Detection of adversaries through collection and correlation of assessments

US 20080256619A1
Filed: 08/17/2007
Published: 10/16/2008
Est. Priority Date: 04/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method of operating a reputation service, the method comprising the steps of:

collecting an assessment of a detected adversary from a security product deployed at a network, the assessment containing at least a time-to-live value that defines a time interval over which the assessment is valid; and

correlating the collected assessment with other assessments to establish a confidence level that is associated with a reputation for the detected adversary.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated arrangement for detecting adversaries is provided in which assessments of detected adversaries are reported to a reputation service from security devices, such as unified threat management systems in deployed customer networks. By using actual deployed networks, the number of available sensors can be very large to increase the scope of the adversary detection, while still observing real attacks and threats including those that are targeted to small sets of customers. The reputation service performs a number of correlations and validations on the received assessments to then return a reputation back to the security device in the enterprise network that can be used for blocking adversaries, but only when multiple, distinct sources report the same adversary in their assessments to thus ensure that the reputation is accurate and reliable.

116 Citations

View as Search Results

20 Claims

1. A method of operating a reputation service, the method comprising the steps of:
- collecting an assessment of a detected adversary from a security product deployed at a network, the assessment containing at least a time-to-live value that defines a time interval over which the assessment is valid; and
  
  correlating the collected assessment with other assessments to establish a confidence level that is associated with a reputation for the detected adversary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 including a further step of authenticating the assessment using one of ID or security certificate.
  - 3. The method of claim 1 in which the security product is one of firewall product or UTM product.
  - 4. The method of claim 1 including a further step of generating the reputation only when multiple valid assessments are received from distinct networks that identify the detected adversary.
  - 5. The method of claim 1 in which the assessment provides a severity of a security incident associated with the detected adversary.
  - 6. The method of claim 5 in which the severity is used to establish the fidelity.
  - 7. The method of claim 1 in which the time-to-live value is increased when the security product detects the adversary on a recurring basis.
  - 8. The method of claim 7 in which the time-to-live value is increased using a function selected from one of exponential or geometric.
  - 9. The method of claim 4 in which the fidelity increases as the number valid assessments received increases.
  - 10. The method of claim 1 including a further step of maintaining a list of excluded proxies from which received assessments are ignored.
  - 11. The method of claim 1 including a further step of maintaining a list of excluded shared web hosting sites for which received assessments are ignored.
  - 12. The method of claim 1 in which the assessment identifies a URL or IP address associated with the adversary.
  - 13. The method of claim 12 in which the URL or the IP address is subjected to a hashing algorithm.
  - 14. The method of claim 13 in which the hashing algorithm is one of CRC32, MD-5 or SHA-1.

15. A computer-readable storage medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for reporting assessments to a reputation service, the method comprising the steps of:
- generating an assessment upon detection of an adversary attacking an enterprise network;
  
  populating the assessment with data including a time-to-live value that defines a time interval over which the assessment is valid, and an ID value that uniquely identifies the adversary; and
  
  sending the assessment as telemetry to the reputation service.
- View Dependent Claims (16, 17)
- - 16. The computer-readable storage medium of claim 15 in which the method includes a further step of populating the assessment with a severity of an incident associated with the adversary.
  - 17. The computer-readable storage medium of claim 16 in which the ID value is one of URL or IP address.

18. A computer-implemented database, comprising:
- records arranged for storing assessments relating to an adversary detected by a plurality of sensors distributed among customer networks, each assessment including at least a time-to-live value that defines a time interval over which the reputation assessment is valid; and
  
  an interface to a reputation service by which multiple valid records are correlated to derive a fidelity for a reputation associated with the adversary.
- View Dependent Claims (19, 20)
- - 19. The computer-implemented database of claim 18 in which the adversary is a compromised host operating on a botnet.
  - 20. The computer-implemented database of claim 18 in which the derived fidelity provides a level of confidence for the reputation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Hudis, Efim

Granted Patent

US 8,677,479 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2463/144   Detection or countermeasure...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 9/3263   involving certificates, e.g...

Detection of adversaries through collection and correlation of assessments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of adversaries through collection and correlation of assessments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links