System and method for determining and using local reputations of users and hosts to protect information in a network environment

US 9,516,062 B2
Filed: 12/22/2014
Issued: 12/06/2016
Est. Priority Date: 04/10/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium having instructions stored therein that, when executed by one or more processors cause the one or more processors to:

correlate, by a reputation server, a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access by the host to sensitive data in the private network, wherein the access is indicated by the host events;

determine, by the reputation server, a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;

determine a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and

provide the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.

106 Citations

18 Claims

1. At least one non-transitory computer readable medium having instructions stored therein that, when executed by one or more processors cause the one or more processors to:
- correlate, by a reputation server, a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access by the host to sensitive data in the private network, wherein the access is indicated by the host events;
  
  determine, by the reputation server, a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
  
  determine a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
  
  provide the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the process includes copying a file to an off-line medium connected to the host.
  - 3. The at least one non-transitory computer readable medium of claim 1, wherein the process is associated with a network communication detected by the host.
  - 4. The at least one non-transitory computer readable medium of claim 3, wherein the network communication is associated with a network asset associated with the private network, wherein the policy is dynamically selected based, at least in part, on a sensitivity level of data in the network asset.
  - 5. The at least one non-transitory computer readable medium of claim 1, wherein the instructions, when executed by the one or more processors cause the one or more processors to:
    - receive a request from the host for the local user reputation score of the user identifier if the user identifier is associated with the process running on the host.
  - 6. The at least one non-transitory computer readable medium of claim 1, wherein at least two user events of the second set of event data are associated with different hosts of a plurality of hosts in the private network.
  - 7. The at least one non-transitory computer readable medium of claim 1, wherein the private network includes an intranet with one or more remote networks.
  - 8. The at least one non-transitory computer readable medium of claim 1, wherein at least a portion of the first set of event data is selected from one or more event notifications received from at least one event detection node in the private network.
  - 9. The at least one non-transitory computer readable medium of claim 1, wherein the evaluating access to sensitive data is to include at least one of:
    - (a) determining whether an aggregate number of the host events associated with accessing sensitive data reaches a predetermined threshold; and
      
      (b) determining whether a certain number of host events are associated with accessing sensitive data and transmitting the sensitive data.

10. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  a risk correlation module configured to interface with the memory element and the processor, wherein the apparatus is configured for;
  
  correlating a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access to sensitive data in the private network, wherein the access is indicated by the host events;
  
  determining a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
  
  determining a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
  
  providing the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, wherein the process is associated with one of copying a file to an off-line medium connected to the host or a network communication detected by the host.
  - 12. The apparatus of claim 11, wherein the network communication is associated with a network asset associated with the private network, wherein the policy is dynamically selected based, at least in part, on a sensitivity level of data in the network asset.
  - 13. The apparatus of claim 10, wherein the apparatus is further configured for:
    - receiving a request from the host for the local user reputation score if the user identifier corresponds to a user that is determined to be logged onto the host while the process is running on the host.
  - 14. The apparatus of claim 10, wherein the evaluating access to sensitive data in the private network is to include:
    - (a) determining whether an aggregate number of the host events associated with accessing sensitive data reaches a threshold; and
      
      (b) determining whether a certain number of host events are associated with accessing sensitive data in combination with transmitting the sensitive data.

15. A method comprising:
- correlating, by a reputation server, a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access by the host to sensitive data in the private network, wherein the access is indicated by the host events;
  
  determining, by the reputation server, a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
  
  determining a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
  
  providing the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the process is associated with one of copying a file to an off-line medium connected to the host or a network communication detected by the host.
  - 17. The method of claim 15, wherein at least two user events are associated with different hosts of a plurality of hosts.
  - 18. The method of claim 15, wherein the evaluating access to sensitive data in the private network is to include:
    - (a) determining whether an aggregate number of the host events associated with accessing sensitive data reaches a threshold; and
      
      (b) determining whether a certain number of host events are associated with accessing sensitive data in combination with transmitting the sensitive data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Diehl, David Frederick, Green, Michael W., Ma, Robert
Primary Examiner(s)
ABEDIN, SHANTO

Application Number

US14/580,091
Publication Number

US 20150180903A1
Time in Patent Office

715 Days
Field of Search

726 1- 2, 726 22- 25, 726/28, 726/29, 709224-226, 709/229, 709/238
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and method for determining and using local reputations of users and hosts to protect information in a network environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for determining and using local reputations of users and hosts to protect information in a network environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links