IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES

US 20130042294A1
Filed: 08/08/2011
Published: 02/14/2013
Est. Priority Date: 08/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method of executing applications on a device having a processor, the method comprising:

executing on the processor instructions configured to;

while executing an application, detect at least one resource access of at least one remote resource accessed by the application;

send resource accesses for respective remote resources to a reputation service;

upon receiving from the reputation service an application reputation set identifying application reputations for respective applications, store the application reputation set; and

upon receiving a request to execute an application;

select an application policy according to the application reputation of the application; and

execute the application according to the application policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner.

Citations

20 Claims

1. A method of executing applications on a device having a processor, the method comprising:
- executing on the processor instructions configured to;
  
  while executing an application, detect at least one resource access of at least one remote resource accessed by the application;
  
  send resource accesses for respective remote resources to a reputation service;
  
  upon receiving from the reputation service an application reputation set identifying application reputations for respective applications, store the application reputation set; and
  
  upon receiving a request to execute an application;
  
  select an application policy according to the application reputation of the application; and
  
  execute the application according to the application policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, respective resource accesses of remote resources requested automatically by the application without specification by a user of the application.
  - 3. The method of claim 1:
    - the device comprising a runtime configured to manage execution of applications on the processor of the device;
      
      detecting the at least one resource access comprising;
      
      configuring the runtime to detect at least one resource access of at least one remote resource accessed by the application; and
      
      executing the application comprising;
      
      configuring the runtime to execute the application according to the application policy.
  - 4. The method of claim 1:
    - the application comprising a web application; and
      
      at least one resource access comprising;
      
      an access of web content accessed by the application.
  - 5. The method of claim 1, at least one remote resource comprising:
    - at least one remote device that is contacted by the application.
  - 6. The method of claim 1, sending the resource accesses to the reputation service comprising:
    - sending the resource accesses upon detecting an event selected from an event set comprising;
      
      a periodic event;
      
      an application status change event;
      
      an application behavior change event;
      
      a system event; and
      
      a resource access event comprising a resource access of the remote resource by the application.
  - 7. The method of claim 1, the application policy selected from an application policy set comprising:
    - an unrestricted application policy specifying no restrictions of the application;
      
      a warning application policy specifying a warning to be presented to a user of the application;
      
      a consent application policy specifying;
      
      a notification to be presented to the user regarding resource accesses of the application with a consent option selectable by the user, anda prohibition of executing the application until the consent option is selected by the user;
      
      a restricted application policy specifying at least one restriction of at least one capability of the application;
      
      an isolation application policy specifying an isolated execution of the application; and
      
      a prohibited application policy specifying a prohibition of executing the application.
  - 8. The method of claim 1:
    - at least one application comprising at least one application component; and
      
      the instructions configured to apply the application policy to at least one application component of the application.
  - 9. The method of claim 1, the instructions configured to:
    - upon receiving from the reputation service a resource reputation set comprising at least one resource reputation of at least one remote resource, store the resource reputation set; and
      
      upon receiving a request to execute an application;
      
      select an application policy according to the resource reputations of the remote resources accessed by the application; and
      
      execute the application according to the application policy.
  - 10. The method of claim 1, the instructions configured to:
    - while executing an application, detect at least one application behavior indicator of at least one application behavior of the application; and
      
      send the at least one application behavior indicator to the reputation service.

11. A method of identifying, on a computer having a processor, application reputations for applications executed on behalf of at least one device, the method comprising:
- executing on the processor instructions configured to;
  
  upon receiving from at least one device at least one resource access of a remote resource accessed by an application executing on a device, store the resource access of the remote resource;
  
  for respective remote resources, identify a resource reputation; and
  
  for respective applications, identify an application reputation of the application according to the resource reputations of the remote resources accessed by the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11:
    - the computer configured to execute applications on behalf of at least one device; and
      
      the instructions configured to, upon receiving a request from a device to execute an application;
      
      select an application policy according to the application reputation of the application; and
      
      execute the application according to the application policy.
  - 13. The method of claim 11:
    - at least one application stored on the computer for delivery to devices; and
      
      the instructions configured to, upon receiving a request to deliver an application to a device;
      
      select an application policy according to the application reputation of the application; and
      
      deliver the application policy with the application to the device.
  - 14. The method of claim 11, the instructions configured to:
    - generate an application reputation set comprising application reputations of respective applications associated with the resource accesses of remote resources accessed by the applications; and
      
      send the application reputation set to at least one device.
  - 15. The method of claim 11, the instructions configured to:
    - generate a resource reputation set comprising resource reputations of remote resources that may be accessed by applications executing on a device; and
      
      send the resource reputation set to at least one device.
  - 16. The method of claim 11:
    - the application comprising a web application; and
      
      at least one resource access comprising;
      
      an access of web content accessed by the application.
  - 17. The method of claim 11, at least one remote resource comprising:
    - at least one remote device that is contacted by the application.
  - 18. The method of claim 11:
    - the instructions configured to;
      
      detect at least one resource access of at least one remote resource accessed by the application executing in a controlled environment, andgenerating a comparison of the resource accesses of the application executing in the controlled environment and the resource accesses of the application executing on at least one device; and
      
      identifying the application reputation comprising;
      
      identifying the application reputation based on the comparison.
  - 19. The method of claim 11:
    - the instructions configured to, upon receiving from at least one device at least one application behavior indicator of at least one application behavior of an application detected by the device while executing the application, store the at least one application behavior indicator; and
      
      identifying application reputations comprising;
      
      for respective applications, identify an application reputation of the application according to the resource reputations of the remote resources accessed by the application and the at least one application behavior indicated by the application behavior indicators of the application.

20. A computer-readable storage medium comprising instructions that, when executed on a processor of a device, cause the processor to execute applications by:
- while executing an application, detecting at least one resource access of at least one remote resource accessed by the application;
  
  sending resource accesses for respective remote resources to a reputation service;
  
  upon receiving from the reputation service an application reputation set identifying application reputations for respective applications, storing the application reputation set; and
  
  upon receiving a request to execute an application;
  
  selecting an application policy according to the application reputation of the application; and
  
  executing the application according to the application policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Colvin, Ryan Charles, Haber, Elliott Jeb, Bhatawdekar, Ameya, Penta, Anthony P.

Granted Patent

US 9,065,826 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/0893   Assignment of logical group...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links