IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES
Abstract
Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner.
20 Claims
1. A method of executing applications on a device having a processor, the method comprising:
- executing on the processor instructions configured to:
while executing an application, detect at least one resource access of at least one remote resource accessed by the application;
send resource accesses for respective remote resources to a reputation service;
upon receiving from the reputation service an application reputation set identifying application reputations for respective applications, store the application reputation set; and
upon receiving a request to execute an application:
select an application policy according to the application reputation of the application; and
execute the application according to the application policy.
11. A method of identifying, on a computer having a processor, application reputations for applications executed on behalf of at least one device, the method comprising:
- executing on the processor instructions configured to:
upon receiving from at least one device at least one resource access of a remote resource accessed by an application executing on a device, store the resource access of the remote resource;
for respective remote resources, identify a resource reputation; and
for respective applications, identify an application reputation of the application according to the resource reputations of the remote resources accessed by the application.
20. A computer-readable storage medium comprising instructions that, when executed on a processor of a device, cause the processor to execute applications by:
while executing an application, detecting at least one resource access of at least one remote resource accessed by the application;
sending resource accesses for respective remote resources to a reputation service;
upon receiving from the reputation service an application reputation set identifying application reputations for respective applications, storing the application reputation set; and
upon receiving a request to execute an application:
selecting an application policy according to the application reputation of the application; and
executing the application according to the application policy.
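The device role of claims 1 and 20 and the service role of claim 11, modelled together in Python as an added example that is not taken from the patent. The 0.0 to 1.0 score scale, the "worst resource wins" aggregation rule, the thresholds, the policy names and the sample resources are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed resource reputations (0.0 = known bad, 1.0 = known good).
RESOURCE_REPUTATION = {
    "https://updates.example.com/feed": 0.9,
    "https://cdn.example.net/lib.js": 0.8,
    "203.0.113.7:4444": 0.1,
}
UNKNOWN = 0.5  # assumed neutral score for unrated resources and unseen apps


class ReputationService:
    """Service side (claim 11): store accesses, rate resources, rate apps."""

    def __init__(self):
        self.accesses = defaultdict(set)  # app id -> remote resources seen

    def report(self, app_id, resources):
        self.accesses[app_id].update(resources)

    def application_reputation_set(self):
        # Assumed rule: an app is only as reputable as its worst resource.
        return {
            app: min(RESOURCE_REPUTATION.get(r, UNKNOWN) for r in seen)
            for app, seen in self.accesses.items()
        }


class Device:
    """Device side (claim 1): report accesses, store the set, pick a policy."""

    def __init__(self, service):
        self.service = service
        self.reputations = {}  # locally stored application reputation set

    def observe(self, app_id, resources):
        self.service.report(app_id, resources)

    def refresh(self):
        self.reputations = self.service.application_reputation_set()

    def select_policy(self, app_id):
        score = self.reputations.get(app_id, UNKNOWN)
        if score < 0.3:
            return "block"
        if score < 0.7:
            return "restricted"  # assumed middle tier, e.g. reduced privileges
        return "unrestricted"
```

Because the reputation set is computed from telemetry pooled across devices, a device that has never run an application can still apply the policy derived from what other devices observed.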
Specification