Detection of adversaries through collection and correlation of assessments
First Claim
1. A method of operating a reputation service, the method comprising the steps of:
- collecting an assessment of a detected adversary from a security product deployed at a network, the assessment containing at least a time-to-live value that defines a time interval over which the assessment is valid; and
- correlating the collected assessment with other assessments to establish a confidence level that is associated with a reputation for the detected adversary.
Abstract
An automated arrangement for detecting adversaries is provided in which assessments of detected adversaries are reported to a reputation service from security devices, such as unified threat management systems in deployed customer networks. Because the sensors are actual deployed networks, their number can be very large, which widens the scope of adversary detection while still observing real attacks and threats, including those targeted at small sets of customers. The reputation service performs a number of correlations and validations on the received assessments and then returns a reputation to the security device in the enterprise network, which can use it for blocking adversaries. A reputation is returned only when multiple, distinct sources report the same adversary in their assessments, which ensures that the reputation is accurate and reliable.
20 Claims
1. A method of operating a reputation service, the method comprising the steps of:
- collecting an assessment of a detected adversary from a security product deployed at a network, the assessment containing at least a time-to-live value that defines a time interval over which the assessment is valid; and
- correlating the collected assessment with other assessments to establish a confidence level that is associated with a reputation for the detected adversary.
Dependent claims: 2 to 14.
15. A computer-readable storage medium containing instructions which, when executed by one or more processors disposed in an electronic device, perform a method for reporting assessments to a reputation service, the method comprising the steps of:
- generating an assessment upon detection of an adversary attacking an enterprise network;
- populating the assessment with data including a time-to-live value that defines a time interval over which the assessment is valid, and an ID value that uniquely identifies the adversary; and
- sending the assessment as telemetry to the reputation service.
Dependent claims: 16 and 17.
18. A computer-implemented database, comprising:
- records arranged for storing assessments relating to an adversary detected by a plurality of sensors distributed among customer networks, each assessment including at least a time-to-live value that defines a time interval over which the reputation assessment is valid; and
- an interface to a reputation service by which multiple valid records are correlated to derive a fidelity for a reputation associated with the adversary.
Dependent claims: 19 and 20.
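As an added illustration, not code from the patent or from any product it describes, the following Python model implements the correlation that the abstract and claims describe: each assessment carries an adversary ID and a time-to-live, expired assessments are ignored, and a reputation is derived only when several distinct sensors have valid assessments for the same adversary. The field names, the three-source threshold, the confidence formula and the sample sensor reports are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    """One report of a detected adversary, as sent by a deployed sensor."""
    adversary_id: str   # ID value that uniquely identifies the adversary
    source_id: str      # the reporting security device (assumed field)
    observed_at: float  # detection time, epoch seconds (assumed field)
    ttl: float          # time-to-live: seconds the assessment stays valid

    def is_valid(self, now: float) -> bool:
        """An assessment is valid from observation until its TTL elapses."""
        return self.observed_at <= now < self.observed_at + self.ttl


class ReputationService:
    MIN_DISTINCT_SOURCES = 3     # assumed: reputation needs this many sensors
    FULL_CONFIDENCE_SOURCES = 5  # assumed: confidence saturates at 1.0 here

    def __init__(self) -> None:
        self._records: dict[str, list[Assessment]] = defaultdict(list)

    def collect(self, assessment: Assessment) -> None:
        """Store telemetry; repeat reports from one sensor are kept but are
        never counted as independent corroboration."""
        self._records[assessment.adversary_id].append(assessment)

    def reputation(self, adversary_id: str, now: float) -> tuple[str, float]:
        """Correlate currently valid assessments and return (verdict, confidence).
        Expired assessments and duplicates from the same sensor are ignored,
        so a single noisy sensor cannot by itself cause blocking."""
        valid = [a for a in self._records.get(adversary_id, [])
                 if a.is_valid(now)]
        sources = {a.source_id for a in valid}
        if len(sources) < self.MIN_DISTINCT_SOURCES:
            return ("unknown", 0.0)
        confidence = min(1.0, len(sources) / self.FULL_CONFIDENCE_SOURCES)
        return ("block", confidence)


if __name__ == "__main__":
    # Constructed sample telemetry (documentation address range, not a real IoC).
    svc = ReputationService()
    for t in (100, 200, 300):                     # one sensor reporting repeatedly
        svc.collect(Assessment("203.0.113.7", "sensor-A", t, ttl=600))
    print(svc.reputation("203.0.113.7", now=350))  # single source: unknown
    svc.collect(Assessment("203.0.113.7", "sensor-B", 320, ttl=600))
    svc.collect(Assessment("203.0.113.7", "sensor-C", 330, ttl=600))
    print(svc.reputation("203.0.113.7", now=350))  # three sources: block
    print(svc.reputation("203.0.113.7", now=950))  # all TTLs elapsed: unknown
```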
Specification