SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION
First Claim
1. A method, comprising:
receiving a reputation value based on a hash of a file attempting to establish a network connection and on a network address of a remote end of the network connection; and
taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection.
Abstract
A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.
32 Claims
1. A method, comprising:
receiving a reputation value based on a hash of a file attempting to establish a network connection and on a network address of a remote end of the network connection; and taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection. (Dependent claims: 2, 3, 4, 5, 6, 8, 9, 10)
7. (canceled)
11. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection; and taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection. (Dependent claims: 12, 13, 14, 15, 16, 18, 19, 20)
17. (canceled)
21. An apparatus, comprising:
an analyzer module; one or more processors operable to execute instructions associated with the analyzer module, the one or more processors being operable to perform further operations comprising: receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection; and taking a policy action on the network connection if the reputation value indicates the hash or the network address is associated with malicious activity, wherein the reputation value is based on a file reputation associated with the hash and on a connection reputation associated with the network address of the remote end of the network connection. (Dependent claims: 22, 23, 24, 25, 26, 28, 29, 30)
27. (canceled)
31. A method comprising:
receiving a reputation query from an endhost, the reputation query having a hash of a file making a network connection and a network address of a remote end of the network connection; assigning a reputation value to the network connection based on behavior history associated with the hash and the network address; and sending the reputation value to the endhost. (Dependent claims: 32)
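The correlation the abstract and claims 1 and 31 describe, as an added example that is not the patent's or any assignee's code: the endhost hashes the file making a connection and queries with (hash, remote address); the threat-analysis side combines a file reputation for the hash with a connection reputation for the address and a query-pattern component, all drawn from constructed behaviour history; the endhost maps the value to a policy action. The score scale, the min-combination rule, the fan-out limit and the sample data are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed behaviour history standing in for a threat-analysis host's data.
# Scores run 0..100; higher means more trusted (an assumed scale).
FILE_REPUTATION = {
    hashlib.sha256(b"known-good-updater").hexdigest(): 95,
    hashlib.sha256(b"dropper.exe").hexdigest(): 5,
}
CONNECTION_REPUTATION = {
    "203.0.113.7": 10,    # TEST-NET address marked bad in the constructed history
    "198.51.100.20": 90,  # TEST-NET address with a clean history
}
UNKNOWN = 50             # neutral score for a hash or address with no history
FAN_OUT_LIMIT = 3        # query-pattern rule: distinct destinations per hash

QUERY_LOG = defaultdict(set)  # hash -> distinct remote addresses queried


def assign_reputation(file_hash: str, remote_addr: str) -> int:
    """Threat-analysis side (claim 31): combine file and connection reputation.

    The lower of the two dominates, so a known-bad hash or a known-bad
    destination alone is enough to flag the connection. A file that has been
    seen reaching out to more than FAN_OUT_LIMIT distinct addresses is
    penalised as a query-pattern signal (the abstract's "query patterns").
    """
    QUERY_LOG[file_hash].add(remote_addr)
    file_rep = FILE_REPUTATION.get(file_hash, UNKNOWN)
    conn_rep = CONNECTION_REPUTATION.get(remote_addr, UNKNOWN)
    rep = min(file_rep, conn_rep)
    if len(QUERY_LOG[file_hash]) > FAN_OUT_LIMIT:
        rep = min(rep, 20)
    return rep


def policy_action(reputation: int, block_below: int = 25, warn_below: int = 50) -> str:
    """Endhost side (claim 1): map the reputation value to a policy action."""
    if reputation < block_below:
        return "block"
    if reputation < warn_below:
        return "alert"
    return "allow"


def evaluate_connection(file_bytes: bytes, remote_addr: str) -> tuple:
    """Hash the file making the connection, query, and decide."""
    file_hash = hashlib.sha256(file_bytes).hexdigest()
    rep = assign_reputation(file_hash, remote_addr)
    return rep, policy_action(rep)
```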
Specification