Systems providing a network resource address reputation service

US 8,370,407 B1
Filed: 06/28/2011
Issued: 02/05/2013
Est. Priority Date: 06/28/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

A) one or more network security device being communicatively coupled to a network and;

i) storing a plurality of event signatures; and

ii) configured to determine whether an event associated with a first network resource having a first network resource address matches one or more of said plurality of event signatures;

B) a first malicious network resource address database being communicatively coupled to said network and storing a plurality of malicious network resource addresses determined to be malicious by one or more external feeds;

C) one or more server computer being communicatively coupled to said network and configured to, responsive to a determination that said event matches one or more of said plurality of event signatures;

i) generate a reputation score for said first network resource address by;

a) determining a quantity of event signature matches associated with each of a plurality of network resource addresses, wherein said plurality of network resource addresses includes said first network resource address;

b) sequencing each of said plurality of network resource addresses amongst each of said plurality of network resource addresses according to said quantity of event signature matches associated with each of said plurality of network resource addresses;

c) grouping said quantity of event signature matches associated with each of said plurality of network resource addresses according to a common quantity of event signature matches;

d) generating a rolling count for each grouping of said common quantity of event signature matches;

e) assigning a percentile score to each of said quantity of event signature matches associated with each of said plurality of network resource addresses according to said rolling count; and

f) assigning the percentile score assigned to the quantity of event signature matches associated with said network resource addresses as said reputation score for said first network resource address;

ii) determine whether said first network resource address is present in said first malicious network resource address database;

iii) responsive to a determination that said first network resource address is present in said first malicious network resource address database, modify said reputation score to indicate a more negative reputation for said first network resource address; and

iv) store, in a second malicious network resource address database, said first network resource address in association with said reputation score; and

D) said second malicious network resource address database being communicatively coupled to said network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary system for providing a network resource address reputation service may comprise a server computer configured to determine whether an event associated with a network resource address matches event signature(s) in network security device(s). If the event matches a signature, a reputation score for the network resource address may be generated. If the network resource address is not present in a first malicious network resource address database, the network resource address in association with the reputation score may be stored in a second malicious network resource address database. If the network resource address is present in the first malicious network resource address database, the reputation score may be modified to indicate a more negative reputation for the network resource address. The network resource address may then be stored in association with the modified reputation score in a second malicious network resource address database.

157 Citations

20 Claims

1. A system comprising:
- A) one or more network security device being communicatively coupled to a network and;
  
  i) storing a plurality of event signatures; and
  
  ii) configured to determine whether an event associated with a first network resource having a first network resource address matches one or more of said plurality of event signatures;
  
  B) a first malicious network resource address database being communicatively coupled to said network and storing a plurality of malicious network resource addresses determined to be malicious by one or more external feeds;
  
  C) one or more server computer being communicatively coupled to said network and configured to, responsive to a determination that said event matches one or more of said plurality of event signatures;
  
  i) generate a reputation score for said first network resource address by;
  
  a) determining a quantity of event signature matches associated with each of a plurality of network resource addresses, wherein said plurality of network resource addresses includes said first network resource address;
  
  b) sequencing each of said plurality of network resource addresses amongst each of said plurality of network resource addresses according to said quantity of event signature matches associated with each of said plurality of network resource addresses;
  
  c) grouping said quantity of event signature matches associated with each of said plurality of network resource addresses according to a common quantity of event signature matches;
  
  d) generating a rolling count for each grouping of said common quantity of event signature matches;
  
  e) assigning a percentile score to each of said quantity of event signature matches associated with each of said plurality of network resource addresses according to said rolling count; and
  
  f) assigning the percentile score assigned to the quantity of event signature matches associated with said network resource addresses as said reputation score for said first network resource address;
  
  ii) determine whether said first network resource address is present in said first malicious network resource address database;
  
  iii) responsive to a determination that said first network resource address is present in said first malicious network resource address database, modify said reputation score to indicate a more negative reputation for said first network resource address; and
  
  iv) store, in a second malicious network resource address database, said first network resource address in association with said reputation score; and
  
  D) said second malicious network resource address database being communicatively coupled to said network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein said network comprises the Internet.
  - 3. The system of claim 2, wherein said one or more network security devices comprise a distributed denial of service mitigation device, an intrusion detection system, an intrusion prevention system, a host-based intrusion prevention system, or a web application firewall.
  - 4. The system of claim 3, wherein said plurality of event signatures comprise a plurality of malware signatures.
  - 5. The system of claim 4, wherein said plurality of malware signatures comprise a virus signature, a worm signature, a trojan horse signature, a rootkit signature, a backdoor signature, a spyware signature, a keystroke logger signature, or a phishing application signature.
  - 6. The system of claim 3, wherein said plurality of event signatures comprise a plurality of attack signatures.
  - 7. The system of claim 6, wherein said plurality of attack signatures comprise one or more signatures identifying a botnet attack, a shell code attack, a cross site scripting attack, a SQL injection attack, a directory reversal attack, a remote code execution attack, a distributed denial of service attack, a brute force attack, a remote file inclusion attack, a script injection attack, or an iFrame injection attack.
  - 8. The method of claim 1, wherein said one or more external feeds comprises a malware domain list feed, a malware URL list feed, an emerging threat feed, an intrusion detection feed, a botnet tracking feed, a phishing tracking feed, a spam tracking feed, or a compromised network feed.
  - 9. The system of claim 1, wherein said one or more server computer is further configured to:
    - D) determine whether said reputation score exceeds a predetermined value; and
      
      E) responsive to a determination that said reputation score exceeds said predetermined value, add said first network resource address to a blacklist.
  - 10. The system of claim 1, wherein said at least one server computer further comprise an applications programming interface providing a plurality of third parties access to said second malicious network resource address database.

11. A system comprising, one or more server computer communicatively coupled to a network and configured to:
- A) determine whether an event associated with a first network resource having a first network resource address matches one or more of a plurality of event signatures stored in one or more network security device;
  
  B) responsive to a determination that said event matches said one or more of a plurality of event signatures, generate a reputation score for said first network resource address by;
  
  i) determining a quantity of event signature matches associated with each of a plurality of network resource addresses, wherein said plurality of network resource addresses includes said first network resource address;
  
  ii) sequencing each of said plurality of network resource addresses amongst each of said plurality of network resource addresses according to said quantity of event signature matches associated with each of said plurality of network resource addresses;
  
  iii) grouping said quantity of event signature matches associated with each of said plurality of network resource addresses according to a common quantity of event signature matches;
  
  iv) generating a rolling count for each grouping of said common quantity of event signature matches;
  
  v) assigning a percentile score to each of said quantity of event signature matches associated with each of said plurality of network resource addresses according to said rolling count; and
  
  vi) assigning the percentile score assigned to the quantity of event signature matches associated with said network resource addresses as said reputation score for said first network resource address;
  
  C) determine whether said first network resource address is stored in a first malicious network resource address database storing a plurality of malicious network resource addresses determined to be malicious by one or more external feeds;
  
  D) responsive to a determination that said first network resource address is present in said first malicious network resource address database, modify said reputation score to indicate a more negative reputation for said first network resource address; and
  
  E) store said first network resource address in association with said reputation score in a second malicious network resource address database.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein said network comprises the Internet.
  - 13. The system of claim 12, wherein said one or more network security device comprises a distributed denial of service mitigation device, an intrusion detection system, an intrusion prevention system, a host-based intrusion prevention system, or a web application firewall.
  - 14. The system of claim 13, wherein said plurality of event signatures comprise a plurality of malware signatures.
  - 15. The system of claim 14, wherein said plurality of malware signatures comprise a virus signature, a worm signature, a trojan horse signature, a rootkit signature, a backdoor signature, a spyware signature, a keystroke logger signature, or a phishing application signature.
  - 16. The system of claim 13, wherein said plurality of event signatures comprise a plurality of attack signatures.
  - 17. The system of claim 16, wherein said plurality of attack signatures comprise one or more signatures identifying a botnet attack, a shell code attack, a cross site scripting attack, a SQL injection attack, a directory reversal attack, a remote code execution attack, a distributed denial of service attack, a brute force attack, a remote file inclusion attack, a script injection attack, or an iFrame injection attack.
  - 18. The system of claim 11, wherein said one or more external feeds comprises a malware domain list feed, a malware URL list feed, an emerging threat feed, an intrusion detection feed, a botnet tracking feed, a phishing tracking feed, a spam tracking feed, or a compromised network feed.
  - 19. The system of claim 12, wherein said one or more server computer is further configured to:
    - F) determine whether said reputation score exceeds a predetermined value; and
      
      G) responsive to a determination that said reputation score exceeds said predetermined value, add said first network resource address to a blacklist.
  - 20. The system of claim 12, wherein said at least one server computer further comprise an applications programming interface providing a plurality of third parties access to said second malicious network resource address database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Go Daddy Operating Company LLC (GoDaddy, Inc.)
Original Assignee
Go Daddy Operating Company LLC (GoDaddy, Inc.)
Inventors
Devarajan, Ganesh, Herbelin, Russell, LeBert, Don, Redfoot, Todd, Warner, Neil
Primary Examiner(s)
Chen, Susan

Application Number

US13/170,514
Time in Patent Office

588 Days
Field of Search

None
US Class Current

707/899
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Systems providing a network resource address reputation service

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems providing a network resource address reputation service

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links