the plurality of clients; and

calculating a reputation score for the entity responsive to the client hygiene scores, the reputation score representing an assessment of whether the entity is malicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients'"'"' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Citations

34 Claims

1. A method of providing computer security, comprising:
- determining hygiene scores associated with a plurality of clients, the hygiene scores representing assessments of the trustworthiness of the clients;
  
  receiving data describing an entity encountered by one or more of the plurality of clients; and
  
  calculating a reputation score for the entity responsive to the client hygiene scores, the reputation score representing an assessment of whether the entity is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - providing the reputation score for the entity to a client that encounters the entity.
  - 3. The method of claim 1, wherein determining hygiene scores comprises:
    - receiving the hygiene scores from the plurality of clients via a computer network.
  - 4. The method of claim 1, wherein receiving data describing an entity encountered by one or more of the plurality of clients comprises:
    - receiving data identifying a file and/or a website encountered by the clients.
  - 5. The method of claim 1, wherein calculating the reputation score for the entity comprises:
    - determining whether the entity is likely to be malicious responsive to the hygiene scores of the one or more clients that encountered the entity.
  - 6. The method of claim 5, wherein the entity is a computer file and wherein determining whether the file is likely to be malicious comprises:
    - determining whether clients with hygiene scores indicating that the clients are trustworthy download, install, and/or execute the file.
  - 7. The method of claim 1, wherein calculating the reputation score for the entity comprises:
    - identifying a set of super clients from the plurality of clients that have hygiene scores indicating that the clients are very trustworthy and have encountered the entity; and
      
      determining whether the entity is likely to be malicious responsive to the hygiene scores of the super clients and operations the super clients performed responsive to evaluating the reputation score of the entity.
  - 8. The method of claim 1, further comprising:
    - receiving submissions of entities representing possible malware detected on the plurality of clients;
      
      determining reputation scores for the submitted entities representing possible malware; and
      
      prioritizing the submitted entities responsive to the reputation scores.

9. A system for providing computer security, comprising:
- a hygiene cache module for storing hygiene scores associated with a plurality of clients, the hygiene scores representing assessments of the trustworthiness of the clients;
  
  a state information module for storing data describing an entity encountered by one or more of the plurality of clients; and
  
  a reputation computation module for calculating a reputation score for the entity responsive to the client hygiene scores, the reputation score representing an assessment of whether the entity is malicious.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - a client communication module for providing the reputation score for the entity to a client that encounters the entity.
  - 11. The system of claim 9, wherein the hygiene cache module receives the hygiene scores from the plurality of clients via a computer network.
  - 12. The system of claim 9, wherein the state information module stores data identifying a file and/or a website encountered by one or more of the plurality of clients.
  - 13. The system of claim 9, wherein the reputation computation module is further adapted to determine whether the entity is likely to be malicious responsive to the hygiene scores of the one or more clients that encountered the entity.
  - 14. The system of claim 13, wherein the entity is a computer file and wherein the reputation computation module determines whether clients with hygiene scores indicating that the clients are trustworthy download, install, and/or execute the file.
  - 15. The system of claim 9, wherein the reputation computation module is further adapted to:
    - identify a set of super clients from the plurality of clients that have hygiene scores indicating that the clients are very trustworthy and have encountered the entity; and
      
      determine whether the entity is likely to be malicious responsive to the hygiene scores of the super clients and operations the super clients performed responsive to evaluating the reputation score of the entity.
  - 16. The system of claim 9, further comprising:
    - a malware receipt module for receiving submissions of entities representing possible malware detected on the plurality of clients, determining reputation scores for the submitted entities representing possible malware, and prioritizing the submitted entities responsive to the reputation scores.

17. A method of providing security for a client, comprising:
- monitoring a state of the client to detect an encounter with an entity;
  
  receiving a reputation score for the entity encountered by the client from a reputation server, the reputation score representing an assessment of whether the entity is malicious and calculated responsive to hygiene scores of other clients that encountered the entity, the hygiene scores representing assessments of the trustworthiness of the clients; and
  
  evaluating the reputation score for the entity to determine whether the entity is malicious.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, further comprising:
    - calculating a hygiene score for the client, the hygiene score representing an assessment of the trustworthiness of the client; and
      
      providing the hygiene score for the client to the reputation server.
  - 19. The method of claim 18, wherein calculating the hygiene score for the client comprises:
    - determining a frequency at which malware is detected on the client; and
      
      calculating the hygiene score responsive to the frequency at which malware is detected on the client, wherein more frequent detections of malware result in a hygiene score indicating that the client is less trustworthy.
  - 20. The method of claim 17, further comprising:
    - providing data describing an operation performed on the client in response to the evaluation to the reputation server.
  - 21. The method of claim 17, wherein the entity is a file, program, or website.
  - 22. The method of claim 17, further comprising:
    - identifying the entity encountered by the client using a unique identifier; and
      
      providing the unique identifier to the reputation server;
      
      wherein the reputation score for the entity is received from the reputation server responsive to providing the server with the unique identifier.
  - 23. The method of claim 22, wherein the entity is a file and wherein the unique identifier is a hash of the file.
  - 24. The method of claim 17, wherein evaluating the reputation score for the entity comprises:
    - suspending an activity involving the entity;
      
      comparing the reputation score for the entity to a threshold; and
      
      canceling the suspended activity responsive to the comparison.
  - 25. The method of claim 17, wherein evaluating the reputation score for the entity comprises:
    - suspending an activity involving the entity;
      
      displaying a message describing the reputation score for the entity to a user of the client; and
      
      displaying a user interface to the user enabling the user to cancel the activity.

26. A computer program product having a computer-readable medium with computer program instructions embodied therein for providing security on a client, the computer program instructions comprising:
- a state monitoring module for monitoring a state of the client to detect an encounter with an entity;
  
  a server communication module for receiving a reputation score for the entity encountered by the client from a reputation server, the reputation score representing an assessment of whether the entity is malicious and calculated responsive to hygiene scores of other clients that encountered the entity, the hygiene scores representing assessments of the trustworthiness of the clients; and
  
  a reputation evaluation module for evaluating the reputation score for the entity to determine whether the entity is malicious.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The method of claim 26, further comprising:
    - a hygiene computation module for calculating a hygiene score for the client, the hygiene score representing an assessment of the trustworthiness of the client;
      
      wherein the server communication module provides the hygiene score for the client to the reputation server.
  - 28. The computer program product of claim 27, further comprising:
    - a malware detection module for detecting malware at the client;
      
      wherein the hygiene computation module determines a frequency at which malware is detected on the client and calculates the hygiene score responsive to the frequency at which malware is detected on the client, wherein more frequent detections of malware result in a hygiene score indicating that the client is less trustworthy.
  - 29. The computer program product of claim 26, wherein the server communication module provides data describing an operation performed on the client in response to the evaluation to the reputation server.
  - 30. The computer program product of claim 26, wherein the entity is a file, program, or website.
  - 31. The computer program product of claim 26, further comprising:
    - a state monitoring module for identifying the entity encountered by the client using a unique identifier and providing the unique identifier to the reputation server;
      
      wherein the server communication module receives the reputation score for the entity from the reputation server responsive to providing the server with the unique identifier.
  - 32. The computer program product of claim 31, wherein the entity is a file and wherein the unique identifier is a hash of the file.
  - 33. The computer program product of claim 26, further comprising:
    - a state monitoring module for suspending an activity involving the entity;
      
      wherein the reputation evaluation module compares the reputation score for the entity to a threshold and cancels the suspended activity responsive to the comparison.
  - 34. The computer program product of claim 26, further comprising:
    - a state monitoring module for suspending an activity involving the entity;
      
      wherein the reputation evaluation module displays a message describing the reputation score for the entity to a user of the client and displays a user interface to the user enabling the user to cancel the activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Griffin, Kent E.

Granted Patent

US 8,312,536 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/50 Monitoring users, programs ...

G06F 21/577 Assessing vulnerabilities a...

Hygiene-Based Computer Security

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Hygiene-Based Computer Security

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links