Local reputation to adjust sensitivity of behavioral detection system

US 8,650,287 B2
Filed: 04/27/2011
Issued: 02/11/2014
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method performed by a data processing apparatus, the method comprising:

monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;

determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;

instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;

determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;

adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;

determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and

determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Source assets are monitored for activities, each activity associated with a corresponding activity weight indicating probability of the activity resulting from a security compromise. A source asset is determined to perform a particular activity indicative of a potential security compromise, such as a download of an executable of malicious reputation. A source asset tracking instance is instantiated to include data identifying the particular activity. The tracking instance is to be updated based on identification of subsequently monitored activities. A reputation value is determined for the activity weight of the particular activity based at least in part on the malicious reputation of the executable. An asset reputation is determined for the source asset from the corresponding activity weights of monitored activities involving the source asset and a security risk is determined when the asset reputation exceeds a threshold.

12 Citations

View as Search Results

20 Claims

1. A method performed by a data processing apparatus, the method comprising:
- monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
  
  determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
  
  instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
  
  determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
  
  adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
  
  determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
  
  determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other monitored activity comprises a communication from the particular source asset to a destination address external to the network; and
      
      determining a reputation value for the corresponding activity weight of the other monitored activity comprises;
      
      determining a reputation associated with the destination address;
      
      determining the reputation value for the corresponding activity weight of the other monitored activity based on the reputation associated with the destination address.
  - 3. The method of claim 2, wherein the corresponding activity weight of the other monitored activity is to be adjusted, only for the particular source asset, based at least in part on the reputation associated with the destination address.
  - 4. The method of claim 1 wherein adjusting, only for the particular source asset, the corresponding activity weight of the particular monitored activity comprises:
    - adjusting the particular activity weight for monitored activities performed in response to execution of the executable by the particular source asset.
  - 5. The method of claim 1, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises one or more communication attempts by the particular source asset to destination computer devices external to the network; and
      
      determining a reputation value for the activity weight of the other monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a denied request due to a determination that the communication attempt from the particular source asset is indicative of a potential security compromise; and
      
      determining the reputation value for the activity weight of the other monitored activity based on the number.
  - 6. The method of claim 5, wherein the corresponding activity weight of the other monitored activity is to be adjusted, only for the particular source asset, based at least in part on the reputation value for the activity weight of the other monitored activity.
  - 7. The method of claim 1, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises one or more communication attempts by the particular source asset to destination computer devices; and
      
      determining a reputation value for the activity weight of the other monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a non-existent destination address to which the communication attempt was directed; and
      
      determining the reputation value for the activity weight of the other monitored activity based on the number.
  - 8. The method of claim 7, wherein the corresponding activity weight of the other monitored activity is to be adjusted, only for the particular source asset, based at least in part on the reputation value for the activity weight of the other monitored activity.
  - 9. The method of claim 1, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises an incoming attack detected on the particular source asset and an outgoing attack detected from the particular source asset; and
      
      determining a reputation value for the activity weight of the other monitored activity is to be based at least in part on the number.
  - 10. The method of claim 9, wherein the corresponding activity weight of the other monitored activity is to be adjusted, only for the particular source asset, based at least in part on the reputation value for the activity weight of the other monitored activity.
  - 11. The method of claim 1, wherein:
    - each activity weight is one of a set comprising a low weight, medium weight or high weight, wherein a low weight is indicative of a low security risk, a medium weight is indicative of a medium security risk, and a high weight is indicative of a high security risk; and
      
      the method further comprises;
      
      determining from the activity weights associated with the monitored activities involving the particular source asset a security score for the particular source asset, wherein determining the security score comprises;
      
      summing each of the activity weights so that at least two low weights are equal to a medium weight, two medium weights are equal to a high weight, and two high weights constitute a security risk.
  - 12. The method of claim 1, wherein the monitored activities include communications that use one or more of the following protocols:
    - SSL, HTTP, FTP, IRC, DNS, P2P, SMB/Netbios, and SMTP.
  - 13. The method of claim 1, wherein the source asset tracking instance is one of a plurality of source asset tracking instances in computer memory and the method further comprises, for each source asset tracking instance in the computer memory:
    - in response to not monitoring an activity that is indicative of a potential security compromise for a predefined time period, purging the source asset tracking instance from the computer memory.

14. A non-transitory computer readable medium comprising instructions executable by a data processing apparatus and that cause the data processing apparatus to perform operations comprising:
- monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
  
  determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
  
  instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
  
  determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
  
  adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
  
  determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
  
  determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer readable medium of claim 14, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other monitored activity comprises a communication from the particular source asset to a destination address external to the network; and
      
      determining a reputation value for the corresponding activity weight of the other monitored activity comprises;
      
      determining a reputation associated with the destination address;
      
      determining the reputation value for the corresponding activity weight of the other monitored activity based on the reputation associated with the destination address.
  - 16. The non-transitory computer readable medium of claim 14, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises one or more communication attempts by the particular source asset to destination computer devices external to the network; and
      
      determining a reputation value for the activity weight of the other monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a denied request due to a determination that the communication attempt from the particular source asset is indicative of a potential security compromise; and
      
      determining the reputation value for the activity weight of the other monitored activity based on the number.
  - 17. The non-transitory computer readable medium of claim 14, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises one or more communication attempts by the particular source asset to destination computer devices; and
      
      determining a reputation value for the activity weight of the other monitored activity comprises;
      
      determining a number of responses from the destination computer devices that are indicative of a non-existent destination address to which the communication attempt was directed; and
      
      determining the reputation value for the activity weight of the other monitored activity based on the number.
  - 18. The non-transitory computer readable medium of claim 14, wherein:
    - the source asset tracking instance further includes data identifying another monitored activity involving the particular source asset, wherein the other activity comprises an incoming attack detected on the particular source asset and an outgoing attack detected from the particular source asset; and
      
      determining a reputation value for the activity weight of the other monitored activity is to be based at least in part on the number.
  - 19. The non-transitory computer readable medium of claim 14, wherein:
    - each activity weight is one of a set comprising a low weight, medium weight or high weight, wherein a low weight is indicative of a low security risk, a medium weight is indicative of a medium security risk, and a high weight is indicative of a high security risk; and
      
      the method further comprises;
      
      determining from the activity weights associated with the monitored activities involving the particular source asset a security score for the particular source asset, wherein determining the security score comprises;
      
      summing each of the activity weights so that at least two low weights are equal to a medium weight, two medium weights are equal to a high weight, and two high weights constitute a security risk.

20. A system comprising:
- a data processing apparatus; and
  
  a non-transitory computer readable medium storing instructions executable by the data processing apparatus and that cause the data processing apparatus to perform operations comprising;
  
  monitoring source assets in a network for activities indicative of potential security compromises, wherein the network comprises an internet protocol based network logically independent from other internet protocol networks, and each activity to be monitored is associated with a corresponding activity weight to indicate probability of the respective activity resulting from a respective, actual security compromise;
  
  determining that a particular one of the monitored source assets performs a particular monitored activity indicative of a potential security compromise, wherein the particular activity comprises a download of an executable having a malicious reputation;
  
  instantiating a particular source asset tracking instance in a computer memory, the source asset tracking instance including data identifying the particular source asset and the particular monitored activity, wherein the source asset tracking instance is to be updated based on identification of subsequently monitored activities, performed by the particular source asset, indicative of potential security compromises;
  
  determining a reputation value for the corresponding activity weight of the particular monitored activity based at least in part on the malicious reputation of the executable;
  
  adjusting, for the particular source asset, the corresponding activity weight of the particular monitored activity based at least in part on the reputation value;
  
  determining an asset reputation for the particular source asset from the corresponding activity weights associated with monitored activities involving the particular source asset; and
  
  determining a security risk associated with the particular source asset when the asset reputation exceeds a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mahadik, Vinay, Madhusudan, Bharath
Primary Examiner(s)
Nguyen, Quang N
Assistant Examiner(s)
PATEL, HITESHKUMAR R

Application Number

US13/095,545
Publication Number

US 20130246605A1
Time in Patent Office

1,021 Days
Field of Search

709/206, 709224-226, 726/1, 726 25- 27
US Class Current

709/224
CPC Class Codes

H04L 63/1433 Vulnerability analysis

Local reputation to adjust sensitivity of behavioral detection system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Local reputation to adjust sensitivity of behavioral detection system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links