Local reputation to adjust sensitivity of behavioral detection system
First Claim
1. A method performed by a data processing apparatus, the method comprising:
- monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
- determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
- instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
- determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
- adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
- determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
- determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.
10 Assignments
0 Petitions
Abstract
Source assets are monitored for activities, each activity associated with a corresponding activity weight indicating probability of the activity resulting from a security compromise. A source asset is determined to perform a particular activity indicative of a potential security compromise, such as a download of an executable of malicious reputation. A source asset tracking instance is instantiated to include data identifying the particular activity. The tracking instance is to be updated based on identification of subsequently monitored activities. A reputation value is determined for the activity weight of the particular activity based at least in part on the malicious reputation of the executable. An asset reputation is determined for the source asset from the corresponding activity weights of monitored activities involving the source asset and a security risk is determined when the asset reputation exceeds a threshold.
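As an added example (not part of the patent, and not code from its assignee), the claimed flow in Python: a table of activity weights, a tracking instance instantiated for an asset on its first indicative activity, a weight adjusted by the executable's reputation, an aggregate asset reputation and a threshold check. The weight values, the adjustment formula and the combination rule are assumptions; the claims leave all three unspecified.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed baseline weights: assumed probability that the activity results
# from an actual compromise. Values are illustrative, not from the patent.
BASE_ACTIVITY_WEIGHTS = {
    "executable_download": 0.30,
    "outbound_connection_to_new_host": 0.20,
    "registry_autorun_change": 0.35,
}
RISK_THRESHOLD = 0.6  # assumed threshold for "asset reputation exceeds a threshold"


def adjust_weight(base_weight: float, reputation: float) -> float:
    """Assumed adjustment rule. reputation in [0, 1]: 0 = known good,
    0.5 = unknown, 1 = known malicious. Pulls the weight toward 1 for
    malicious executables and toward 0 for trusted ones."""
    if reputation >= 0.5:
        return base_weight + (1.0 - base_weight) * (reputation - 0.5) * 2.0
    return base_weight * reputation * 2.0


@dataclass
class SourceAssetTracker:
    """The per-asset 'source asset tracking instance' of claim 1."""
    asset_id: str
    activities: dict = field(default_factory=dict)  # activity -> adjusted weight

    def record(self, activity: str, reputation: Optional[float] = None) -> float:
        weight = BASE_ACTIVITY_WEIGHTS[activity]
        if reputation is not None:  # only executable downloads carry a reputation here
            weight = adjust_weight(weight, reputation)
        # Keep the strongest evidence seen for each activity type.
        self.activities[activity] = max(weight, self.activities.get(activity, 0.0))
        return self.activities[activity]

    def asset_reputation(self) -> float:
        # Assumed combination: treat weights as independent probabilities and
        # report P(at least one activity is a real compromise) = 1 - prod(1 - w).
        p_clean = 1.0
        for w in self.activities.values():
            p_clean *= 1.0 - w
        return 1.0 - p_clean

    def is_security_risk(self, threshold: float = RISK_THRESHOLD) -> bool:
        return self.asset_reputation() > threshold


def evaluate_events(events):
    """events: iterable of (asset_id, activity, reputation_or_None).
    Instantiates a tracker on an asset's first indicative activity and
    returns {asset_id: (asset_reputation, is_security_risk)}."""
    trackers = {}
    for asset_id, activity, reputation in events:
        tracker = trackers.setdefault(asset_id, SourceAssetTracker(asset_id))
        tracker.record(activity, reputation)
    return {a: (t.asset_reputation(), t.is_security_risk()) for a, t in trackers.items()}
```

Constructed input for a run: `[("host-a", "executable_download", 0.9), ("host-b", "executable_download", 0.1), ("host-b", "outbound_connection_to_new_host", None), ("host-c", "executable_download", None), ("host-c", "registry_autorun_change", None)]` flags only host-a, whose single download of a known-malicious executable outweighs host-c's two unrated activities.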
12 Citations
20 Claims
1. A method performed by a data processing apparatus, the method comprising:
- monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
- determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
- instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
- determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
- adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
- determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
- determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A non-transitory computer readable medium comprising instructions executable by a data processing apparatus and that cause the data processing apparatus to perform operations comprising:
- monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
- determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
- instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
- determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
- adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
- determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
- determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.
Dependent claims: 15, 16, 17, 18, 19

20. A system comprising:
- a data processing apparatus; and
- a non-transitory computer readable medium storing instructions executable by the data processing apparatus and that cause the data processing apparatus to perform operations comprising:
  - monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
  - determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
  - instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
  - determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
  - adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
  - determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
  - determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.