Systems providing a network resource address reputation service
First Claim
1. A system comprising:
    A) one or more network security device being communicatively coupled to a network and;
        i) storing a plurality of event signatures; and
        ii) configured to determine whether an event associated with a first network resource having a first network resource address matches one or more of said plurality of event signatures;
    B) a first malicious network resource address database being communicatively coupled to said network and storing a plurality of malicious network resource addresses determined to be malicious by one or more external feeds;
    C) one or more server computer being communicatively coupled to said network and configured to, responsive to a determination that said event matches one or more of said plurality of event signatures;
        i) generate a reputation score for said first network resource address by;
            a) determining a quantity of event signature matches associated with each of a plurality of network resource addresses, wherein said plurality of network resource addresses includes said first network resource address;
            b) sequencing each of said plurality of network resource addresses amongst each of said plurality of network resource addresses according to said quantity of event signature matches associated with each of said plurality of network resource addresses;
            c) grouping said quantity of event signature matches associated with each of said plurality of network resource addresses according to a common quantity of event signature matches;
            d) generating a rolling count for each grouping of said common quantity of event signature matches;
            e) assigning a percentile score to each of said quantity of event signature matches associated with each of said plurality of network resource addresses according to said rolling count; and
            f) assigning the percentile score assigned to the quantity of event signature matches associated with said network resource addresses as said reputation score for said first network resource address;
        ii) determine whether said first network resource address is present in said first malicious network resource address database;
        iii) responsive to a determination that said first network resource address is present in said first malicious network resource address database, modify said reputation score to indicate a more negative reputation for said first network resource address; and
        iv) store, in a second malicious network resource address database, said first network resource address in association with said reputation score; and
    D) said second malicious network resource address database being communicatively coupled to said network.
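The scoring procedure in element C of claim 1 is easier to follow as code. The block below is an added worked example, not code from the patent or its assignee: it counts signature matches per address (step a), orders and groups addresses by their match count (steps b and c), builds a rolling count across the groups (step d), converts the rolling count into a percentile (step e) that becomes the reputation score (step f), checks the external-feed database (ii), makes the reputation more negative on a hit (iii), and stores the result in a second database (iv). The event records, the feed contents, the sign convention (more negative means worse) and the size of the feed penalty are all constructed assumptions; the claim fixes none of them.

```python
from collections import Counter

# Constructed sample events: (source address, matched signature id). Each tuple is
# one signature match reported by a network security device.
SAMPLE_EVENTS = [
    ("198.51.100.7", "sig-ssh-bruteforce"),
    ("198.51.100.7", "sig-ssh-bruteforce"),
    ("198.51.100.7", "sig-port-scan"),
    ("203.0.113.9", "sig-port-scan"),
    ("203.0.113.9", "sig-sqli"),
    ("192.0.2.4", "sig-port-scan"),
    ("192.0.2.5", "sig-sqli"),
    ("192.0.2.6", "sig-sqli"),
    ("192.0.2.6", "sig-sqli"),
]

# Constructed "first malicious network resource address database": addresses an
# external feed has already flagged.
EXTERNAL_FEED = {"203.0.113.9"}

# Assumption: the claim says the score becomes "more negative" on a feed hit but
# not by how much; a fixed penalty is used here.
FEED_PENALTY = 25.0


def count_matches(events):
    """Step a): quantity of event-signature matches per network resource address."""
    return Counter(addr for addr, _sig in events)


def percentile_scores(match_counts):
    """Steps b) to e): map each address to the percentile of its match count.

    Addresses sharing a match count form one group; the rolling count is the
    number of addresses with that many matches or fewer, and the percentile is
    that rolling count as a share of all scored addresses (an interpretation of
    the claim, since it does not define the percentile formula).
    """
    total = len(match_counts)
    if total == 0:
        return {}
    groups = {}                                   # c) group by common match count
    for addr, n in match_counts.items():
        groups.setdefault(n, []).append(addr)
    rolling = 0
    scores = {}
    for n in sorted(groups):                      # b) sequence by match count
        rolling += len(groups[n])                 # d) rolling count over groups
        pct = 100.0 * rolling / total             # e) percentile from rolling count
        for addr in groups[n]:
            scores[addr] = pct
    return scores


def score_address(addr, events, feed):
    """Element C for one address: the record to store in the second database,
    or None when the address produced no signature match (the claim only scores
    responsive to a match)."""
    counts = count_matches(events)
    if counts.get(addr, 0) == 0:
        return None
    pct = percentile_scores(counts)[addr]         # f) percentile is the reputation score
    reputation = -pct                             # assumption: more negative = worse
    feed_listed = addr in feed                    # ii) look up the first database
    if feed_listed:
        reputation -= FEED_PENALTY                # iii) more negative reputation
    return {"address": addr, "matches": counts[addr], "percentile": pct,
            "feed_listed": feed_listed, "reputation": reputation}


def build_reputation_db(events, feed):
    """Step iv): the second malicious-address database, address -> record."""
    return {addr: score_address(addr, events, feed) for addr in count_matches(events)}


if __name__ == "__main__":
    db = build_reputation_db(SAMPLE_EVENTS, EXTERNAL_FEED)
    for rec in sorted(db.values(), key=lambda r: r["reputation"]):
        print(rec)
```

With the constructed events, the two addresses with a single match share the lowest percentile (40.0), the two with two matches share 80.0, and the address with three matches gets 100.0; only 203.0.113.9, which the feed also lists, is pushed below -100 by the penalty. Because the percentile is relative to the set of addresses observed in the same window, a practitioner should expect every address's score to shift whenever new addresses enter or leave that window.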
4 Assignments
0 Petitions
Abstract
An exemplary system for providing a network resource address reputation service may comprise a server computer configured to determine whether an event associated with a network resource address matches event signature(s) in network security device(s). If the event matches a signature, a reputation score for the network resource address may be generated. If the network resource address is not present in a first malicious network resource address database, the network resource address in association with the reputation score may be stored in a second malicious network resource address database. If the network resource address is present in the first malicious network resource address database, the reputation score may be modified to indicate a more negative reputation for the network resource address. The network resource address may then be stored in association with the modified reputation score in a second malicious network resource address database.
157 Citations
20 Claims
1. A system comprising: (independent claim; its full text is given under First Claim above. Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend from claim 1.)
11. A system comprising, one or more server computer communicatively coupled to a network and configured to:
    A) determine whether an event associated with a first network resource having a first network resource address matches one or more of a plurality of event signatures stored in one or more network security device;
    B) responsive to a determination that said event matches said one or more of a plurality of event signatures, generate a reputation score for said first network resource address by;
        i) determining a quantity of event signature matches associated with each of a plurality of network resource addresses, wherein said plurality of network resource addresses includes said first network resource address;
        ii) sequencing each of said plurality of network resource addresses amongst each of said plurality of network resource addresses according to said quantity of event signature matches associated with each of said plurality of network resource addresses;
        iii) grouping said quantity of event signature matches associated with each of said plurality of network resource addresses according to a common quantity of event signature matches;
        iv) generating a rolling count for each grouping of said common quantity of event signature matches;
        v) assigning a percentile score to each of said quantity of event signature matches associated with each of said plurality of network resource addresses according to said rolling count; and
        vi) assigning the percentile score assigned to the quantity of event signature matches associated with said network resource addresses as said reputation score for said first network resource address;
    C) determine whether said first network resource address is stored in a first malicious network resource address database storing a plurality of malicious network resource addresses determined to be malicious by one or more external feeds;
    D) responsive to a determination that said first network resource address is present in said first malicious network resource address database, modify said reputation score to indicate a more negative reputation for said first network resource address; and
    E) store said first network resource address in association with said reputation score in a second malicious network resource address database.
(Dependent claims 12, 13, 14, 15, 16, 17, 18, 19 and 20 depend from claim 11.)
Specification