SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION

US 20130247201A1
Filed: 03/21/2011
Published: 09/19/2013
Est. Priority Date: 03/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a reputation value based on a hash of a file attempting to establish a network connection and on a network address of a remote end of the network connection; and

taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.

Citations

32 Claims

1. A method, comprising:
- receiving a reputation value based on a hash of a file attempting to establish a network connection and on a network address of a remote end of the network connection; and
  
  taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10)
- - 2. The method of claim 1, wherein the reputation value is further based on query patterns.
  - 3. The method of claim 1, further comprising sending a query to a threat analysis host to request the reputation value.
  - 4. The method of claim 1, further comprising intercepting the network connection and sending a query to a remote host to request the reputation value.
  - 5. The method of claim 1, wherein the network connection is an inbound connection.
  - 6. The method of claim 1, wherein the network connection is an outbound network connection.
  - 8. The method of claim 1, wherein the policy action comprises blocking the connection.
  - 9. The method of claim 1, wherein the policy action comprises alerting a user.
  - 10. The method of claim 1, wherein the policy action comprises creating a log of the network connection.

7. (canceled)

11. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection; and
  
  taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection.
- View Dependent Claims (12, 13, 14, 15, 16, 18, 19, 20)
- - 12. The encoded logic of claim 11, wherein the reputation value is further based on query patterns.
  - 13. The encoded logic of claim 11, wherein the operations further comprise sending a query to a remote host to request the reputation value.
  - 14. The encoded logic of claim 11, wherein the operations further comprise intercepting the network connection and sending a query to a remote host to request the reputation value.
  - 15. The encoded logic of claim 11, wherein the network connection is an inbound connection.
  - 16. The encoded logic of claim 11, wherein the network connection is an outbound network connection.
  - 18. The encoded logic of claim 11, wherein the policy action comprises blocking the network connection.
  - 19. The encoded logic of claim 11, wherein the policy action comprises alerting a user.
  - 20. The encoded logic of claim 11, wherein the policy action comprises creating a log of the network connection.

17. (canceled)

21. An apparatus, comprising:
- an analyzer module;
  
  one or more processors operable to execute instructions associated with the analyzer module, the one or more processors being operable to perform further operations comprising;
  
  receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection; and
  
  taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection.
- View Dependent Claims (22, 23, 24, 25, 26, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein the reputation value is further based on query patterns.
  - 23. The apparatus of claim 21, wherein the operations further comprise sending a query to a remote host to request the reputation value.
  - 24. The apparatus of claim 21, wherein the operations further comprise intercepting the network connection and sending a query to a remote host to request the reputation value.
  - 25. The apparatus of claim 21, wherein the network connection is an inbound connection.
  - 26. The apparatus of claim 21, wherein the network connection is an outbound network connection.
  - 28. The apparatus of claim 21, wherein the policy action comprises blocking the network connection.
  - 29. The apparatus of claim 21, wherein the policy action comprises alerting a user.
  - 30. The apparatus of claim 21, wherein the policy action comprises creating a log of the network connection.

27. (canceled)

31. A method comprising:
- receiving a reputation query from an endhost, the reputation query having a hash of a file making a network connection and a network address of a remote end of the network connection;
  
  assigning a reputation value to the network connection based on behavior history associated with the hash and the network address; and
  
  sending the reputation value to the endhost.
- View Dependent Claims (32)
- - 32. The method of claim 31, wherein the hash is a cryptographic hash.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alperovitch, Dmitri, Krasser, Sven

Granted Patent

US 9,122,877 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 16/148   File search processing

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links