USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION
First Claim
1. A computer-implemented method for determining an infection risk of a host computer on a network, the computer-implemented method comprising:
a) determining at least two of (1) host-centric symptom information for the host computer, (2) host-centric role information for the host computer, and (3) host-centric reputation information for the host computer, from the stored network data; and
b) determining the infection risk of the host computer using at least two of (1) the determined host-centric symptom information, (2) the determined host-centric role information, and (3) the determined host-centric reputation information.
1 Assignment
0 Petitions
Abstract
Detecting and mitigating threats to a computer network is important to the health of the network. Currently firewalls, intrusion detection systems, and intrusion prevention systems are used to detect and mitigate attacks. As the attackers get smarter and attack sophistication increases, it becomes difficult to detect attacks in real-time at the perimeter. Failure of perimeter defenses leaves networks with infected hosts. At least two of symptoms, roles, and reputations of hosts in (and even outside) a network are used to identify infected hosts. Virus or malware signatures are not required.
14 Claims
1. A computer-implemented method for determining an infection risk of a host computer on a network, the computer-implemented method comprising:
a) determining at least two of (1) host-centric symptom information for the host computer, (2) host-centric role information for the host computer, and (3) host-centric reputation information for the host computer, from the stored network data; and
b) determining the infection risk of the host computer using at least two of (1) the determined host-centric symptom information, (2) the determined host-centric role information, and (3) the determined host-centric reputation information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-implemented method for assigning a reputation to a host, the computer-implemented method comprising:
a) receiving assigned reputation information of a set of other hosts;
b) determining, from the set of other hosts, hosts associated with the host using at least one of (i) communications between the host and each of the other hosts, (ii) a bit-wise difference in IP addresses of the host and of each of the other hosts, (iii) domains of the host and of each of the other hosts, (iv) autonomous systems of the host and of each of the other hosts, and (v) countries of the host and each of the other hosts; and
c) inferring a reputation value of the host using assigned reputation information of hosts from the set of other hosts that were determined to be related to the host.
11. A computer-implemented method for determining whether a host is a spam bot mail-server, the computer-implemented method comprising:
a) determining whether or not a host has a mail-server role using at least one of (i) connection fan out of the host, and (ii) entropy of the fan out edges of the host;
b) responsive to a determination that the host is a mail-server, further determining whether the host is a spam bot mail-server using at least one of (i) a determination of whether or not the host has been whitelisted, (ii) a determination of whether or not the host is a designated mail-server for a domain to which the host belongs, and (iii) an entropy of the host; and
c) responsive to a determination that the host is a spam bot mail-server, identifying the host as a spam bot mail-server.
12. A computer-implemented method for determining whether a host is a peer-to-peer node, the computer-implemented method comprising:
a) tracking abnormal dynamic name to IP address resolutions by the host;
b) determining whether or not the host is a peer-to-peer node using a number of abnormal dynamic name to IP address resolutions; and
c) responsive to a determination that the host is a peer-to-peer node, identifying the host as a peer-to-peer node.
Dependent claims: 13, 14
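The following Python script is an added illustration of how the detection steps in claims 1, 10, 11 and 12 fit together; it is not code from the patent or its assignee. It reads constructed flow and DNS records, derives a mail-server role from port-25 fan-out and the entropy of the fan-out edges, flags a spam bot mail-server when the host is neither whitelisted nor its domain's designated mail-server and its edge entropy is high, flags a peer-to-peer node from a count of abnormal name resolutions, infers a reputation for an unknown host from hosts related by communication or by a small bit-wise IP difference, and finally combines symptom, role and reputation into one risk score. Every threshold, weight, host address, reputation value and the definition of an "abnormal" resolution (a non-NOERROR answer) is an assumption made for the example, not a value taken from the claims.

```python
"""Illustration of role detection, reputation inference and risk scoring.
All records are constructed and every threshold/weight is an assumption."""
from collections import Counter
from ipaddress import ip_address
from math import log2

# Constructed flow records: (source host, destination host, destination port).
FLOWS = []
FLOWS += [("10.0.0.5", f"198.51.100.{i}", 25) for i in range(1, 41)]  # 40 distinct SMTP peers, 1 flow each
FLOWS += [("10.0.0.9", "203.0.113.10", 25)] * 30 + [("10.0.0.9", "203.0.113.11", 25)] * 10
FLOWS += [("10.0.0.9", f"203.0.113.{i}", 25) for i in range(12, 30)]  # skewed edges, 20 distinct peers
FLOWS += [("10.0.0.7", "203.0.113.10", 25)] * 3                        # too little fan-out for a mail role
FLOWS += [("10.0.0.7", f"192.0.2.{i}", 6881) for i in range(1, 31)]

# Constructed DNS log: (host, queried name, response code).
DNS_LOG = [("10.0.0.7", f"peer{i}.dyn.example", "NXDOMAIN") for i in range(12)]
DNS_LOG += [("10.0.0.9", "mx.example.com", "NOERROR")]

WHITELIST = {"10.0.0.2"}                                  # assumed operator whitelist
DESIGNATED_MX = {"example.com": {"10.0.0.9"}}             # assumed result of an MX lookup
HOST_DOMAIN = {"10.0.0.5": "example.com", "10.0.0.7": "example.com", "10.0.0.9": "example.com"}

# Assumed reputation scores in [-1, 1] for some external hosts (negative = bad).
KNOWN_REPUTATION = {f"198.51.100.{i}": -1.0 for i in range(1, 41)}
KNOWN_REPUTATION.update({"203.0.113.10": 0.8, "203.0.113.11": 0.8})

MAIL_FAN_OUT_MIN = 10        # assumed thresholds
SPAM_ENTROPY_MIN = 4.0
P2P_ABNORMAL_DNS_MIN = 10


def fan_out_edges(host, port=25):
    """Flow count per distinct destination the host contacts on the given port."""
    return Counter(dst for src, dst, p in FLOWS if src == host and p == port)


def entropy(counts):
    """Shannon entropy (bits) of how flows are spread across the fan-out edges."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values()) if total else 0.0


def has_mail_server_role(host):
    return len(fan_out_edges(host)) >= MAIL_FAN_OUT_MIN


def is_spam_bot_mail_server(host):
    # Claim 11: mail-server role, then whitelist, designated-MX and entropy checks.
    if not has_mail_server_role(host) or host in WHITELIST:
        return False
    if host in DESIGNATED_MX.get(HOST_DOMAIN.get(host, ""), set()):
        return False
    return entropy(fan_out_edges(host)) >= SPAM_ENTROPY_MIN


def abnormal_dns_count(host):
    # Assumed: an abnormal resolution is one answered with a non-NOERROR code.
    return sum(1 for h, _, rcode in DNS_LOG if h == host and rcode != "NOERROR")


def is_p2p_node(host):
    # Claim 12: decide on the number of abnormal name-to-IP resolutions.
    return abnormal_dns_count(host) >= P2P_ABNORMAL_DNS_MIN


def related_hosts(host, known):
    """Hosts related by direct communication or by IP closeness (XOR < 256, i.e. same /24)."""
    peers = {d for s, d, _ in FLOWS if s == host} | {s for s, d, _ in FLOWS if d == host}
    h = int(ip_address(host))
    near = {o for o in known if (int(ip_address(o)) ^ h) < 256}
    return (peers | near) & set(known)


def infer_reputation(host, known=KNOWN_REPUTATION):
    # Claim 10: average the assigned reputations of the related hosts.
    rel = related_hosts(host, known)
    return sum(known[r] for r in rel) / len(rel) if rel else 0.0


def infection_risk(host):
    # Claim 1: combine symptom, role and reputation evidence into one score in [0, 1].
    symptom = min(abnormal_dns_count(host) / P2P_ABNORMAL_DNS_MIN, 1.0)
    role = 1.0 if (is_spam_bot_mail_server(host) or is_p2p_node(host)) else 0.0
    peers = {d for s, d, _ in FLOWS if s == host} & set(KNOWN_REPUTATION)
    peer_rep = sum(KNOWN_REPUTATION[p] for p in peers) / len(peers) if peers else 0.0
    reputation = (1.0 - peer_rep) / 2           # map [-1, 1] (bad..good) to [1, 0] risk
    return round(0.3 * symptom + 0.4 * role + 0.3 * reputation, 3)


if __name__ == "__main__":
    for h in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        print(h, "mail" if has_mail_server_role(h) else "-", "spam" if is_spam_bot_mail_server(h) else "-",
              "p2p" if is_p2p_node(h) else "-", "risk", infection_risk(h))
    print("198.51.100.50 inferred reputation", infer_reputation("198.51.100.50"))
```

With the constructed data, 10.0.0.5 is a spam bot mail-server (40 uniform edges, entropy about 5.3 bits, not the designated MX), 10.0.0.9 has the mail-server role but is the designated MX and so is not flagged, and 10.0.0.7 is a peer-to-peer node on the strength of its 12 failed resolutions. The unknown external host 198.51.100.50 inherits a bad reputation purely from its /24 neighbours, which is the kind of inference a defender should treat as a lead rather than a verdict.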
Specification