Communication-based host reputation system
Abstract
A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.
20 Claims
1. A computer system for generating a host reputation score for a host connected to a network, the computer system comprising:
- a memory;
- a processor;
- a reporting module stored on the memory and executable by the processor to:
  - receive information identifying a plurality of hosts connected to the network and information describing communications between a plurality of entities executing on a plurality of clients and the plurality of hosts;
  - receive information identifying one or more of the plurality of entities executing on the plurality of clients as malware threats; and
  - provide generated host reputation scores to the plurality of clients; and
- a host reputation module stored on the memory and executable by the processor to:
  - identify malware entities executing on the plurality of clients that communicate with the host based at least on the information identifying the plurality of hosts, the information describing communications between the plurality of entities executing on the plurality of clients and the plurality of hosts, and the information identifying one or more of the plurality of entities as malware threats;
  - determine a number of the malware entities executing on the plurality of clients that communicate with the host; and
  - generate the host reputation score for the host based at least on the number of the malware entities executing on the plurality of clients that communicate with the host, wherein the host reputation score for the host indicates a likelihood that the host is malicious.
Dependent claims: 2, 3, 4.
5. A computer-implemented method of identifying a malware threat at a client, the method comprising:
- receiving a host reputation score indicating whether a host connected to the client by a network is malicious, wherein the host reputation score is determined by:
  - identifying malware entities executing on a plurality of clients that communicate with the host based at least on information identifying a plurality of hosts, information describing communications between a plurality of entities executing on the plurality of clients and the plurality of hosts, and information identifying one or more of the plurality of entities as malware threats;
  - determining a number of the malware entities executing on the plurality of clients that communicate with the host; and
  - generating the host reputation score for the host based at least on the number of malware entities executing on the plurality of clients that communicate with the host;
- identifying an entity executing on the client that communicates with the host via the network; and
- determining, by a computer, whether the entity is a malware threat based at least on the host reputation score indicating whether the host connected to the client by the network is malicious.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium storing executable computer program code for identifying a malware threat at a client, the program code when executed by a processor causes the processor to perform the steps of:
- receiving a host reputation score indicating whether a host connected to the client by a network is malicious, wherein the host reputation score is determined by:
  - identifying malware entities executing on a plurality of clients that communicate with the host based at least on information identifying a plurality of hosts, information describing communications between a plurality of entities executing on a plurality of clients and the plurality of hosts, and information identifying one or more of the plurality of entities as malware threats;
  - determining a number of the malware entities executing on the plurality of clients that communicate with the host; and
  - generating the host reputation score for the host based at least on the number of malware entities executing on the plurality of clients that communicate with the host;
- identifying an entity executing on the client that communicates with the host via the network; and
- determining whether the entity is a malware threat based at least on the host reputation score indicating whether the host connected to the client by the network is malicious.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
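The scoring loop recited in claims 1, 5 and 13, sketched as an added example that is not code from the patent: client reports are aggregated per host, distinct malware entities are counted, a score is derived from that count, and a client then uses the score to flag entities of its own. The smoothed-ratio formula, `PRIOR`, `THRESHOLD`, the report tuple layout and all sample data are assumptions; the claims only require that the score be based at least on the number of malware entities communicating with the host.

```python
from collections import defaultdict

# Constructed sample telemetry: (client, entity, host contacted).
COMMUNICATIONS = [
    ("client-a", "updater.exe", "cdn.example.net"),
    ("client-a", "dropper.exe", "c2.example.org"),
    ("client-b", "dropper.exe", "c2.example.org"),
    ("client-b", "browser.exe", "cdn.example.net"),
    ("client-c", "bot.exe", "c2.example.org"),
    ("client-c", "bot.exe", "cdn.example.net"),
    ("client-d", "newtool.exe", "c2.example.org"),
    ("client-a", "dropper.exe", "c2.example.org"),  # repeated report
]
# Constructed verdicts: (client, entity) pairs reported as malware threats.
MALWARE = {("client-a", "dropper.exe"), ("client-b", "dropper.exe"),
           ("client-c", "bot.exe")}

PRIOR = 2        # assumed smoothing weight so rarely seen hosts stay low
THRESHOLD = 0.5  # assumed cut-off for treating a host as malicious


def malware_counts(communications, malware):
    """Per host: (distinct malware entities, all distinct entities) contacting it."""
    seen = defaultdict(set)
    for client, entity, host in communications:
        seen[host].add((client, entity))  # set membership drops repeated reports
    return {h: (len(e & malware), len(e)) for h, e in seen.items()}


def host_scores(communications, malware, prior=PRIOR):
    """Score in [0, 1); higher means more likely malicious (assumed formula)."""
    return {h: m / (n + prior)
            for h, (m, n) in malware_counts(communications, malware).items()}


def suspect_entities(client, communications, scores, threshold=THRESHOLD):
    """Client side: entities on `client` that contact a host scored >= threshold."""
    return sorted({e for c, e, h in communications
                   if c == client and scores.get(h, 0.0) >= threshold})
```

With this sample data, `newtool.exe` on `client-d` has no malware verdict of its own but is flagged because the only host it contacts is contacted mostly by known malware entities.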
Specification