Reputation of network address

US 9,106,681 B2
Filed: 12/17/2012
Issued: 08/11/2015
Est. Priority Date: 12/17/2012
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

at least one hardware processor; and

at least one application executable on the at least one hardware processor to;

monitor, during a first time period, events associated with a network address to obtain event information;

determine a first reputation score of the network address based on the event information, wherein the first reputation score is associated with the first time period; and

determine a second reputation score of the network address based on the first reputation score, trend information associated with the first reputation score, and a portion of the event information corresponding to a second time period, wherein the second reputation score is associated with the second time period, and wherein the second time period is a portion of the first time period, wherein the trend information includes a slope associated with multiple historical points, wherein the multiple historical points are associated with the first reputation score.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments disclosed herein relate to determining a reputation of a network address. A long-term reputation of the network address is determined. A short-term reputation of the network address is determined based on the long-term reputation and trend information associated with the long-term reputation.

Citations

18 Claims

1. A computing system comprising:
- at least one hardware processor; and
  
  at least one application executable on the at least one hardware processor to;
  
  monitor, during a first time period, events associated with a network address to obtain event information;
  
  determine a first reputation score of the network address based on the event information, wherein the first reputation score is associated with the first time period; and
  
  determine a second reputation score of the network address based on the first reputation score, trend information associated with the first reputation score, and a portion of the event information corresponding to a second time period, wherein the second reputation score is associated with the second time period, and wherein the second time period is a portion of the first time period, wherein the trend information includes a slope associated with multiple historical points, wherein the multiple historical points are associated with the first reputation score.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system of claim 1, wherein the at least one application is further to perform a security action based on the second reputation score.
  - 3. The computing system of claim 1, wherein the at least one application is further to receive a request from a device associated with the network address, wherein the security action is taken based on request.
  - 4. The computing system of claim 1,wherein the first reputation score is initially set at a base value, wherein, when the network address is associated with a malicious action, the first reputation score is modified, and wherein the first reputation score is normalized based on time.
  - 5. The computing system of claim 4, wherein the multiple historical points are based on the normalized first reputation score.
  - 6. The computing system of claim 4, wherein the first reputation score is associated with a likelihood that the network address is malicious.
  - 7. The computing system of claim 1, wherein the event information comprises statistical values associated with the events.

8. A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a device, cause the device to:
- monitor, during a first time period, one or more events associated with a network address to generate event information;
  
  determine a first reputation score of the network address based on the event information, wherein the first reputation score is associated with the first time period; and
  
  determine a second reputation score of the network address based on the first reputation score, trend information associated with the first reputation score, and a recent portion of the event information corresponding to a second time period, wherein the trend information includes a slope associated with multiple historical points, wherein the multiple historical points are associated with the first reputation score, wherein the second reputation score is associated with the second time period, and wherein the second time period is a portion of the first time period.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory machine-readable storage medium of claim 8, further comprising instructions that, if executed by the at least one processor, cause the device to:
    - receive a request from a computing device associated with the network address; and
      
      perform a security action based on the second reputation score.
  - 10. The non-transitory machine-readable storage medium of claim 8, further comprising instructions that, if executed by the at least one processor, cause the device to:
    - initially set the first reputation score at a base value, when the network address is associated with a malicious action, modify the first reputation score negatively, andnormalize the first reputation score based on time.
  - 11. The non-transitory machine-readable storage medium of claim 8, wherein the first reputation score is associated with a likelihood that the network address is malicious.
  - 12. The non-transitory machine-readable storage medium of claim 8, wherein the event information comprises one or more statistical values associated with the one or more events.
  - 13. The non-transitory machine-readable storage medium of claim 8, wherein the second time period is less than one minute.

14. A method comprising:
- monitoring, during a first time period, one or more events associated with a network address to generate event information;
  
  determining a first reputation score of the network address based on the event information, wherein the first reputation score is associated with a first time period; and
  
  determining, at a processor, a second reputation score of the network address based on the first reputation score, trend information associated with the first reputation score, and a recent portion of the event information corresponding to a second time period, wherein the second reputation score is associated with the second time period, wherein the second time period is a portion of the first time period, wherein the trend information includes a slope associated with multiple historical points, wherein the multiple historical points are associated with the first reputation score; and
  
  updating the first reputation score based on the second reputation score.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, further comprising:
    - initially set the first reputation score at a base value, when the network address is associated with a malicious action, modifying the first reputation score negatively,when the network address is associated with a third time period without malicious activity, modifying the first reputation score positively.
  - 16. The method of claim 15, wherein modifying the first reputation score negatively is based on a priority of the malicious action.
  - 17. The method of claim 14, further comprising:
    - performing a security function based on the second reputation score.
  - 18. The method of claim 14, wherein the event information comprises one or more statistical values associated with the one or more events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Singla, Anurag, Keller, Doron
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
KHAN, SHER A

Application Number

US13/716,781
Publication Number

US 20140173723A1
Time in Patent Office

967 Days
Field of Search

726 22- 30
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Reputation of network address

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Reputation of network address

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links