Altering application behavior based on content provider reputation
Abstract
Incoming network traffic is monitored, and content-based files in the monitored incoming network traffic originating from remote sources are identified. When a specific content-based file originating from a remote source is identified, security information concerning that file is gleaned. This security information comprises at least a security reputation of the remote source from which the file originates. An attempt to open the file is identified, and a security risk rating is determined based on the security information concerning the file. In response to the security risk rating exceeding a given threshold, behavior associated with the attempt to open the file is altered. This altering of behavior can comprise, for example, disabling a scripting engine for the instance of the content processing application attempting to open the file, or altering file system and/or operating system resource access privileges.
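The flow in the abstract, sketched as an added example (not code from the patent or its assignee). The 0-100 reputation scale, the `risk = 100 - reputation` formula, the threshold of 60, the worst-case handling of unknown sources, the zero rating for files with no recorded remote origin, and all class, function and host names are assumptions made for illustration.

```python
from dataclasses import dataclass

RISK_THRESHOLD = 60  # assumed value; the text only says "a given threshold"

# Constructed stand-in for the security server: source host -> reputation (0 bad .. 100 good).
SECURITY_SERVER = {"docs.example.com": 95, "files.example.net": 20, "edge.example.org": 40}


@dataclass(frozen=True)
class LaunchPolicy:
    """Restrictions applied to the one application instance opening the file."""
    scripting_enabled: bool = True
    filesystem_access: str = "normal"  # "normal" or "read-only"


class ReputationGate:
    def __init__(self, lookup=SECURITY_SERVER.get, threshold=RISK_THRESHOLD):
        self._lookup = lookup        # callable: host -> reputation, or None if unknown
        self._threshold = threshold
        self._origin = {}            # file path -> remote source seen at download time

    def on_download(self, path, source_host):
        """Traffic-monitoring step: record the remote source of a content file."""
        self._origin[path] = source_host

    def risk_rating(self, path):
        """Risk derived from the source's reputation (assumed formula)."""
        if path not in self._origin:
            return 0                 # assumption: no recorded remote origin, no rating
        reputation = self._lookup(self._origin[path])
        if reputation is None:       # assumption: unknown source is rated worst case
            reputation = 0
        return 100 - reputation

    def on_open(self, path):
        """Open-attempt step: alter behavior only when the rating exceeds the threshold."""
        if self.risk_rating(path) > self._threshold:
            return LaunchPolicy(scripting_enabled=False, filesystem_access="read-only")
        return LaunchPolicy()
```

A source rated exactly at the boundary (reputation 40, risk 60) is not restricted, because the text requires the rating to exceed the threshold.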
20 Claims
1. A computer implemented method for protecting a computer system from malicious attacks by altering content processing application behavior based on at least content provider reputation, the method comprising the steps of:
- monitoring, by at least one computer, incoming network traffic;
- identifying, by the at least one computer, content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
- gleaning, by the at least one computer, security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
- detecting, by the at least one computer, an attempt to open the specific, identified content-based file with the processing application;
- determining, by the at least one computer, a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
- altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
11. At least one non-transitory computer readable storage medium storing a computer program product for protecting a computer system from malicious attacks by altering content processing application behavior based on at least content provider reputation, the computer program product comprising:
- program code for monitoring incoming network traffic;
- program code for identifying content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
- program code for gleaning security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
- program code for detecting an attempt to open the specific, identified content-based file with the processing application;
- program code for determining a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
- program code for altering behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
20. A computer system configured to protect against malicious attacks by altering content processing application behavior based on at least content provider reputation, the computer system comprising:
- a processor;
- system memory;
- a network monitoring module to monitor incoming network traffic, and to identify content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
- a file information gleaning module to glean security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
- a file access detecting module to detect an attempt to open the specific, identified content-based file with the processing application;
- a content risk determining module to determine a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
- a behavior altering module to alter behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
Specification