Dynamically computing reputation scores for objects

US 8,584,094 B2
Filed: 06/29/2007
Issued: 11/12/2013
Est. Priority Date: 06/29/2007
Status: Active Grant

First Claim

Patent Images

1. At least one machine-readable memory comprising machine-readable instructions that, when executed by at least one processor, cause the at least one processor to perform acts comprising:

receiving, at a current time, at least one request for at least one object, wherein the object comprises at least one of a file stored on a server or a webpage hosted on a website;

determining whether a reputation score for the at least one object exists, and if so, determining whether the reputation score is valid based at least in part on a difference between the current time and a previous time when the reputation score was known to be valid; and

in response to determining that the reputation score does not exist or is not valid, computing the reputation score for the at least one object by;

instantiating a protected virtual environment in which to execute the object,executing the object within the protected virtual environment,suspending execution of the object within the protected virtual environment, andanalyzing at least one aspect of the protected virtual environment to determine the reputation score while the execution of the object is suspended, the reputation score is computed substantially in real time with the at least one request for the file stored on the server or the webpage hosted on the website, the reputation score indicating whether the file stored on the server or the webpage hosted on the website, when loaded into and executed within the protected virtual environment, is associated with an acceptable level of risk.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Tools and techniques for dynamically computing reputation scores for objects are described herein. The tools may provide machine-readable storage media containing machine-readable instructions for receiving requests to dynamically compute reputation scores for the objects, for instantiating protected virtual environments in which to execute the objects, and for computing the reputation score based on how the object behaves when executing within the virtual environment.

287 Citations

20 Claims

1. At least one machine-readable memory comprising machine-readable instructions that, when executed by at least one processor, cause the at least one processor to perform acts comprising:
- receiving, at a current time, at least one request for at least one object, wherein the object comprises at least one of a file stored on a server or a webpage hosted on a website;
  
  determining whether a reputation score for the at least one object exists, and if so, determining whether the reputation score is valid based at least in part on a difference between the current time and a previous time when the reputation score was known to be valid; and
  
  in response to determining that the reputation score does not exist or is not valid, computing the reputation score for the at least one object by;
  
  instantiating a protected virtual environment in which to execute the object,executing the object within the protected virtual environment,suspending execution of the object within the protected virtual environment, andanalyzing at least one aspect of the protected virtual environment to determine the reputation score while the execution of the object is suspended, the reputation score is computed substantially in real time with the at least one request for the file stored on the server or the webpage hosted on the website, the reputation score indicating whether the file stored on the server or the webpage hosted on the website, when loaded into and executed within the protected virtual environment, is associated with an acceptable level of risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising providing the reputation score to a requesting device.
  - 3. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising:
    - generating a request for the reputation score for the at least one object.
  - 4. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising determining whether to grant access to the object based on the reputation score of the object.
  - 5. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising caching the reputation score.
  - 6. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising searching a cache for the reputation score for the object.
  - 7. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising capturing an initial state of the protected virtual environment, before the object is executed in the protected virtual environment.
  - 8. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising inspecting at least one state of the protected virtual environment while the object is executing within the protected virtual environment.
  - 9. The machine-readable memory of claim 1, wherein the instructions cause the processor to perform the acts further comprising checking for any unexpected behavior of the object when executing within the protected virtual environment.
  - 10. The machine-readable memory of claim 9, wherein the instructions for checking for any unexpected behavior include instructions for analyzing at least one persistent storage location associated with the protected virtual environment.
  - 11. The machine-readable memory of claim 9, wherein the instructions for checking for any unexpected behavior include instructions for analyzing at least one volatile storage location associated with the protected virtual environment.
  - 12. The machine-readable memory of claim 9, wherein the instructions for checking for any unexpected behavior include instructions for searching the protected virtual environment for at least one malware signature resulting from executing the object.
  - 13. The machine-readable memory of claim 9, wherein the instructions for checking for any unexpected behavior include instructions for searching the protected virtual environment for at least one network access resulting from executing the object.
  - 14. The machine-readable memory of claim 9, wherein the instructions for checking for any unexpected behavior include instructions for searching the protected virtual environment for at least one installed file resulting from executing the object.

15. A system comprising:
- a server coupled to communicate with at least one client device and having one or more processors, memory, and a server-side reputation computation module stored on the memory and executable by the one or more processors to;
  
  receive, at a current time, a request for an object from the at least one client device, wherein the object comprises a webpage hosted on a website,determine whether a reputation score for the object exists, and if so, determine whether the reputation score is valid based at least in part on a difference between the current time and a previous time when the reputation score was known to be valid, andin response to determining that the reputation score does not exist or is not valid;
  
  instantiate, prior to computing a reputation score for the object, a protected virtual environment in which to execute the object,execute the object within the protected virtual environment,suspend execution of the object within the protected virtual environment,analyze at least one aspect of the protected virtual environment while the execution of the object is suspended, anddynamically compute the reputation score for the object based at least in part on the analysis of the at least one aspect of the protected virtual environment, in which the reputation score is computed substantially in real time with the request for the webpage hosted on the website, the reputation score indicating whether the webpage hosted on the website, when loaded into the protected virtual environment, operates with a level of risk below a threshold.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein the client device includes a module for determining whether to grant access to the object based on the reputation score.

17. A method comprising:
- receiving, at a first physical computing device and at a current time, at least one request, from a second physical computing device, for at least one object, wherein the object comprises a file stored on a server;
  
  determining whether a reputation score for the at least one object exists, and if so, determining whether the reputation score is valid based at least in part on a difference between the current time and a previous time when the reputation score was known to be valid; and
  
  in response to determining that the reputation score does not exist or is not valid, determining the reputation score for the at least one object by;
  
  instantiating, at the first physical computing device, a protected virtual environment in which to execute the object,executing the object within the protected virtual environment of the first physical computing device,suspending the execution of the object within the protected virtual environment,analyzing, at the first physical computing device, at least one aspect of the protected virtual environment while execution of the object is suspended, andcomputing by the first physical computing device the reputation score for the at least one object based at least in part on the analysis of the at least one aspect of the protected virtual environment, in which the reputation score is computed substantially in real time with the at least one request for the file stored on the server, the reputation score indicating whether the file stored on the server, when executed within the protected virtual environment by using a processor, operates with an acceptable risk level.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising providing the reputation score to the second physical computing device.
  - 19. The method of claim 17, further comprising:
    - checking for a behavior of the object within the protected virtual environment.
  - 20. The method of claim 17, wherein the determining whether the reputation score is valid includes:
    - determining that the reputation score is valid based at least in part on the object having digital signature information associated therewith in which the digital signature information is digitally signed by a trusted entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dadhia, Rajesh K, Field, Scott A.
Primary Examiner(s)
Dao, Thuy
Assistant Examiner(s)
ST LEGER, GEOFFREY R

Application Number

US11/771,594
Publication Number

US 20090007102A1
Time in Patent Office

2,328 Days
Field of Search

None
US Class Current

717/127
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2151   Time stamp

G06F 9/45558   Hypervisor-specific managem...

Dynamically computing reputation scores for objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

287 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Dynamically computing reputation scores for objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

287 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others