Reputation-based authorization decisions

US 7,991,902 B2
Filed: 12/08/2006
Issued: 08/02/2011
Est. Priority Date: 12/08/2006
Status: Expired due to Fees

First Claim

Patent Images

1. One or more computer-readable storage devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:

allowing a software application to run on a client computing device, the software application, when running, being an executing software application;

receiving, from the executing software application that is allowed to run on the client computing device, a request to perform a particular operation on a file on the client computing device;

receiving an authorization input, the authorization input including a reputation value indicative of the executing software application'"'"'s reputation;

comparing the authorization input including the reputation value to an authorization rule;

in response to the comparing, outputting a granular authorization decision pertaining to the requested particular operation on the file on the client computing device, wherein the reputation value comprises a single reputation value aggregated from a plurality of reputation metadata from a plurality of different reputation metadata providers; and

wherein the reputation value is based on;

(i) input received from a group of human users indicating each human user'"'"'s experience with the executing software application, and (ii) input received from a group of computing entities indicating each computing entity'"'"'s review or analysis of the executing software application;

wherein;

in an event the authorization input meets or exceeds an authorization rule of a first type, in accordance with the authorization rule of the first type, the granular authorization decision allows the executing software application to perform the particular operation requested to be performed on the file on the client computing device;

in an event the authorization input meets or exceeds an authorization rule of a second type, in accordance with the authorization rule of the second type, the granular authorization decision presents a prompt for user input acceding to the executing software application performing the particular operation requested to be performed on the file on the client computing device; and

in an event the authorization input does not meet either the authorization rule of the first type or the authorization rule of the second type, in accordance with a third authorization rule, the granular authorization decision blocks the executing software application from performing the particular operation requested to be performed on the file on the client computing device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes tools capable of receiving reputation metadata effective to enable better decision making about whether or not to authorize operations. The tools may build a reputation value from this reputation metadata and, based on this value and an authorization rule, better decide whether or not to authorize an operation requested by some program, application, or other actor.

28 Citations

View as Search Results

14 Claims

1. One or more computer-readable storage devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- allowing a software application to run on a client computing device, the software application, when running, being an executing software application;
  
  receiving, from the executing software application that is allowed to run on the client computing device, a request to perform a particular operation on a file on the client computing device;
  
  receiving an authorization input, the authorization input including a reputation value indicative of the executing software application'"'"'s reputation;
  
  comparing the authorization input including the reputation value to an authorization rule;
  
  in response to the comparing, outputting a granular authorization decision pertaining to the requested particular operation on the file on the client computing device, wherein the reputation value comprises a single reputation value aggregated from a plurality of reputation metadata from a plurality of different reputation metadata providers; and
  
  wherein the reputation value is based on;
  
  (i) input received from a group of human users indicating each human user'"'"'s experience with the executing software application, and (ii) input received from a group of computing entities indicating each computing entity'"'"'s review or analysis of the executing software application;
  
  wherein;
  
  in an event the authorization input meets or exceeds an authorization rule of a first type, in accordance with the authorization rule of the first type, the granular authorization decision allows the executing software application to perform the particular operation requested to be performed on the file on the client computing device;
  
  in an event the authorization input meets or exceeds an authorization rule of a second type, in accordance with the authorization rule of the second type, the granular authorization decision presents a prompt for user input acceding to the executing software application performing the particular operation requested to be performed on the file on the client computing device; and
  
  in an event the authorization input does not meet either the authorization rule of the first type or the authorization rule of the second type, in accordance with a third authorization rule, the granular authorization decision blocks the executing software application from performing the particular operation requested to be performed on the file on the client computing device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-readable storage of claim 1, further comprising making the authorization decision based on the reputation value, a type of the operation requested, and a security level of the object.
  - 3. The computer-readable storage of claim 1 wherein the reputation value indicates that the reputation of the executing software application is good and the authorization decision is to allow the requested operation.
  - 4. The computer-readable storage of claim 1 wherein the authorization decision is to allow the executing software application to perform the requested operation on the file and to not allow another operation on the file.
  - 5. The computer-readable storage of claim 1, wherein the authorization input being received is from an access control module that is independent of a firewall.

6. One or more computer-readable storage devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- allowing code to run on a client computing device;
  
  receiving, from the code that is allowed to run on the client computing device, a request to perform a particular operation on an object on the client computing device;
  
  receiving an authorization input from an access control module, the authorization input including a single reputation value indicative of the code'"'"'s reputation, the single reputation value being aggregated from a plurality of reputation metadata from a plurality of different reputation metadata providers, and representing at least;
  
  reputation metadata input received from a group of human users indicating an experience of the human users with the code, andreputation metadata input received from a group of computing entities indicating a review or analysis by the computing entities of the code;
  
  comparing the authorization input including the reputation value to an authorization rule; and
  
  in response to the comparing, outputting a granular authorization decision pertaining to the particular requested operation on the object on the client computing device, wherein;
  
  in an event the authorization input meets or exceeds an authorization rule of a first type, in accordance with the authorization rule of the first type, the granular authorization decision allows the code to perform the particular operation requested to be performed on the object on the client computing device;
  
  in an event the authorization input meets or exceeds an authorization rule of a second type, in accordance with the authorization rule of the second type, the granular authorization decision presents a prompt for user input acceding to the code performing the particular operation requested to be performed on the object on the client computing device; and
  
  in an event the authorization input does not meet either the authorization rule of the first type or the authorization rule of the second type, in accordance with a third authorization rule, the granular authorization decision blocks the code from performing the particular operation requested to be performed on the object on the client computing device.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable storage of claim 6 wherein the code is run on the client computing device.
  - 8. The computer-readable storage of claim 6 wherein the object on the client computing device is a file and the particular requested operation is selected from the group consisting of reading, writing, deleting, and opening the file.
  - 9. The computer-readable storage of claim 6 wherein the code is selected from the group consisting of a software application, a software program, an application, a dynamically linked library, an installation program, a file, a picture, a document, an applet, and an active control.
  - 10. The computer-readable storage of claim 6 wherein the single reputation value indicates that the code'"'"'s reputation is that of one selected from the group consisting of a software update, an obsolete software, a software no longer supported, a known security vulnerability, a software patch, a document digitally signed by a publisher of the document, and a network address from which the code was obtained.

11. One or more computer-readable storage devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- allowing code to run on a client computing device;
  
  receiving, from the code that is allowed to run on the client computing device, a request to perform a particular operation on an object on the client computing device;
  
  receiving an authorization input from an access control module, the authorization input including a single reputation value indicative of the code'"'"'s reputation aggregated from a plurality of reputation metadata from a plurality of different reputation metadata providers, the single reputation value being aggregated at least from;
  
  reputation metadata input received from a group of human users indicating an experience of the human users with the code, andreputation metadata input received from a group of computing entities indicating a review or analysis by the computing entities of the code;
  
  comparing the authorization input including the reputation value to an authorization rule;
  
  in response to the comparing, outputting a granular authorization decision pertaining to the particular requested operation on the object on the client computing device;
  
  wherein;
  
  in an event the authorization input meets or exceeds an authorization rule of a first type, in accordance with the authorization rule of the first type, the granular authorization decision allows the code to perform the particular operation requested to be performed on the object on the client computing device;
  
  in an event the authorization input meets or exceeds an authorization rule of a second type, in accordance with the authorization rule of the second type, the granular authorization decision presents a prompt for user input acceding to the code performing the particular operation requested to be performed on the object on the client computing device; and
  
  in an event the authorization input does not meet either the authorization rule of the first type or the authorization rule of the second type, in accordance with a third authorization rule, the granular authorization decision blocks the code from performing the particular operation requested to be performed on the object on the client computing device.

12. One or more computer-readable storage devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- allowing an actor to run on a client computing device, the actor, when running, being a running actor comprising at least one of;
  
  a software program, an application, a dynamically linked library, an installation program, a file, a picture, a document, an applet, or an ActiveX control;
  
  receiving, from the running actor, a request to perform a particular operation on an object on the client computing device;
  
  receiving an authorization input, the authorization input including a single reputation value indicative of a reputation of the running actor that is aggregated from a plurality of reputation metadata from a plurality of different reputation metadata providers, wherein the single reputation value is aggregated at least from;
  
  reputation metadata input received from a group of human users indicating experience of the human users with the running actor, andreputation metadata input received from a group of computing entities indicating a review or analysis of the computing entities of the running actor;
  
  comparing the authorization input including the single reputation value to an authorization rule, the authorization rule being one of a plurality of types of authorization rules;
  
  in response to the comparing, outputting a granular authorization decision that controls the requested particular operation on the object on the client computing device, wherein;
  
  in an event the authorization input meets or exceeds an authorization rule of a first type, in accordance with the authorization rule of the first type, the granular authorization decision allows the running actor to perform the particular operation requested to be performed on the object on the client computing device;
  
  in an event the authorization input meets or exceeds an authorization rule of a second type, in accordance with the authorization rule of the second type, the granular authorization decision presents a prompt for user input acceding to the running actor performing the particular operation requested to be performed on the object on the client computing device; and
  
  in an event the authorization input does not meet either the authorization rule of the first type or the authorization rule of the second type, in accordance with a third authorization rule, the granular authorization decision blocks the running actor from performing the particular operation requested to be performed on the object on the client computing device.
- View Dependent Claims (13, 14)
- - 13. The one or more computer-readable storage as recited in claim 12, wherein in the event in an event the authorization input meets or exceeds an authorization rule of the second type, in accordance with the authorization rule of the second type, the granular authorization decision presents the prompt for user input acceding to the running actor performing the particular operation requested to be performed on the object on the client computing device, and wherein:
    - responsive to user input acceding to the running actor performing the particular operation requested to be performed on the object on the client computing device, the granular authorization decision allowing the running actor to perform the particular operation requested to be performed on the object on the client computing device;
      
      responsive to user input not acceding to the running actor performing the particular operation requested to be performed on the object on the client computing device, the granular authorization decision blocking the running actor from performing the particular operation requested to be performed on the object on the client computing device; and
      
      responsive to not receiving user input acceding to the running actor performing the particular operation requested to be performed on the object on the client computing device, the granular authorization decision blocking the running actor from performing the particular operation requested to be performed on the object on the client computing device.
  - 14. The one or more computer-readable storage as recited in claim 12, wherein the authorization input being received is from an access control module that is independent of a firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cross, David, Kurien, Varugis, Field, Scott
Primary Examiner(s)
BARQADLE, YASIN M

Application Number

US11/608,757
Publication Number

US 20080141366A1
Time in Patent Office

1,698 Days
Field of Search

709201-203, 709217-232
US Class Current

709/229
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

Reputation-based authorization decisions

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Reputation-based authorization decisions

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links