System and method for malware and network reputation correlation

US 9,122,877 B2
Filed: 03/21/2011
Issued: 09/01/2015
Est. Priority Date: 03/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting, on an endhost, an attempt to establish a network connection with a remote end, wherein a file on the endhost is associated with the network connection;

sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the tile should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;

receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and

taking a policy action on the network connection when the response indicates the network connection should not be allowed.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.

90 Citations

View as Search Results

24 Claims

1. A method, comprising:
- intercepting, on an endhost, an attempt to establish a network connection with a remote end, wherein a file on the endhost is associated with the network connection;
  
  sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the tile should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
  
  receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
  
  taking a policy action on the network connection when the response indicates the network connection should not be allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the reputation value is based, at least in part, on query patterns.
  - 3. The method claim 1, wherein the network connection is an inbound connection,
  - 4. The method of claim 1, wherein the network connection is an outbound network connection.
  - 5. The method of claim 1, wherein the policy action comprises blocking the network connection.
  - 6. The method of claim 1, wherein the policy action comprises alerting a user.
  - 7. The method of claim 1, wherein the policy action comprises creating a log of the network connection.
  - 8. The method of claim 1, wherein the file reputation is adjusted without analyzing the file.

9. One or more non-transitory tangible media that includes code for execution and the code, when executed by one or more processors, is operable to perform operations comprising:
- intercepting, on an endhost, an attempt to establish a network connection with a remote end, wherein a file on the endhost is associated with the network connection;
  
  sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the file should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
  
  receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
  
  taking a policy action on the network connection when the response indicates the network connection should not be allowed.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more non-transitory tangible media of claim 9, wherein the reputation value is based, at least in part, on query patterns.
  - 11. The one or more non-transitory tangible media of claim 9, wherein the network connection is an inbound connection.
  - 12. The one or more non-transitory tangible media of claim 9, wherein the network connection is an outbound network connection.
  - 13. The one or more non-transitory tangible media of claim 9, wherein the policy action comprises blocking the network connection.
  - 14. The one or more non-transitory tangible media of claim 9, wherein the policy action comprises alerting a user.
  - 15. The one or more non-transitory tangible media of claim 9, wherein the policy action comprises creating a log of the network connection.
  - 16. The one or more non-transitory tangible media of claim 9, wherein the file reputation is to be adjusted without analyzing the file.

17. An apparatus, comprising:
- an analyzer module comprising instructions;
  
  one or more hardware processors configured to execute the instructions associated with the analyzer module, to perform operations comprising;
  
  intercepting an attempt to establish a network connection with a remote end, wherein a file on the apparatus is associated with the network connection;
  
  sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the file should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
  
  receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
  
  taking a policy action on the network connection when the response indicates the network connection should not be allowed.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein the reputation value is based, at least in part, on query patterns.
  - 19. The apparatus of claim 17, wherein the network connection is an inbound connection.
  - 20. The apparatus of claim 17, wherein the network connection is an outbound network connection.
  - 21. The apparatus of claim 17, wherein the policy action comprises blocking the network connection.
  - 22. The apparatus of claim 17, wherein the policy action comprises alerting a user.
  - 23. The apparatus of claim 17, wherein the policy action comprises creating a log of the network connection.
  - 24. The apparatus of claim 17, wherein the file reputation is to be adjusted without analyzing the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alperovitch, Dmitri, Krasser, Sven
Primary Examiner(s)
Zaidi, S. Ali

Application Number

US13/052,739
Publication Number

US 20130247201A1
Time in Patent Office

1,625 Days
Field of Search

726/24, 726/22, 726/23, 709/206, 709/225
US Class Current

1/1
CPC Class Codes

G06F 16/148   File search processing

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

System and method for malware and network reputation correlation

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malware and network reputation correlation

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links