Identifying application reputation based on resource accesses
Abstract
Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner.
20 Claims
1. A method of executing applications on a device having a processor, the method comprising:
- executing on the processor instructions that cause the device to:
while executing an application, detect at least one resource access of at least one remote resource accessed by the application;
send resource accesses for respective remote resources to a reputation service;
upon receiving from the reputation service an application reputation set identifying application reputations for respective applications;
store the application reputation set;
identify at least one application on the device that is executing according to an application policy; and
adjust the application policy of the application according to the application reputation of the application in the application reputation set.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20
11. A method of identifying, on a computer having a processor, application reputations for applications executed on behalf of at least one device, the method comprising:
- executing on the processor instructions that cause the computer to:
upon receiving from at least one device at least one resource access of a remote resource and an application identifier of an application executing on the device and requesting the resource access of the remote resource, store the resource access of the remote resource;
for respective remote resources, identify a resource reputation;
for respective applications, identify an application reputation of the application according to the resource reputations of the remote resources accessed by the application;
generate an application reputation set specifying, for respective applications, the application identifier of the application and an application reputation of the application according to the resource accesses of remote resources accessed by the application; and
send the application reputation set to at least one device.
Dependent claims: 12, 13, 14, 15, 16, 17, 18
19. A memory device comprising instructions that, when executed on a processor of a computing device, cause the computing device to execute applications by:
while executing an application, detecting at least one resource access of at least one remote resource accessed by the application;
sending resource accesses for respective remote resources to a reputation service;
upon receiving from the reputation service an application reputation set identifying application reputations for respective applications;
storing the application reputation set;
identifying at least one application on the device that is executing according to an application policy; and
adjusting the application policy of the application according to the application reputation of the application in the application reputation set.
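The flow described in the abstract and in claims 1 and 11, as an added Python example that is not part of the patent text: a reputation service scores applications from the remote resources they access, and a device adjusts its application policies from the returned set. The scores, thresholds, policy names, sample data and the worst-resource aggregation rule are assumptions; the page does not specify how reputations are computed.

```python
from collections import defaultdict

# Constructed sample data: resource reputations in [0, 1], 1.0 = trusted.
RESOURCE_REPUTATION = {
    "https://updates.example.com/feed": 0.95,
    "198.51.100.7:4444": 0.05,
    "https://cdn.example.net/lib.js": 0.80,
}
UNKNOWN_RESOURCE = 0.5  # assumed neutral score for resources never seen

# Constructed telemetry: (device id, application identifier, remote resource).
ACCESSES = [
    ("dev-1", "notes.exe", "https://updates.example.com/feed"),
    ("dev-1", "notes.exe", "https://cdn.example.net/lib.js"),
    ("dev-2", "freegame.exe", "https://cdn.example.net/lib.js"),
    ("dev-2", "freegame.exe", "198.51.100.7:4444"),
    ("dev-3", "newtool.exe", "https://unseen.example.org/api"),
]

def build_reputation_set(accesses, resource_reputation):
    """Service side: store accesses per application, then score each app."""
    by_app = defaultdict(set)
    for _device, app_id, resource in accesses:
        by_app[app_id].add(resource)
    # Assumed aggregation: an app is as trustworthy as its worst resource.
    return {
        app_id: min(resource_reputation.get(r, UNKNOWN_RESOURCE) for r in resources)
        for app_id, resources in by_app.items()
    }

def adjust_policies(policies, reputation_set, block_below=0.3, restrict_below=0.7):
    """Device side: rewrite the policy of each locally running application."""
    adjusted = dict(policies)
    for app_id in policies:
        score = reputation_set.get(app_id)
        if score is None:
            continue  # no reputation received: keep the current policy
        if score < block_below:
            adjusted[app_id] = "block"
        elif score < restrict_below:
            adjusted[app_id] = "restricted"
        else:
            adjusted[app_id] = "allow"
    return adjusted

if __name__ == "__main__":
    rep_set = build_reputation_set(ACCESSES, RESOURCE_REPUTATION)
    local = {"notes.exe": "allow", "freegame.exe": "allow", "editor.exe": "allow"}
    print(rep_set)
    print(adjust_policies(local, rep_set))
```

An application that touches even one low-reputation resource is blocked on every device that receives the set, including devices that never reported that access themselves.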
Specification