LOCAL REPUTATION TO ADJUST SENSITIVITY OF BEHAVIORAL DETECTION SYSTEM

US 20130246605A1
Filed: 04/27/2011
Published: 09/19/2013
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method performed by a data processing apparatus, the method comprising:

monitoring source assets in a network for activities that are indicative of potential security compromises, the network being an internet protocol based network that is logically independent from other internet protocol networks, and each activity that is being monitored being associated with a corresponding activity weight that is indicative of the reliability of the activity being the result of an actual security compromise;

in response to monitoring an source asset performing an activity indicative of a potential security compromise, instantiating an source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the source asset and the monitored activity;

for each source asset tracking instance in the computer memory;

updating the source asset tracking instance with data identifying subsequently monitored activities indicative of a potential security compromise in response to each monitoring of the source asset performing the subsequently monitored activity;

determining a reputation value for an activity weight of a monitored activity;

adjusting, only for the source asset, the activity weight of the monitored activity by the reputation value associated with the activity weight;

determining an asset reputation for the source asset from the activity weights associated with the monitored activities; and

determining that the source asset is a security risk when the asset reputation exceeds a threshold.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for adjusting the sensitivity of a behavior detection process on a per-device basis based on a local reputation for each device.

Citations

22 Claims

1. A method performed by a data processing apparatus, the method comprising:
- monitoring source assets in a network for activities that are indicative of potential security compromises, the network being an internet protocol based network that is logically independent from other internet protocol networks, and each activity that is being monitored being associated with a corresponding activity weight that is indicative of the reliability of the activity being the result of an actual security compromise;
  
  in response to monitoring an source asset performing an activity indicative of a potential security compromise, instantiating an source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the source asset and the monitored activity;
  
  for each source asset tracking instance in the computer memory;
  
  updating the source asset tracking instance with data identifying subsequently monitored activities indicative of a potential security compromise in response to each monitoring of the source asset performing the subsequently monitored activity;
  
  determining a reputation value for an activity weight of a monitored activity;
  
  adjusting, only for the source asset, the activity weight of the monitored activity by the reputation value associated with the activity weight;
  
  determining an asset reputation for the source asset from the activity weights associated with the monitored activities; and
  
  determining that the source asset is a security risk when the asset reputation exceeds a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein:
    - at least one monitored activity is a communication from the source asset to a destination address external to the network; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a reputation associated with the destination address;
      
      determining the reputation value for the source asset based on the reputation associated with the destination address.
  - 3. The method of claim 2, wherein adjusting, only for the source asset, an activity weight of a monitored activity by the reputation value comprises:
    - adjusting the activity weight only for the at least one monitored activity by the reputation value.
  - 4. The method of claim 1, wherein:
    - at least one monitored activity is a download of an executable having a malicious reputation; and
      
      determining a reputation value for the activity weight of the monitored activity comprises determining the reputation value based on the malicious reputation of the executable so that the reputation value is indicative of the malicious reputation.
  - 5. The method of claim 4, wherein adjusting, only for the source asset, an activity weight of a monitored activity by the reputation value comprises:
    - adjusting the activity weight for monitored activities performed in response to execution of the executable by the source asset.
  - 6. The method of claim 1, wherein:
    - the monitored activities include a plurality of communication attempts to destination computer devices external to the network; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a denied request due to a determination that the communication attempt from the source asset is indicative of a potential security compromise; and
      
      determining the reputation value based on the number.
  - 7. The method of claim 6, wherein adjusting, only for the source asset, an activity weight of a monitored activity by the reputation value comprises:
    - adjusting the activity weight for each of the plurality of communication attempts by the reputation value.
  - 8. The method of claim 1, wherein:
    - the monitored activities include a plurality of communication attempts to destination computer devices; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a non-existent destination address to which the communication attempt was directed; and
      
      determining the reputation value based on the number.
  - 9. The method of claim 8, wherein adjusting, only for the source asset, an activity weight of a monitored activity by the reputation value comprises:
    - adjusting the activity weight for each of the plurality of communication attempts by the reputation value.
  - 10. The method of claim 1, wherein:
    - the monitored activities include an incoming attack detect on the source asset and an outgoing attack detected from the source asset; and
      
      determining a reputation value for the activity weight of the monitored activity comprises determining the reputation value based on the number.
  - 11. The method of claim 10, wherein adjusting, only for the source asset, an activity weight of a monitored activity by the reputation value comprises:
    - adjusting the activity weight for each of the outgoing communication attempts by the reputation value.
  - 12. The method of claim 1, wherein:
    - each activity weight is one a low weight, medium weight or high weight, wherein a low weight is indicative of a low security risk, a medium weight is indicative of a medium security risk, and a high weight is indicative of a high security risk; and
      
      determining from the activity weights associated with the monitored activities a security score for the source asset comprises;
      
      summing each of the activity weights so that at least two low weights are equal to a medium weight, two medium weights are equal to a high weight, and two high weights constitute a security risk.
  - 13. The method of claim 1, wherein the monitored activities include communications that use one or more of the following protocols:
    - SSL, HTTP, FTP, IRC, DNS, P2P, SMB/Netbios, and SMTP.
  - 14. The method of claim 1, further comprising, for each source asset tracking instance in computer memory:
    - in response to not monitoring an activity that is indicative of a potential security compromise for a predefined time period, purging the source asset tracking instance from the computer memory.

15. Software stored in a non-transitory computer readable medium comprising instructions executable by a data processing apparatus and that cause the data processing apparatus to perform operations comprising:
- monitoring source assets in a network for activities that are indicative of potential security compromises, the network being an internet protocol based network that is logically independent from other internet protocol networks, and each activity that is being monitored being associated with a corresponding activity weight that is indicative of the reliability of the activity being the result of an actual security compromise;
  
  in response to monitoring an source asset performing an activity indicative of a potential security compromise, instantiating an source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the source asset and the monitored activity;
  
  for each source asset tracking instance in the computer memory;
  
  updating the source asset tracking instance with data identifying subsequently monitored activities indicative of a potential security compromise in response to each monitoring of the source asset performing the subsequently monitored activity;
  
  determining a reputation value for an activity weight of a monitored activity;
  
  adjusting, only for the source asset, the activity weight of the monitored activity by the reputation value associated with the activity weight;
  
  determining an asset reputation for the source asset from the activity weights associated with the monitored activities; and
  
  determining that the source asset is a security risk when the asset reputation exceeds a threshold.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The software of claim 15, wherein:
    - at least one monitored activity is a communication from the source asset to a destination address external to the network; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a reputation associated with the destination address;
      
      determining the reputation value for the source asset based on the reputation associated with the destination address.
  - 17. The software of claim 15, wherein:
    - at least one monitored activity is a download of an executable having a malicious reputation; and
      
      determining a reputation value for the activity weight of the monitored activity comprises determining the reputation value based on the malicious reputation of the executable so that the reputation value is indicative of the malicious reputation.
  - 18. The software of claim 15, wherein:
    - the monitored activities include a plurality of communication attempts to destination computer devices external to the network; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a denied request due to a determination that the communication attempt from the source asset is indicative of a potential security compromise; and
      
      determining the reputation value based on the number.
  - 19. The software of claim 15, wherein:
    - the monitored activities include a plurality of communication attempts to destination computer devices; and
      
      determining a reputation value for the activity weight of the monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a non-existent destination address to which the communication attempt was directed; and
      
      determining the reputation value based on the number.
  - 20. The software of claim 15, wherein:
    - the monitored activities include an incoming attack detect on the source asset and an outgoing attack detected from the source asset; and
      
      determining a reputation value for the activity weight of the monitored activity comprises determining the reputation value based on the number.
  - 21. The software of claim 15, wherein:
    - each activity weight is one a low weight, medium weight or high weight, wherein a low weight is indicative of a low security risk, a medium weight is indicative of a medium security risk, and a high weight is indicative of a high security risk; and
      
      determining from the activity weights associated with the monitored activities a security score for the source asset comprises;
      
      summing each of the activity weights so that at least two low weights are equal to a medium weight, two medium weights are equal to a high weight, and two high weights constitute a security risk.

22. A system comprising:
- a data processing apparatus; and
  
  a non-transitory computer readable medium storing instructions executable by the data processing apparatus and that cause the data processing apparatus to perform operations comprising;
  
  monitoring source assets in a network for activities that are indicative of potential security compromises, the network being an internet protocol based network that is logically independent from other internet protocol networks, and each activity that is being monitored being associated with a corresponding activity weight that is indicative of the reliability of the activity being the result of an actual security compromise;
  
  in response to monitoring an source asset performing an activity indicative of a potential security compromise, instantiating an source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the source asset and the monitored activity;
  
  for each source asset tracking instance in the computer memory;
  
  updating the source asset tracking instance with data identifying subsequently monitored activities indicative of a potential security compromise in response to each monitoring of the source asset performing the subsequently monitored activity;
  
  determining a reputation value for an activity weight of a monitored activity;
  
  adjusting, only for the source asset, the activity weight of the monitored activity by the reputation value associated with the activity weight;
  
  determining an asset reputation for the source asset from the activity weights associated with the monitored activities; and
  
  determining that the source asset is a security risk when the asset reputation exceeds a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mahadik, Vinay, Madhusudan, Bharath

Granted Patent

US 8,650,287 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1433 Vulnerability analysis

LOCAL REPUTATION TO ADJUST SENSITIVITY OF BEHAVIORAL DETECTION SYSTEM

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

LOCAL REPUTATION TO ADJUST SENSITIVITY OF BEHAVIORAL DETECTION SYSTEM

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links