Reduction of false positive reputations through collection of overrides from customer deployments
First Claim
1. A method of operating a reputation service, the method comprising the steps of:
receiving by a reputation service executing on at least one computer an override of a reputation from a security product deployed at a network, the override identifying the reputation and containing at least a time-to-live value that defines a time interval over which the override is valid;
collecting by the reputation service the received override with other overrides of the reputation received from other distinct networks, the other overrides identifying the reputation and containing at least a corresponding time-to-live value that defines a corresponding time interval over which the override is valid; and
adjusting by the reputation service a confidence level that is associated with the reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold.
Abstract
An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided, in which overrides for a reputation of an adversary are reported to the reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to, a given IP address or URL. Such connectivity is allowed, even if such objects have a blacklisted reputation provided by the reputation service, in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i.e., a confidence level) of that object's reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service.
17 Claims
1. A method of operating a reputation service, the method comprising the steps of:
receiving by a reputation service executing on at least one computer an override of a reputation from a security product deployed at a network, the override identifying the reputation and containing at least a time-to-live value that defines a time interval over which the override is valid;
collecting by the reputation service the received override with other overrides of the reputation received from other distinct networks, the other overrides identifying the reputation and containing at least a corresponding time-to-live value that defines a corresponding time interval over which the override is valid; and
adjusting by the reputation service a confidence level that is associated with the reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for reporting overrides to a reputation service executing on at least one computer and processing of same by the reputation service, the method comprising the steps of:
generating by a security product executing on at least one computer and associated with a network an override upon detection of a false positive reputation;
populating by the security product the override with data including a time-to-live value that defines a time interval over which the override is valid, and an ID value that uniquely identifies the false positive reputation;
sending the override as telemetry to the reputation service;
collecting by the reputation service the override with other overrides of the false positive reputation received from other distinct networks, the other overrides also including a corresponding time-to-live value and an ID value that identifies the false positive reputation; and
adjusting by the reputation service a fidelity that is associated with the false positive reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold, the fidelity expressing a confidence level in the false positive reputation.
Dependent claims: 10, 11, 12.
13. A method for minimizing a false positive reputation for a resource, the method comprising the steps of:
communicating by a reputation service executing on at least one computer with a plurality of customer networks, each customer network including one or more security products that are arranged for i) blocking traffic to the resource in response to a reputation and an associated confidence level, the reputation and associated confidence level being assigned to the resource by the reputation service based both on a number of reported incidents received about the object from the plurality of customer networks and a severity level associated with each reported incident, and ii) having the blocking be negated through overrides by an administrator of the customer network, the overrides identifying the resource and containing at least a time-to-live value that defines a time interval over which the override is valid;
correlating the overrides from the plurality of customer networks by the reputation service; and
adjusting the confidence level for the reputation by the reputation service responsive to determining that a number of the correlated overrides from the plurality of customer networks that have an unexpired time-to-live value exceeds a predetermined threshold.
Dependent claims: 14, 15, 16, 17.
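The mechanism described in the abstract and in independent claims 1, 9 and 13 (incident-driven confidence, TTL-bounded overrides collected per distinct network, a threshold on the count of unexpired overrides, and an updated reputation pushed to every device) can be sketched as a small service. The following is an added illustration, not code from the patent or its assignee; the severity weights, the size of the confidence adjustment, the 0.5 blocking cut-off and the sample addresses and network names are all assumptions chosen for the example.

```python
# Added example (not from the patent): a toy reputation service that collects
# TTL-bounded overrides from distinct customer networks and lowers the
# confidence (fidelity) of a reputation once enough unexpired overrides exist.
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical severity weights: the patent only says confidence depends on
# the number of incidents and each incident's severity, not on these values.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0}


@dataclass
class Override:
    network_id: str      # the distinct customer network that reported it
    reputation_id: str   # ID uniquely identifying the overridden reputation (here: the resource)
    issued_at: float     # epoch seconds when the administrator allowed the traffic
    ttl: float           # time-to-live in seconds over which the override is valid

    def unexpired(self, now: float) -> bool:
        return now < self.issued_at + self.ttl


@dataclass
class Reputation:
    resource: str                # IP address or URL the reputation is about
    verdict: str = "blacklisted"
    incident_score: float = 0.0  # sum of severity weights of reported incidents


class ReputationService:
    def __init__(self, override_threshold: int = 3, saturation: float = 10.0,
                 override_discount: float = 0.6):
        self.threshold = override_threshold   # the "predetermined threshold"
        self.saturation = saturation          # incident score that yields confidence 1.0
        self.discount = override_discount     # hypothetical size of the fidelity adjustment
        self.reputations: Dict[str, Reputation] = {}
        self.overrides: Dict[str, List[Override]] = {}

    # Incident side: reputation and base confidence from count and severity.
    def report_incident(self, resource: str, severity: str) -> None:
        rep = self.reputations.setdefault(resource, Reputation(resource))
        rep.incident_score += SEVERITY_WEIGHT[severity]

    def base_confidence(self, resource: str) -> float:
        rep = self.reputations[resource]
        return min(1.0, rep.incident_score / self.saturation)

    # Override side: collect telemetry sent by the customer security products.
    def receive_override(self, ov: Override) -> bool:
        """Collect an override; returns False if it names an unknown reputation."""
        if ov.reputation_id not in self.reputations:
            return False
        bucket = self.overrides.setdefault(ov.reputation_id, [])
        # One override per distinct network: a fresh report from the same
        # network replaces its earlier one instead of being counted twice.
        bucket[:] = [o for o in bucket if o.network_id != ov.network_id]
        bucket.append(ov)
        return True

    def live_override_count(self, resource: str, now: float) -> int:
        """Number of distinct networks whose override still has an unexpired TTL."""
        return sum(1 for o in self.overrides.get(resource, []) if o.unexpired(now))

    # Adjustment: fidelity is reduced while live overrides exceed the threshold,
    # and recovers on its own once their TTLs run out.
    def confidence(self, resource: str, now: float) -> float:
        base = self.base_confidence(resource)
        if self.live_override_count(resource, now) > self.threshold:
            return base * (1.0 - self.discount)
        return base

    def publish(self, now: float, block_above: float = 0.5) -> Dict[str, dict]:
        """Updated reputations as pushed to every security device using the service."""
        feed = {}
        for resource, rep in self.reputations.items():
            conf = self.confidence(resource, now)
            feed[resource] = {"verdict": rep.verdict, "confidence": conf,
                              "block": rep.verdict == "blacklisted" and conf >= block_above}
        return feed


def demo() -> Dict[str, dict]:
    """Constructed scenario: one blacklisted IP, four customer networks override it."""
    svc = ReputationService(override_threshold=3)
    ip = "203.0.113.7"                        # documentation-range address, constructed
    for sev in ("high", "high", "medium"):    # three incidents -> score 10 -> confidence 1.0
        svc.report_incident(ip, sev)
    for net in ("net-a", "net-a", "net-b", "net-c", "net-d"):   # net-a reports twice
        svc.receive_override(Override(net, ip, issued_at=1_000.0, ttl=3_600.0))
    return {"during": svc.publish(now=1_100.0)[ip],     # 4 live overrides > threshold 3
            "after_ttl": svc.publish(now=4_601.0)[ip]}  # every override has expired


if __name__ == "__main__":
    print(demo())
```

Two properties of the claims are what make this safe to run on customer-originated telemetry: overrides are counted per distinct network (so one deployment repeating itself cannot reach the threshold alone), and each override carries a TTL (so a lowered fidelity is not permanent and the blacklisted verdict reasserts itself unless administrators keep renewing their overrides). How the service authenticates which network a report came from is not something this page states, and the example leaves it out.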