Altering application behavior based on content provider reputation

US 8,627,476 B1
Filed: 07/05/2010
Issued: 01/07/2014
Est. Priority Date: 07/05/2010
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for protecting a computer system from malicious attacks by altering content processing application behavior based on at least content provider reputation, the method comprising the steps of:

monitoring, by at least one computer, incoming network traffic;

identifying, by the at least one computer, content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;

gleaning, by the at least one computer, security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;

detecting, by the at least one computer, an attempt to open the specific, identified content-based file with the processing application;

determining, by the at least one computer, a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and

altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Incoming network traffic is monitored, and content-based files in the monitored incoming network traffic originating from remote sources are identified. When a specific content-based file originating from a remote source is identified, security information concerning that file is gleaned. This security information comprises at least a security reputation of the remote source from which the file originates. An attempt to open the file is identified, and a security risk rating is determined based on the security information concerning the file. In response to the security risk rating exceeding a given threshold, behavior associated with the attempt to open the file is altered. This altering of behavior can comprise, for example, disabling a scripting engine for the instance of the content processing application attempting to open the file, or altering file system and/or operating system resource access privileges.

Citations

20 Claims

1. A computer implemented method for protecting a computer system from malicious attacks by altering content processing application behavior based on at least content provider reputation, the method comprising the steps of:
- monitoring, by at least one computer, incoming network traffic;
  
  identifying, by the at least one computer, content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
  
  gleaning, by the at least one computer, security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
  
  detecting, by the at least one computer, an attempt to open the specific, identified content-based file with the processing application;
  
  determining, by the at least one computer, a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
  
  altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein identifying, by the at least one computer, content-based files in the monitored incoming network traffic further comprises:
    - identifying, by the at least one computer, a content-based file being downloaded from a remote source.
  - 3. The method of claim 1 wherein identifying, by the at least one computer, content-based files in the monitored incoming network traffic further comprises:
    - identifying, by the at least one computer, an incoming electronic communication from a remote user with at least one content-based file as an attachment.
  - 4. The method of claim 1 wherein gleaning, by the at least one computer, security information concerning a specific,identified content-based file originating from a specific remote source further comprises:
    - retrieving, by the at least one computer, the security reputation of the specific remote source of the specific content-based file from a stored collection of reputations of a plurality of file sources.
  - 5. The method of claim 1 wherein determining, by the at least one computer, a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file further comprises:
    - determining, by the at least one computer, a security risk rating concerning the specific, identified content-based file, based on the security reputation of the specific remote source of the specific, identified content-based file and at least some additional security information concerning the specific, identified content-based file.
  - 6. The method of claim 5 wherein the at least some additional security information concerning the specific, identified content-based file further comprises:
    - at least a size and a format of the specific, identified content-based file.
  - 7. The method of claim 1 wherein altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - blocking, by the at least one computer, the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
  - 8. The method of claim 1 wherein altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - disabling, by the at least one computer, a scripting engine, for an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
  - 9. The method of claim 1 wherein altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - altering, by the at least one computer, file system access privileges of an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
  - 10. The method of claim 1 wherein altering, by the at least one computer, behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - altering, by the at least one computer, operating system resource access privileges of an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.

11. At least one non-transitory computer readable storage medium storing a computer program product for protecting a computer system from malicious attacks by altering content processing application behavior based on at least content provider reputation, the computer program product comprising:
- program code for monitoring incoming network traffic;
  
  program code for identifying content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
  
  program code for gleaning security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
  
  program code for detecting an attempt to open the specific, identified content-based file with the processing application;
  
  program code for determining a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
  
  program code for altering behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer program product of claim 11 wherein the program code for identifying content-based files in the monitored incoming network traffic further comprises:
    - program code for identifying a content-based file being downloaded from a remote source.
  - 13. The computer program product of claim 11 wherein the program code for identifying content-based files in the monitored incoming network traffic further comprises:
    - program code for identifying an incoming electronic communication from a remote user with at least one content-based file as an attachment.
  - 14. The computer program product of claim 11 wherein the program code for gleaning security information concerning a specific, identified content-based file originating from a specific remote source further comprises:
    - program code for retrieving the security reputation of the specific remote source of the specific content-based file from a stored collection of reputations of a plurality of file sources.
  - 15. The computer program product of claim 11 wherein the program code for determining a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file further comprises:
    - program code for determining a security risk rating concerning the specific, identified content-based file, based on the security reputation of the specific remote source of the specific, identified content-based file and at least some additional security information concerning the specific, identified content-based file.
  - 16. The computer program product of claim 15 wherein the at least some additional security information concerning the specific, identified content-based file further comprises:
    - at least a size and a format of the specific, identified content-based file.
  - 17. The computer program product of claim 11 wherein the program code for altering behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - program code for disabling a scripting engine, for an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
  - 18. The computer program product of claim 11 wherein the program code for altering behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - program code for altering file system access privileges of an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.
  - 19. The computer program product of claim 11 wherein the program code for altering behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold further comprises:
    - program code for altering operating system resource access privileges of an instance of a content processing application attempting to open the specific, identified content-based file, in response to the determined security risk rating concerning the specific, identified content-based file exceeding a given threshold.

20. A computer system configured to protect against malicious attacks by altering content processing application behavior based on at least content provider reputation, the computer system comprising:
- a processor;
  
  system memory;
  
  a network monitoring module to monitor incoming network traffic, and to identify content-based files in the monitored incoming network traffic, the content-based files originating from remote sources and being accessible using a processing application;
  
  a file information gleaning module to glean security information concerning a specific, identified content-based file originating from a specific remote source, comprising receiving from a security server a security reputation of the specific remote source of the specific, identified content-based file;
  
  a file access detecting module to detect an attempt to open the specific, identified content-based file with the processing application;
  
  a content risk determining module to determine a security risk rating concerning the specific, identified content-based file, based on security information concerning the specific, identified content-based file comprising at least the security reputation of the specific remote source of the specific, identified content-based file; and
  
  a behavior altering module to alter behavior associated with the attempt to open the specific, identified content-based file, in response to the determined security risk rating 27 concerning the specific, identified content-based file exceeding a given threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Gardner, Patrick
Primary Examiner(s)
Reza, Mohammad W
Assistant Examiner(s)
Rahim, Monjour

Application Number

US12/830,418
Time in Patent Office

1,282 Days
Field of Search

726/24, 726/2, 726/22, 726/26, 713/187, 713/188, 713/189
US Class Current

726/24
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

H04L 63/1441   Countermeasures against mal...

Altering application behavior based on content provider reputation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Altering application behavior based on content provider reputation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links