Communication-based reputation system

US 8,904,520 B1
Filed: 03/19/2009
Issued: 12/02/2014
Est. Priority Date: 03/19/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of determining a reputation associated with an entity, the method comprising:

receiving, by at least one server from a client, information indicating a communication between the entity and a host that the entity communicates with, wherein the communication is monitored by the client and occurs while the entity is executed on the client, the entity comprising a file or software application;

identifying, by the least one server, reputation information indicating reputations of a set of other entities that communicate with the host;

generating, by the least one server, a host reputation score indicating a reputation of the host that the entity communicates with based on the reputation information indicating reputations of the set of other entities that communicate with the host;

generating, by the least one server, an entity reputation score indicating a likelihood that the entity is malware based on the host reputation score indicating the reputation of the host that the entity communicates with; and

transmitting, by the at least one server, the entity reputation score to the client for malware remediation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.

247 Citations

15 Claims

1. A computer-implemented method of determining a reputation associated with an entity, the method comprising:
- receiving, by at least one server from a client, information indicating a communication between the entity and a host that the entity communicates with, wherein the communication is monitored by the client and occurs while the entity is executed on the client, the entity comprising a file or software application;
  
  identifying, by the least one server, reputation information indicating reputations of a set of other entities that communicate with the host;
  
  generating, by the least one server, a host reputation score indicating a reputation of the host that the entity communicates with based on the reputation information indicating reputations of the set of other entities that communicate with the host;
  
  generating, by the least one server, an entity reputation score indicating a likelihood that the entity is malware based on the host reputation score indicating the reputation of the host that the entity communicates with; and
  
  transmitting, by the at least one server, the entity reputation score to the client for malware remediation.
- View Dependent Claims (2, 3, 4, 5, 15)
- - 2. The method of claim 1, wherein the reputation information indicating reputations of the set of other entities comprises a plurality of hygiene scores associated with a plurality of clients on which the other entities are identified, a hygiene score for a client indicating a likelihood that the client will be exposed to malware threats.
  - 3. The method of claim 1, wherein the reputation information indicating reputations of the set of other entities comprises a set of reputation scores associated with the set of other entities and generating a host reputation score comprises:
    - combining the set of reputation scores associated with the set of other entities.
  - 4. The method of claim 1, wherein generating a host reputation comprises:
    - applying a classifier to the reputation information.
  - 5. The method of claim 4, further comprising:
    - identifying a first training set of reputation information associated with a set of entities that communicate with hosts with known good reputations;
      
      identifying a second training set of reputation information associated with a set of entities that communicate with hosts with known bad reputations; and
      
      generating the classifier based on the first training set and the second training set.
  - 15. The method of claim 1, wherein the entity initiates the communication with the host when the entity is executed on the client.

6. A non-transitory computer-readable storage medium encoded with executable computer program code for determining a reputation associated with an entity, the program code comprising program code for:
- identifying, at a client, a communication between the entity and a host that the entity communicates with, wherein communication occurs while the entity is executed on a client, the entity comprising a file or software application;
  
  transmitting, to a server, information uniquely identifying the entity and the host;
  
  receiving, from the server, a entity reputation score indicating a likelihood that the entity is malware, wherein the server determines the entity reputation score by;
  
  identifying reputation information indicating reputations of set of other entities that communicate with the host,generating a host reputation score indicating a reputation of the host that the entity communicates with based on the reputation information indicating the reputations of the set of other entities that communicate with the host, andgenerating the entity reputation score indicating a likelihood that the entity is malware based on the host reputation score indicating the reputation of the host that the entity communicates with; and
  
  remediating the client responsive to determining that the entity reputation score indicates that the entity has a high likelihood of containing malware.
- View Dependent Claims (7, 8, 9)
- - 7. The medium of claim 6, further comprising program code for:
    - generating a hygiene score associated with the client wherein the hygiene score indicates a likelihood that a client will be exposed to malware threats; and
      
      transmitting, to the server, the hygiene score associated with the client.
  - 8. The medium of claim 7, wherein the reputation information indicating reputations of the set of other entities that communicate with the host comprises hygiene scores associated with the set of other entities that communicate with the host.
  - 9. The medium of claim 6, further comprising program code for:
    - monitoring network traffic associated with the entity.

10. A computer system for determining a reputation associated with an entity, the computer system comprising:
- a memory;
  
  a hardware processor;
  
  a reporting module stored on the memory and executable by the hardware processor to receive, from a client, information indicating a communication between the entity and a host that the entity communicates with, the communication monitored by the client and occurring while the entity is executed on the client, the entity comprising a file or software application;
  
  a host reputation scoring module stored on the memory and executable by the hardware processor to identify reputation information indicating reputations of a set of other entities that communicate with the host and generate a host reputation score indicating a reputation of the host that the entity communicates with based on the reputation information indicating reputations of the set of other entities that communicate with the host, the set of other entities being files or software applications that communicate with the host while executing; and
  
  an entity reputation scoring module stored on the memory and executable by the hardware processor to generate an entity reputation score indicating a likelihood that the entity is malware based on the host reputation score indicating the reputation of the host that the entity communicates with,wherein the reporting module is further executable to transmit the entity reputation score to the client for malware remediation.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the reputation information indicating reputations of the set of other entities comprises a plurality of hygiene scores associated with a plurality of clients on which the other entities are identified, a hygiene score for a client indicating a likelihood that the client will be exposed to malware threats.
  - 12. The system of claim 10, wherein the reputation information indicating reputations of the set of other entities comprises a set of reputation scores associated with the set of other entities and the host reputation scoring module is further executable to:
    - generate the host reputation score based on combining the set of reputation scores associated with the set of other entities.
  - 13. The system of claim 10, wherein the host reputation scoring module is further executable to:
    - generate the host reputation score based on applying a classifier to the reputation information.
  - 14. The system of claim 13, wherein the host reputation scoring module is further executable to:
    - identify a first training set of reputation information associated with a set of entities that communicate with hosts with known good reputations;
      
      identify a second training set of reputation information associated with a set of entities that communicate with hosts with known bad reputations; and
      
      generate the classifier based on the first training set and the second training set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Satish, Sourabh
Primary Examiner(s)
Wang, Harris

Application Number

US12/407,772
Time in Patent Office

2,084 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 67/535   Tracking the activity of th...

Communication-based reputation system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

247 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Communication-based reputation system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

247 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links