Multi-dimensional reputation scoring

US 8,214,497 B2
Filed: 01/24/2007
Issued: 07/03/2012
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method operable to assign a reputation to a communications entity associated with a received communication, the method comprising:

dispersing a plurality of agents within a widely distributed network, each of the agents being associated with a respective security device operable to protect an associated network from communications that violate a policy associated with the associated network;

collecting data associated with communications from a plurality of entities originating communications, the plurality of entities including a reputable entity with a reputable reputation, a non-reputable entity with a non-reputable reputation and an unknown entity with an unknown reputation, wherein collecting data comprises using the plurality of agents to collect data associated with the communications;

aggregating the collected data;

analyzing the aggregated data to identify attributes respectively associated with the communications from the plurality of entities;

correlating the attributes to identify relationships between each of the plurality of entities, each identified relationship between entities is associated with a strength based on similarities between the attributes of communications from the entities;

attributing, by one or more data processors, a portion of reputable qualities from the reputable entity to the reputation of the unknown entity based on the strength of the relationship between the reputable entity and the unknown entity;

attributing, by the one or more data processors, a portion of non-reputable qualities from the non-reputable entity to the reputation of the unknown entity based on the strength of the relationship between the non-reputable entity and the unknown entity;

updating the reputation of the unknown entity based upon the portion of reputable qualities attributed to the unknown entity from the reputable entity and the portion of non-reputable qualities attributed to the unknown entity from the non-reputable entity, wherein the reputation of the unknown entity comprises indications of a reputation of the unknown entity in a plurality of categories representing types of activity in which the unknown entity or related entities have engaged; and

communicating data specifying the updated reputation information of the unknown entity to one or more of the plurality of agents.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data.

569 Citations

39 Claims

1. A computer implemented method operable to assign a reputation to a communications entity associated with a received communication, the method comprising:
- dispersing a plurality of agents within a widely distributed network, each of the agents being associated with a respective security device operable to protect an associated network from communications that violate a policy associated with the associated network;
  
  collecting data associated with communications from a plurality of entities originating communications, the plurality of entities including a reputable entity with a reputable reputation, a non-reputable entity with a non-reputable reputation and an unknown entity with an unknown reputation, wherein collecting data comprises using the plurality of agents to collect data associated with the communications;
  
  aggregating the collected data;
  
  analyzing the aggregated data to identify attributes respectively associated with the communications from the plurality of entities;
  
  correlating the attributes to identify relationships between each of the plurality of entities, each identified relationship between entities is associated with a strength based on similarities between the attributes of communications from the entities;
  
  attributing, by one or more data processors, a portion of reputable qualities from the reputable entity to the reputation of the unknown entity based on the strength of the relationship between the reputable entity and the unknown entity;
  
  attributing, by the one or more data processors, a portion of non-reputable qualities from the non-reputable entity to the reputation of the unknown entity based on the strength of the relationship between the non-reputable entity and the unknown entity;
  
  updating the reputation of the unknown entity based upon the portion of reputable qualities attributed to the unknown entity from the reputable entity and the portion of non-reputable qualities attributed to the unknown entity from the non-reputable entity, wherein the reputation of the unknown entity comprises indications of a reputation of the unknown entity in a plurality of categories representing types of activity in which the unknown entity or related entities have engaged; and
  
  communicating data specifying the updated reputation information of the unknown entity to one or more of the plurality of agents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the indications comprise a reputation vector.
  - 3. The method of claim 2, further comprising using the communicated updated reputation information to determine whether to allow a voice over internet protocol connection or a short message service connection.
  - 4. The method of claim 3, further comprising comparing the reputation information to a policy to determine whether to allow a voice over internet protocol connection or a short message service connection.
  - 5. The method of claim 4, wherein the policy is defined by an administrator of the associated network to which the policy belongs.
  - 6. The method of claim 2, further comprising using the communicated reputation information to determine one or more selected interrogation engines selected from a plurality of interrogation engines, wherein the selected interrogation engines will interrogate a received communication.
  - 7. The method of claim 6, wherein the one or more selected interrogation engines omit any of the plurality of interrogation engines that test for risks that are not implicated by the reputation vector.
  - 8. The method of claim 2, further comprising using the communicated reputation information to determine which of a plurality of agents to use for interrogation of a received communication.
  - 9. The method of claim 8, wherein a communication associated with an entity that does not comply with a policy for the associated network is assigned to an agent based on the interrogation volume of the agent'"'"'s interrogation queue.
  - 10. The method of claim 8, wherein a communication associated with an entity that complies with a policy for the associated network is assigned to an agent based on the interrogation volume of the agent'"'"'s interrogation queue.
  - 11. The method of claim 2, wherein the reputation comprises one or more of a reputation for originating spam, a reputation for originating image spam, a reputation for originating attacks, a reputation for intrusion, a reputation for originating phishing communications, a geolocation-based reputation, or a reputation for originating bulk mail.
  - 12. The method of claim 2, wherein the plurality of agents include local reputation information, the local reputation information comprising one or more reputations respectively associated with one or more entities.
  - 13. The method of claim 12, further comprising:
    - aggregating the local reputation information; and
      
      deriving a global reputation vector based upon the aggregation of the local reputation information.
  - 14. The method of claim 13, further comprising:
    - receiving a reputation query from an agent;
      
      deriving the global reputation vector responsive to the reputation query; and
      
      communicating the global reputation vector to the agent originating the reputation query.
  - 15. The method of claim 14, wherein the local reputation information comprises a plurality of local reputations and confidence values associated with the local reputations, wherein aggregating the local reputation information comprises adjusting each of the local reputations by an associated confidence value and combining the adjusted local reputations to produce a native global reputation vector.
  - 16. The method of claim 15, further comprising applying a transform to the native global reputation vector to produce the global reputation vector.
  - 17. The method of claim 16, wherein the transform comprises a local bias associated with the agent originating the reputation query.
  - 18. The method of claim 17, wherein the local bias is operable to adjust the native global bias based upon preferences associated with the associated network.
  - 19. The method of claim 1, wherein the entities comprise web entities operable to receive hypertext transfer protocol requests and to communicate one or more web pages responsive to the hypertext transfer protocol requests, wherein the reputation associated with the web entities comprises a reputation for communication of non-reputable web pages.

20. A computer implemented method operable to assign a reputation to a communications entity associated with a received communication, comprising:
- collecting data associated with communications from a plurality of entities originating communications, the plurality of entities including a reputable entity with a reputable reputation, a non-reputable entity with a non-reputable reputation and an unknown entity with an unknown reputation, wherein collecting data comprises receiving data from a plurality of agents dispersed in a widely distributed network and associated with respective security devices to collect data associated with the communications;
  
  aggregating the collected data;
  
  analyzing the aggregated data to identify attributes respectively associated with the communications from the plurality of entities;
  
  correlating the attributes to identify relationships between each of the plurality of entities each identified relationship between entities is associated with a strength based on similarities between the attributes of communications from the entities;
  
  attributing, by one or more data processors, a portion reputable qualities from the reputable entity to the reputation of the unknown entity based on the strength of the relationship between the reputable entity and the unknown entity;
  
  attributing, by the one or more data processors, a portion of non-reputable qualities from the non-reputable entity to the reputation of the unknown entity based on the strength of the relationship between the non-reputable entity and the unknown entity;
  
  updating the reputation of the unknown entity based upon the portion of reputable qualities attributed to the unknown entity from the reputable entity and the portion of non-reputable qualities attributed to the unknown entity from the non-reputable entity, wherein the reputation of the unknown entity comprises indications of a reputation of the unknown entity in a plurality of categories representing types of activity in which the unknown entity or related entities have engaged; and
  
  handling communications based upon the updated reputation.

21. A distributed system operable to derive and communicate a reputation associated with a communications entity, comprising:
- a communications device operable to communicate with a plurality of agents dispersed within a global network, each of the agents being operable to derive respective local reputations associated with entities from which communications are received, wherein the plurality of agents are further operable to collect data associated with received communications;
  
  one or more data aggregation engines operable to aggregate the collected data via the communications device;
  
  computer memory operable to store the aggregated data;
  
  an analyzer operable to analyze the data to identify attributes respectively associated with entities originating the received communications, wherein the originating entities including a reputable entity with a reputable reputation, a non-reputable entity with a non-reputable reputation and an unknown entity with an unknown reputation;
  
  a correlation engine operable to correlate the attributes associated with the originating entities and to identify relationships between the entities, each identified relationship between originating entities associated with a strength based on similarities between the attributes of communications from the entities;
  
  a reputation engine operable to;
  
  identify relationships between the originating entities;
  
  attribute a portion of reputable qualities from the reputable entity to the reputation of the unknown entity based on the strength of the relationship between the reputable entity and the unknown entity;
  
  attribute a portion of non-reputable qualities from the non-reputable entity to the reputation of the unknown entity based on the strength of the relationship between the non-reputable entity and the unknown entity; and
  
  update the reputation associated with the unknown entity based upon the portion of reputable qualities attributed to the unknown entity from the reputable entity and the portions of non-reputable qualities attributed to the unknown entity from the non-reputable entity, wherein the reputation of the unknown entity comprises indications of a reputation of the unknown entity in a plurality of categories representing types of activity in which the unknown entity or related entities have engaged; and
  
  wherein the communications device is further operable to communicate the updated reputation information to devices operating on the global network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 22. The system of claim 21, wherein the indications comprise a reputation vector.
  - 23. The system of claim 22, wherein the devices operating on the global network are operable to use the communicated updated reputation information to determine whether to allow a voice over interne protocol connection or a short message service connection.
  - 24. The system of claim 23, wherein the devices are operable to compare reputation information to a policy to determine whether to allow a voice over internet protocol connection or a short message service connection.
  - 25. The system of claim 24, wherein the policy is defined by an administrator of the associated network to which the device belongs.
  - 26. The system of claim 22, further comprising a load balancer operable to use the communicated reputation information to select one or more interrogation engines from a plurality of interrogation engines, wherein the one or more selected interrogation engines will interrogate a received communication.
  - 27. The system of claim 26, wherein the one or more selected interrogation engines comprise those of the plurality of interrogation engines that test for risks that are implicated by the reputation vector.
  - 28. The system of claim 22, further comprising a load balancer operable to use the communicated reputation information to determine which of a plurality of agents to use for interrogation of a received communication.
  - 29. The system of claim 28, wherein a communication associated with an entity that does not comply with a policy for the associated network is assigned to an agent based on an interrogation volume of an interrogation queue for the agent.
  - 30. The system of claim 28, wherein a communication associated with an entity that complies with policy for the associated network is assigned to an agent based on an interrogation volume of an interrogation queue for the agent.
  - 31. The system of claim 22, wherein the reputation comprises one or more of a reputation for originating spam, a reputation for originating image spam, a reputation for originating attacks, a reputation for intrusion, a reputation for originating phishing communications, or a reputation for originating bulk mail.
  - 32. The system of claim 22, wherein the plurality of agents include local reputation information, the local reputation information comprising one or more reputations respectively associated with one or more entities.
  - 33. The system of claim 32, further comprising a reputation aggregation engine operable to aggregate local reputation information retrieved from the plurality of agents, and to derive a global reputation vector based upon the aggregation of the local reputation information.
  - 34. The system of claim 33, wherein the communications device is operable to receive a reputation query from an agent, and the reputation aggregation engine is operable to derive the global reputation vector responsive to the reputation query, whereby the communications device can communicate the global reputation vector to the agent originating the reputation query.
  - 35. The system of claim 34, wherein the local reputation information comprises a plurality of local reputations and confidence values associated with the local reputations, wherein reputation aggregation engine is operable to adjust each of the local reputations by an associated confidence value and combining the adjusted local reputations to produce a native global reputation vector.
  - 36. The system of claim 35, wherein the reputation aggregation engine is further operable to apply a transform to the native global reputation vector to produce the global reputation vector.
  - 37. The system of claim 36, wherein the transform comprises a local bias associated with the agent originating the reputation query.
  - 38. The system of claim 37, wherein the local bias is operable to adjust the native global bias based upon preferences associated with the associated network.
  - 39. The system of claim 21, wherein the entities comprise web entities operable to receive hypertext transfer protocol requests and to communicate one or more web pages responsive to the hypertext transfer protocol requests, wherein the reputation associated with the web entities comprises a reputation for communication of non-reputable web pages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alperovitch, Dmitri, Foote-Lennox, Tomo, Gould, Jeremy, Greve, Paula, Hernandez, Alejandro Manuel, Judge, Paul, Krasser, Sven, Lange, Tim, Schneck, Phyllis Adele, Stecher, Martin, Tang, Yuchun, Trivedi, Aarjav Jyotindra Neeta, Willis, Lamar Lorenzo, Yang, Weilai, Zdziarski, Jonathan Alexander
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
Thiaw, Catherine

Application Number

US11/626,603
Publication Number

US 20080175266A1
Time in Patent Office

1,987 Days
Field of Search

709/203, 709/206, 709223-226, 709/705, 709/706, 726/1, 726/14, 726/22, 705/1, 705/35
US Class Current

709/226
CPC Class Codes

G06F 21/554   involving event detection a...

G06Q 10/107   Computer-aided management o...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Multi-dimensional reputation scoring

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

569 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-dimensional reputation scoring

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

569 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links