SYSTEM AND METHOD FOR DETERMINING AND USING LOCAL REPUTATIONS OF USERS AND HOSTS TO PROTECT INFORMATION IN A NETWORK ENVIRONMENT

US 20130268994A1
Filed: 04/10/2012
Published: 10/10/2013
Est. Priority Date: 04/10/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

correlating a first set of event data from a private network;

determining a local reputation score of a host in the private network based on the correlating the first set of event data; and

providing the local reputation score of the host to a security node,wherein the security node applies a policy, based on the local reputation score of the host, to a network communication associated with the host.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.

234 Citations

24 Claims

1. A method comprising:
- correlating a first set of event data from a private network;
  
  determining a local reputation score of a host in the private network based on the correlating the first set of event data; and
  
  providing the local reputation score of the host to a security node,wherein the security node applies a policy, based on the local reputation score of the host, to a network communication associated with the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the local reputation score of the host is mapped to a network address of the host.
  - 3. The method of claim 2, wherein the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network, wherein each of the one or more events is associated with the network address of the host.
  - 4. The method of claim 2, wherein the network address of the host is one of a source address and a destination address of the network communication.
  - 5. The method of claim 1, further comprising:
    - determining a local reputation score of a user based on correlating a second set of event data from the private network; and
      
      providing the local reputation score of the user to the security node if the network communication is associated with the user.
  - 6. The method of claim 5, wherein the policy based on the local reputation score of the host is applied to the network communication when the policy based on the local reputation score of the host is more restrictive than a different policy based on the local reputation score of the user.
  - 7. The method of claim 5, wherein the local reputation score of the user is mapped to a user identifier of the user.
  - 8. The method of claim 7, wherein the second set of event data includes one or more event indicators representing one or more events, respectively, in the private network, wherein each of the one or more events is associated with the user identifier.
  - 9. The method of claim 1, wherein the private network includes an intranet with one or more remote networks.
  - 10. The method of claim 1, wherein at least a portion of the first set of event data is selected from one or more event notifications received from at least one event detection node in the private network.
  - 11. The method of claim 1, wherein at least a portion of the first set of event data is fetched from an event data repository in the private network, wherein one or more event detection nodes stored the first set of event data in the event data repository.
  - 12. The method of claim 1, wherein the security node is one of a network security device and a host.

13. A method comprising:
- correlating a first set of event data from a private network;
  
  determining a local reputation score of a user of the private network based on the correlating the first set of event data; and
  
  providing the local reputation score of the user to a security node,wherein the security node applies a policy, based on the local reputation score of the user, to a network communication associated with the user.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the local reputation score of the user is mapped to a user identifier of the user.
  - 15. The method of claim 14, wherein the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network, wherein each of the one or more events is associated with the user identifier of the user.
  - 16. The method of claim 13, wherein a process on a host in the private network initiated the network communication, and wherein a process owner of the process corresponds to the user identifier of the user.
  - 17. The method of claim 13, further comprising:
    - determining a local reputation score of a host in the private network based on correlating a second set of event data from the private network; and
      
      providing the local reputation score of the host to the security node if the network communication is associated with the host,wherein the local reputation score of the host is mapped to a network address of the host.

18. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  a risk correlation module configured to interface with the memory element and the processor, wherein the apparatus is configured for;
  
  correlating a first set of event data from a private network;
  
  determining a local reputation score of a host in the private network based on the correlating the first set of event data; and
  
  providing the local reputation score of the host to a security node,wherein the security node applies a policy, based on the local reputation score of the host, to a network communication associated with the host.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the local reputation score of the host is mapped to a network address of the host.
  - 20. The apparatus of claim 18, wherein the apparatus is further configured for:
    - determining a local reputation score of a user based on correlating a second set of event data from the private network; and
      
      providing the local reputation score of the user to the network security node if the network communication is associated with the user.

21. A method comprising:
- correlating a first set of event data from a private network;
  
  determining a local reputation score of a host in the private network based on the correlating the first set of event data; and
  
  providing the local reputation score of the host to the host,wherein a policy is selected based on the local reputation score of the host, and wherein the policy is applied to a process detected by the host.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the process includes copying a file to an off-line media connected to the host.
  - 23. The method of claim 21, further comprising:
    - determining a local reputation score of a user based on correlating a second set of event data; and
      
      providing the local reputation score of the user to the host if the user is the process owner of the process.
  - 24. The method of claim 23, wherein the policy based on the local reputation score of the host is applied to the process when the policy based on the local reputation score of the host is more restrictive than a different policy based on the local reputation score of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Diehl, David Frederick, Green, Michael W., Ma, Robert

Granted Patent

US 8,931,043 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

SYSTEM AND METHOD FOR DETERMINING AND USING LOCAL REPUTATIONS OF USERS AND HOSTS TO PROTECT INFORMATION IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

234 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR DETERMINING AND USING LOCAL REPUTATIONS OF USERS AND HOSTS TO PROTECT INFORMATION IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

234 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others