Reduction of false positive reputations through collection of overrides from customer deployments

US 7,953,969 B2
Filed: 08/17/2007
Issued: 05/31/2011
Est. Priority Date: 04/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method of operating a reputation service, the method comprising the steps of:

receiving by a reputation service executing on at least one computer an override of a reputation from a security product deployed at a network, the override identifying the reputation and containing at least a time-to-live value that defines a time interval over which the override is valid;

collecting by the reputation service the received override with other overrides of the reputation received from other distinct networks, the other overrides identifying the reputation and containing at least a corresponding time-to-live value that defines a corresponding time interval over which the override is valid; and

adjusting by the reputation service a confidence level that is associated with the reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided in which overrides for a reputation of an adversary are reported to a reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to a given IP address or URL. Such connectivity is allowed—even if such objects have a blacklisted reputation provided by a reputation service—in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i.e., a confidence level) of that object'"'"'s reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service.

32 Citations

View as Search Results

17 Claims

1. A method of operating a reputation service, the method comprising the steps of:
- receiving by a reputation service executing on at least one computer an override of a reputation from a security product deployed at a network, the override identifying the reputation and containing at least a time-to-live value that defines a time interval over which the override is valid;
  
  collecting by the reputation service the received override with other overrides of the reputation received from other distinct networks, the other overrides identifying the reputation and containing at least a corresponding time-to-live value that defines a corresponding time interval over which the override is valid; and
  
  adjusting by the reputation service a confidence level that is associated with the reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 including a further step of authenticating the override using one of ID or security certificate.
  - 3. The method of claim 1 in which the security product is one of firewall product or UTM product.
  - 4. The method of claim 1 including a further step of generating an updated reputation only when multiple valid overrides are received from distinct networks, each of the multiple valid overrides identifying the reputation.
  - 5. The method of claim 4 in which the confidence level is expressed by a fidelity of the reputation that decrease as a number of received valid overrides increases.
  - 6. The method of claim 1 in which the reputation is generated by the reputation service.
  - 7. The method of claim 6 in which the reputation is generated responsively to a plurality of assessments of detected adversaries reported by multiple distinct customers.
  - 8. The method of claim 1 in which the override identifies a reputation to be overridden by identifying a Uniform Resource Locator (URL) or Internet Protocol (IP) address.

9. A method for reporting overrides to a reputation service executing on at least one computer and processing of same by the reputation service, the method comprising the steps of:
- generating by a security product executing on at least one computer and associated with a network an override upon detection of a false positive reputation;
  
  populating by the security product the override with data including a time-to-live value that defines a time interval over which the override is valid, and an ID value that uniquely identifies the false positive reputation;
  
  sending the override as telemetry to the reputation service;
  
  collecting by the reputation service the override with other overrides of the false positive reputation received from other distinct networks, the other overrides also including a corresponding time-to-live value and an ID value that identifies the false positive reputation; and
  
  adjusting by the reputation service a fidelity that is associated with the false positive reputation responsive to determining that the number of collected overrides having an unexpired time-to-live value exceeds a predetermined threshold, the fidelity expressing a confidence level in the false positive reputation.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 including a further step of receiving by the security product-an updated reputation which includes the adjusted fidelity associated with the false positive reputation.
  - 11. The method of claim 10 including a further step of enabling by the security product communication with an object responsively to the updated reputation.
  - 12. The method of claim 11 in which the object is one of URL or IP address.

13. A method for minimizing a false positive reputation for a resource, the method comprising the steps of:
- communicating by a reputation service executing on at least one computer with a plurality of customer networks, each customer network including one or more security products that are arranged for i) blocking traffic to the resource in response to a reputation and an associated confidence level, the reputation and associated confidence level being assigned to the resource by the reputation service based both on a number of reported incidents received about the object from the plurality of customer networks and a severity level associated with each reported incident, and ii) having the blocking be negated through overrides by an administrator of the customer network, the overrides identifying the resource and containing at least a time-to-live value that defines a time interval over which the override is valid;
  
  correlating the overrides from the plurality of customer networks by the reputation service; and
  
  adjusting the confidence level for the reputation by the reputation service responsive to determining that a number of the correlated overrides from the plurality of customer networks that have an unexpired time-to-live value exceeds a predetermined threshold.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 in which the resource comprises one of URL or IP address.
  - 15. The method of claim 13 in which the communicating includes receiving telemetry data.
  - 16. The method of claim 13 in which the confidence level comprises fidelity.
  - 17. The method of claim 13 including a further step of providing an updated reputation to one or more of the customer networks after performing the step of adjusting.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Hudis, Efim
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/893,974
Publication Number

US 20080256622A1
Time in Patent Office

1,383 Days
Field of Search

713/155, 709/225
US Class Current

713/155
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Reduction of false positive reputations through collection of overrides from customer deployments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Reduction of false positive reputations through collection of overrides from customer deployments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links