Enforcing good network hygiene using reputation-based automatic remediation

US 8,566,932 B1
Filed: 07/31/2009
Issued: 10/22/2013
Est. Priority Date: 07/31/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of applying automatic remediation for enforcing network hygiene of a client, the method comprising:

responsive to an attempt by the client to connect to a secure network, scanning the client to detect a plurality of files on the client;

retrieving onto the client a reputation score for each of the files detected;

calculating on the client a hygiene score for the client based on the reputation scores for the plurality of files detected on the client, the hygiene score indicating a likelihood of the client to engage in risky behavior, wherein the files on the client include files with reputation scores indicating negative security behavior and files with reputation scores indicating positive security behavior, the files with reputation scores indicating negative security behavior affecting the hygiene score to indicate increased likelihood of the client to engage in risky behavior, and the files with reputation scores indicating positive security behavior affecting the hygiene score to indicate decreased likelihood of the client to engage in risky behavior;

determining whether the hygiene score exceeds a threshold for bad client hygiene; and

responsive to the hygiene score for the client exceeding the threshold, applying a policy to the client that restricts access to the secure network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Reputation-based automatic remediation is applied for enforcing good network hygiene of a client. A scanning module scans the client to detect files on the client in response to an attempt by the client to connect to a secure network. A reputation score module retrieves onto the client a reputation score for each of the files detected. The reputation scores can be retrieved from a reputation database of a reputation server storing reputation data for files. A hygiene score module calculates on the client a hygiene score for the client based on the reputation scores for the files on the client. The hygiene score indicates a likelihood of the client to engage in risky behavior. The threshold determination module determines whether the hygiene score exceeds a threshold for bad client hygiene. The policy module applies a policy to the client that restricts network access in response to the hygiene score for the client exceeding the threshold.

119 Citations

View as Search Results

20 Claims

1. A computer-implemented method of applying automatic remediation for enforcing network hygiene of a client, the method comprising:
- responsive to an attempt by the client to connect to a secure network, scanning the client to detect a plurality of files on the client;
  
  retrieving onto the client a reputation score for each of the files detected;
  
  calculating on the client a hygiene score for the client based on the reputation scores for the plurality of files detected on the client, the hygiene score indicating a likelihood of the client to engage in risky behavior, wherein the files on the client include files with reputation scores indicating negative security behavior and files with reputation scores indicating positive security behavior, the files with reputation scores indicating negative security behavior affecting the hygiene score to indicate increased likelihood of the client to engage in risky behavior, and the files with reputation scores indicating positive security behavior affecting the hygiene score to indicate decreased likelihood of the client to engage in risky behavior;
  
  determining whether the hygiene score exceeds a threshold for bad client hygiene; and
  
  responsive to the hygiene score for the client exceeding the threshold, applying a policy to the client that restricts access to the secure network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - responsive to the attempt by the client to connect to the secure network, receiving a request from an enforcer to indicate whether an agent is installed on the client;
      
      indicating to the enforcer that the agent has not been installed;
      
      receiving the agent from the enforcer for installation on the client; and
      
      installing the agent on the client, the agent including data regarding the threshold for bad client hygiene for the client and the policy to be applied to the client based on the hygiene score of the client.
  - 3. The method of claim 1, further comprising, responsive to the attempt to connect to the secure network, downloading onto the client from an enforcer an agent that downloads a cloud module, the cloud module performing the scanning step, the retrieving step, and the calculating step.
  - 4. The method of claim 1, further comprising:
    - storing the hygiene score calculated for the client for determining whether to allow the client access to the secure network on subsequent attempts by the client to connect to the secure network; and
      
      updating the hygiene score based on a state of the client.
  - 5. The method of claim 1, wherein the hygiene score is calculated using results of a malware scan of the client and using a stored hygiene score previously calculated for the client.
  - 6. The method of claim 1, wherein applying a policy to the client that restricts access to the secure network further comprises allowing the client to access only a quarantine network having a firewall and device manager policy that are both more restrictive than policies for the secure network for which the client attempted access.
  - 7. The method of claim 1, wherein the scanning, retrieving, and calculating steps further comprise performing a cloud-based scan on the client using reputation data stored in a reputation database at a reputation server regarding applications having lower reputation scores than other applications.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for applying automatic remediation for enforcing network hygiene of a client, the computer program instructions comprising instructions for performing steps comprising:
- responsive to an attempt by the client to connect to a secure network, scanning the client to detect a plurality of files on the client;
  
  retrieving onto the client a reputation score for each of the files detected;
  
  calculating on the client a hygiene score for the client based on the reputation scores for the plurality of files detected on the client, the hygiene score indicating a likelihood of the client to engage in risky behavior, wherein the files on the client include files with reputation scores indicating negative security behavior and files with reputation scores indicating positive security behavior, the files with reputation scores indicating negative security behavior affecting the hygiene score to indicate increased likelihood of the client to engage in risky behavior, and the files with reputation scores indicating positive security behavior affecting the hygiene score to indicate decreased likelihood of the client to engage in risky behavior;
  
  determining whether the hygiene score exceeds a threshold for bad client hygiene; and
  
  responsive to the hygiene score for the client exceeding the threshold, applying a policy to the client that restricts access to the secure network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein retrieving onto the client a reputation score for each of the files detected further comprises accessing stored reputations scores stored in a reputation database of a reputation server that were previously determined for the files on the client and receiving reputation scores calculated by the reputation server for new files not previously detected on the client.
  - 10. The computer program product of claim 8, wherein calculating on the client a hygiene score for the client further comprises accessing a stored hygiene score previously calculated for the client.
  - 11. The computer program product of claim 8, further comprising instructions for:
    - performing a local malware scan of the client;
      
      determining, based on the local malware scan, that the client is infected with malware;
      
      applying a flag to the client to indicate that the client is infected; and
      
      applying the flag along with the reputation scores for the plurality of files in calculating the hygiene score of the client.
  - 12. The computer program product of claim 8, wherein determining whether the hygiene score exceeds a threshold further comprises determining whether a count of a number of malware threats on the client per time period exceeds the threshold.
  - 13. The computer program product of claim 8, further comprising instructions for:
    - responsive to the attempt by the client to connect to the secure network, providing an indication to an enforcer that a security module has not been installed; and
      
      receiving and installing a security module that downloads components for performing each of the steps.
  - 14. The computer program product of claim 8, wherein allowing limited network access further comprises placing the client into a group of clients that have access only to a network with a firewall, an application policy, and a device manager policy that are more restrictive than for the secure network for which the client attempted access.

15. A computer system for applying automatic remediation for enforcing network hygiene of a client, the system comprising:
- a non-transitory computer-readable storage medium storing executable software modules, comprising;
  
  a scanning module for scanning the client to detect a plurality of files on the client in response to an attempt by the client to connect to a secure network;
  
  a reputation score module for retrieving onto the client a reputation score for each of the files detected;
  
  a hygiene score module for calculating on the client a hygiene score for the client based on the reputation scores for the plurality of files detected on the client, the hygiene score indicating a likelihood of the client to engage in risky behavior, wherein the files on the client include files with reputation scores indicating negative security behavior and files with reputation scores indicating positive security behavior, the files with reputation scores indicating negative security behavior affecting the hygiene score to indicate increased likelihood of the client to engage in risky behavior, and the files with reputation scores indicating positive security behavior affecting the hygiene score to indicate decreased likelihood of the client to engage in risky behavior;
  
  a threshold determination module for determining whether the hygiene score exceeds a threshold for bad client hygiene;
  
  a policy module for applying a policy to the client that restricts access to the secure network in response to the hygiene score for the client exceeding the threshold; and
  
  a processor configured to execute the software modules stored by the computer readable storage medium.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the hygiene score module is further configured for calculating the hygiene score using the reputation scores retrieved, using information retrieved regarding matches of the files to malware signatures, and using a stored hygiene score previously calculated for the client.
  - 17. The system of claim 15, wherein the threshold determination module is further configured for determining whether a count of a number of malware threats on the client per time period exceeds the threshold.
  - 18. The system of claim 15, wherein the policy module is further configured for allowing the client to access only a quarantine network having a firewall, an application policy, and a device manager policy that are more restrictive than policies for the secure network for which the client attempted access.
  - 19. The system of claim 15, wherein the hygiene score module is further configured for:
    - determining that the client has third party security software pre-installed;
      
      collecting security data from a log for the third party software; and
      
      analyzing previous threats on the client provided in the log, wherein results of the analysis are included in the calculation of the hygiene score for the client.
  - 20. The system of claim 15, wherein the reputation score for each file is an assessment of the likelihood that the file is malicious, and wherein the hygiene score for the client represents an assessment of trustworthiness of the client, wherein the trustworthiness is a measure of a propensity of the client for getting infected by malware, where a client that is infected more often is less trustworthy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Hotta, Nobuto Max, Rivera, Shireen
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US12/533,958
Time in Patent Office

1,544 Days
Field of Search

726 2- 3, 726/11, 726/22
US Class Current

726/22
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/565   by checking file integrity

G06F 21/567   using dedicated hardware

G08B 21/245   Reminder of hygiene complia...

H04L 63/00   Network architectures or ne...

H04L 63/10   for controlling access to d...

Enforcing good network hygiene using reputation-based automatic remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing good network hygiene using reputation-based automatic remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links