System and method for malware and network reputation correlation
Abstract
A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.
24 Claims
1. A method, comprising:
- intercepting, on an endhost, an attempt to establish a network connection with a remote end, wherein a file on the endhost is associated with the network connection;
- sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the file should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
- receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
- taking a policy action on the network connection when the response indicates the network connection should not be allowed.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. One or more non-transitory tangible media that includes code for execution and the code, when executed by one or more processors, is operable to perform operations comprising:
- intercepting, on an endhost, an attempt to establish a network connection with a remote end, wherein a file on the endhost is associated with the network connection;
- sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the file should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
- receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
- taking a policy action on the network connection when the response indicates the network connection should not be allowed.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. An apparatus, comprising:
- an analyzer module comprising instructions;
- one or more hardware processors configured to execute the instructions associated with the analyzer module, to perform operations comprising:
  - intercepting an attempt to establish a network connection with a remote end, wherein a file on the apparatus is associated with the network connection;
  - sending a reputation query including a hash of the file and a network address of the remote end to a threat analysis host to determine whether the network connection associated with the file should be allowed based on a real-time correlation of a file reputation of the hash and a network reputation of the network address;
  - receiving a response from the threat analysis host based on the real-time correlation of the file reputation of the hash and the network reputation of the network address, wherein the response indicates the network connection should not be allowed when the real-time correlation includes adjusting the file reputation of the hash to indicate the hash is associated with malicious activity, wherein the adjusting is based, at least in part, on the network reputation of the network address indicating the network address is associated with a malicious server, wherein the response includes a reputation value that indicates a level of trustworthiness from a range of two or more levels of trustworthiness, wherein the reputation value is based, at least in part, on the file reputation of the hash and the network reputation of the network address; and
  - taking a policy action on the network connection when the response indicates the network connection should not be allowed.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
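The exchange described in the abstract and in independent claims 1, 9 and 17 (endhost intercepts a connection, hashes the associated file, queries a threat analysis host, which correlates file and network reputation in real time and returns a multi-level reputation value), modelled as an added example that is not the patent's own code. The class and function names, the block threshold and the sample reputation data are assumptions made for illustration.

```python
"""Added illustration (not the patent's own code) of the claimed exchange: an endhost
intercepts a connection, hashes the file behind it and queries a threat analysis host,
which correlates file and network reputation in real time. Class and function names,
the block threshold and the sample reputation data are assumptions for illustration."""
import hashlib
from enum import IntEnum


class Trust(IntEnum):
    """Reputation value from a range of more than two levels of trustworthiness."""
    MALICIOUS = 0
    SUSPICIOUS = 1
    UNKNOWN = 2
    TRUSTED = 3


class ThreatAnalysisHost:
    def __init__(self, file_reps: dict, net_reps: dict):
        self.file_reps = dict(file_reps)  # sha256 hex digest -> Trust
        self.net_reps = dict(net_reps)    # remote network address -> Trust

    def query(self, file_hash: str, remote_addr: str) -> dict:
        """Real-time correlation: when the remote end is a known malicious server,
        the file reputation of the hash is adjusted to MALICIOUS and retained, so
        later connections by the same file are refused whatever their destination."""
        net_rep = self.net_reps.get(remote_addr, Trust.UNKNOWN)
        file_rep = self.file_reps.get(file_hash, Trust.UNKNOWN)
        if net_rep == Trust.MALICIOUS and file_rep != Trust.MALICIOUS:
            file_rep = Trust.MALICIOUS
            self.file_reps[file_hash] = file_rep
        reputation = min(file_rep, net_rep)  # combined value: the weaker of the two
        return {"reputation": reputation, "allow": reputation > Trust.SUSPICIOUS}


def intercept_connection(host: ThreatAnalysisHost, file_bytes: bytes, remote_addr: str) -> str:
    """Endhost side: hash the file associated with the connection, send the query
    and take the policy action ('block' or 'allow') that the response calls for."""
    file_hash = hashlib.sha256(file_bytes).hexdigest()
    return "allow" if host.query(file_hash, remote_addr)["allow"] else "block"


# Constructed sample data: a vetted updater, an unknown binary, one address with a
# malicious-server reputation and one trusted address (both from documentation ranges).
UPDATER = b"constructed bytes of a vetted updater"
UNKNOWN_BIN = b"constructed bytes of a never-before-seen binary"
HOST = ThreatAnalysisHost(
    file_reps={hashlib.sha256(UPDATER).hexdigest(): Trust.TRUSTED},
    net_reps={"203.0.113.7": Trust.MALICIOUS, "198.51.100.20": Trust.TRUSTED},
)
```

Once the unknown binary has been seen connecting to the malicious address, its hash is blocked even toward the trusted address, which is the persistence of the adjusted file reputation that the claims describe; the abstract's alternative of deriving the value from query patterns is not modelled here.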
Specification