Real-time network updates for malicious content

US 10,089,466 B2
Filed: 05/09/2017
Issued: 10/02/2018
Est. Priority Date: 03/16/2009
Status: Active Grant

First Claim

Patent Images

1. A method for identifying network threats, the method comprising:

receiving data over a communication network from one or more real-time data feeds;

aggregating data from a plurality of sources regarding the one or more real-time data feeds;

breaking down the received data from the one or more real-time data feeds into a series of components;

generating reputation scores for each component;

generating a signature based on the received data from at least one of the real-time data feeds;

identifying that the signature is associated with a pattern that has a bad reputation;

identifying that the at least one real-time data feed is associated with malicious content based on a reputation score of a component associated with the identified real-time data feed; and

blocking the identified real-time data feed based on the association with the malicious content and the signature being associated with the pattern that has the bad reputation.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A global response network collects, analyzes, and distributes “cross-vector” threat-related information between security systems to allow for an intelligent, collaborative, and comprehensive real-time response.

37 Citations

View as Search Results

16 Claims

1. A method for identifying network threats, the method comprising:
- receiving data over a communication network from one or more real-time data feeds;
  
  aggregating data from a plurality of sources regarding the one or more real-time data feeds;
  
  breaking down the received data from the one or more real-time data feeds into a series of components;
  
  generating reputation scores for each component;
  
  generating a signature based on the received data from at least one of the real-time data feeds;
  
  identifying that the signature is associated with a pattern that has a bad reputation;
  
  identifying that the at least one real-time data feed is associated with malicious content based on a reputation score of a component associated with the identified real-time data feed; and
  
  blocking the identified real-time data feed based on the association with the malicious content and the signature being associated with the pattern that has the bad reputation.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein at least some of the series of components are thumbprints generated from at least a portion of the at least one real-time data feed.
  - 3. The method of claim 2, wherein the signature is associated with the malicious content, and at least one thumbprint generated from the at least one real-time data feed is not yet associated with the malicious content, and further comprising associating the at least one thumbprint with the bad reputation.
  - 4. The method of claim 1, further comprising identifying a component reputation as good or bad for each of the series of components.
  - 5. The method of claim 4, wherein the component reputation for each of the series of components is identified based on reputation information received from a data center.
  - 6. The method of claim 4, wherein the component reputation for each of the series of components is identified based on at least one of an IP address, a URL, a file attachment, or an embedded image.
  - 7. The method of claim 4, further comprising vetting the component reputations identified as good or bad against the data received from a plurality of security appliances using votes received from one or more user devices.

8. A non-transitory computer readable storage medium having embodied thereon a program executable by a processor for implementing a method for identifying network threats, the method comprising:
- receiving data over a communication network from one or more real-time data feeds;
  
  aggregating data from a plurality of sources regarding the one or more real-time data feeds;
  
  breaking down the received data from the one or more real-time data feeds into a series of components;
  
  generating reputation scores for each component;
  
  generating a signature based on the received data from at least one of the real-time data feed;
  
  identifying that the signature is associated with a pattern that has a bad reputation;
  
  identifying that the at least one real-time data feed is associated with malicious content based on a reputation score of a component associated with the identified real-time data feed; and
  
  blocking the identified real-time data feed based on the association with the malicious content and the signature being associated with the pattern that has the bad reputation.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein at least some of the series of components are thumbprints generated from at least a portion of the at least one real-time data feed.
  - 10. The non-transitory computer readable storage medium of claim 9, wherein the signature is associated with the malicious content, and at least one thumbprint generated from the at least one real-time data feed is not associated with the malicious content, and wherein the program further comprises instructions executable to associate the at least one thumbprint with the bad reputation.
  - 11. The non-transitory computer readable storage medium of claim 8, wherein the program further comprises instructions executable to identify a component reputation as good or bad for each of the series of components.
  - 12. The non-transitory computer readable storage medium of claim 11, wherein the component reputation for each of the series of components is identified using reputation information received from a data center.
  - 13. The non-transitory computer readable storage medium of claim 11, wherein the component reputation for each of the series of components is identified using at least one of an IP address, a URL, a file attachment, or an embedded image.
  - 14. The non-transitory computer readable storage medium of claim 12, wherein the program further comprises instructions executable to vet the component reputations identified as good or bad against the data received from a plurality of security appliances using votes received from one or more user devices.

15. A system for identifying network threats, the system comprising:
- a communication network interface of a computing device that receives data over a communication network from one or more real-time data feeds; and
  
  a memory;
  
  a processor of the computing device that executes instructions stored in the memory, wherein execution of the instructions by the processor;
  
  aggregates data from a plurality of sources regarding the one or more real-time data feeds;
  
  breaks down the received data from the one or more real-time data feeds into a series of components;
  
  generates reputation scores for each component;
  
  generates a signature from the received data from at least one of the real-time data feed;
  
  identifies that the signature is associated with a pattern that has a bad reputation;
  
  identifies that the at least one real-time data feed is associated with malicious content based on a reputation score of a component associated with the identified real-time data feed; and
  
  blocks the identified real-time data feed based on the association with the malicious content and the signature being associated with the pattern that has the bad reputation.
- View Dependent Claims (16)
- - 16. The system of claim 15, further comprising a plurality of security appliances communicatively coupled to the computing device, wherein the component reputations identified as good or bad are vetted against the data received from the plurality of security appliances using votes received from one or more user devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SonicWALL US Holdings, Inc. (SonicWall Holdings Ltd.)
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Yanovsky, Boris, Eikenberry, Scott D., Rachamreddy, Bhuvanasundar, Bilogorskiy, Nick, Bhimaraju, Gayatri
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US15/590,897
Publication Number

US 20170316207A1
Time in Patent Office

511 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/04   Real-time or near real-time...

H04L 63/1408   by monitoring network traff...

Real-time network updates for malicious content

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time network updates for malicious content

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links