Detecting compromised computers by correlating reputation data with web access logs

US 7,882,542 B2
Filed: 06/30/2007
Issued: 02/01/2011
Est. Priority Date: 04/02/2007
Status: Active Grant

First Claim

Patent Images

1. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:

arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;

receiving reputation data associated with a resource from a reputation service;

analyzing, responsively to receiving, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource; and

generating a security assessment that includes results from the analyzing, wherein the security assessment is arranged for providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised.

98 Citations

View as Search Results

19 Claims

1. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
  
  receiving reputation data associated with a resource from a reputation service;
  
  analyzing, responsively to receiving, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource; and
  
  generating a security assessment that includes results from the analyzing, wherein the security assessment is arranged for providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The automated method of claim 1 in which the traffic monitoring endpoint is one of a firewall, proxy server, gateway or router.
  - 3. The automated method of claim 1 in which the resource is an IP address or a website URI.
  - 4. The automated method of claim 1 including a further step of raising an alert in response to the security assessment.
  - 5. The automated method of claim 4 in which the alert is communicated via an endpoint in the enterprise network that is arranged for centralized logging of security assessments and auditing.
  - 6. The automated method of claim 1 in which the analyzing of the log maintained by the traffic monitoring endpoint identifies resources that were accessed by client computers during a time window.
  - 7. The automated method of claim 6 in which the time window is defined having a predetermined proximity to a time associated with the detected security incident.
  - 8. The automated method of claim 5 in which the endpoint for centralized logging and auditing is configured with an interface for accepting user input to block access to the resource.
  - 9. The automated method of claim 1 in which the security assessment triggers a response at an endpoint, the response being one of performing a scan, cleaning an infection, or quarantining an identified client computer.

10. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
  
  receiving reputation data associated with a resource from a reputation service;
  
  monitoring access attempts to the resource which occur after receiving the reputation data;
  
  analyzing, responsively to the monitoring, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource before receiving the reputation data; and
  
  generating a security assessment that includes results from the analyzing, wherein the security assessment is arranged for providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.
- View Dependent Claims (11, 12, 13, 14, 15, 17)
- - 11. The automated method of claim 10 in which the traffic monitoring endpoint is one of a firewall, proxy server, gateway or router.
  - 12. The automated method of claim 10 in which the resource is an IP address or a website URI.
  - 13. The automated method of claim 10 including a further step of raising an alert in response to the security assessment.
  - 14. The automated method of claim 13 in which the alert is communicated via an endpoint in the enterprise network that is arranged for centralized logging of security assessments and auditing.
  - 15. The automated method of claim 10 in which the security assessment triggers a response at an endpoint, the response being one of performing a scan, cleaning an infection, or quarantining an identified client computer.
  - 17. The automated method of claim 10 in which the resource is an IP address or a website URI.

16. An automated method for detecting a compromised client computer in an enterprise network, the method comprising the steps of:
- arranging the enterprise network so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel;
  
  checking a resource with a reputation service to determine if the resource is malicious;
  
  analyzing, responsively to the checking, a log that is maintained by a traffic monitoring endpoint that is arranged to monitor traffic crossing a boundary of the enterprise network to retroactively identify any client computers that accessed the resource before the checking with the reputation service was performed; and
  
  generating a security assessment that includes results from the analyzing, wherein the security assessment is arranged for providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.
- View Dependent Claims (18, 19)
- - 18. The automated method of claim 16 in which the analyzing is performed over a time window that may be adjusted by user input.
  - 19. The automated method of claim 16 in which the security assessment triggers a response at an endpoint, the response being one of performing a scan, raising an alert, cleaning an infection, or quarantining an identified client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Hudis, Efim, Helman, Yair, Faynburd, Alexandra
Primary Examiner(s)
Song; Hosuk

Application Number

US11/824,649
Publication Number

US 20080244748A1
Time in Patent Office

1,312 Days
Field of Search

726 1- 6, 726 11- 15, 726 22- 26, 713/150, 713153-154, 709223-225
US Class Current

726/3
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/308 retaining data, e.g. retain...

Detecting compromised computers by correlating reputation data with web access logs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting compromised computers by correlating reputation data with web access logs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links