Hygiene-based computer security

US 8,312,536 B2
Filed: 12/29/2006
Issued: 11/13/2012
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security, comprising:

using a computer to perform steps comprising;

determining hygiene scores associated with a plurality of clients, the hygiene scores changing over time and representing assessments of trustworthiness of the clients, the plurality of clients including first clients and a second client;

receiving data describing an entity encountered by the first clients of the plurality of clients;

calculating a reputation score for the entity responsive to the client hygiene scores of the first clients of the plurality of clients that encountered the entity, the reputation score representing an assessment of whether the entity is malicious; and

providing the reputation score for the entity to the second client of the plurality of clients, the second client of the plurality of clients encountering the entity and being associated with one of the hygiene scores.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients'"'"' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

77 Citations

View as Search Results

32 Claims

1. A method of providing computer security, comprising:
- using a computer to perform steps comprising;
  
  determining hygiene scores associated with a plurality of clients, the hygiene scores changing over time and representing assessments of trustworthiness of the clients, the plurality of clients including first clients and a second client;
  
  receiving data describing an entity encountered by the first clients of the plurality of clients;
  
  calculating a reputation score for the entity responsive to the client hygiene scores of the first clients of the plurality of clients that encountered the entity, the reputation score representing an assessment of whether the entity is malicious; and
  
  providing the reputation score for the entity to the second client of the plurality of clients, the second client of the plurality of clients encountering the entity and being associated with one of the hygiene scores.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining hygiene scores comprises:
    - receiving the hygiene scores from the plurality of clients via a computer network.
  - 3. The method of claim 1, wherein receiving data describing an entity encountered by the first clients of the plurality of clients comprises:
    - receiving data identifying at least one of a file or a website encountered by the first clients.
  - 4. The method of claim 1, wherein calculating the reputation score for the entity comprises:
    - determining whether the entity is malicious responsive to the hygiene scores of the first clients that encountered the entity.
  - 5. The method of claim 4, wherein the entity is a computer file and wherein determining whether the file is malicious comprises:
    - determining whether the first clients with hygiene scores indicating that the first clients are trustworthy download, install, or execute the file.
  - 6. The method of claim 1, wherein calculating the reputation score for the entity comprises:
    - identifying a set of super clients from the first clients that have hygiene scores indicating that the first clients are very trustworthy and have encountered the entity; and
      
      determining whether the entity is malicious responsive to the hygiene scores of the super clients and operations the super clients performed responsive to evaluating the reputation score of the entity.
  - 7. The method of claim 1, further comprising:
    - receiving submissions of entities detected on the plurality of clients;
      
      determining reputation scores for the submitted entities; and
      
      prioritizing the submitted entities responsive to the reputation scores.

8. A system for providing computer security, comprising:
- a non-transitory computer readable medium with computer program instructions embodied therein, the computer program instructions comprising instructions for;
  
  determining hygiene scores associated with a plurality of clients, the hygiene scores changing over time and representing assessments of trustworthiness of the clients, the plurality of clients including first clients and a second client;
  
  receiving data describing an entity encountered by the first clients of the plurality of clients;
  
  calculating a reputation score for the entity responsive to the client hygiene scores of the first clients of the plurality of clients that encountered the entity, the reputation score representing an assessment of whether the entity is malicious; and
  
  providing the reputation score for the entity to the second client of the plurality of clients, the second client of the plurality of clients encountering the entity and being associated with one of the hygiene scores; and
  
  a processor for executing the instructions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein determining the hygiene scores comprises:
    - receiving the hygiene scores from the plurality of clients via a computer network.
  - 10. The system of claim 8, wherein receiving data describing an entity encountered by one or more clients of the plurality of clients comprises:
    - receiving data identifying at least one of a file or a website encountered by the first clients of the plurality of clients.
  - 11. The system of claim 8, wherein calculating the reputation score for the entity comprises:
    - determining whether the entity is malicious responsive to the hygiene scores of the first clients that encountered the entity.
  - 12. The system of claim 11, wherein the entity is a computer file and wherein determining whether the file is malicious comprises:
    - determining whether the first clients with hygiene scores indicating that the first clients are trustworthy download, install, and/or execute the file.
  - 13. The system of claim 8, wherein calculating the reputation score for the entity comprises:
    - identifying a set of super clients from the first clients that have hygiene scores indicating that the first clients are very trustworthy and have encountered the entity; and
      
      determining whether the entity is malicious responsive to the hygiene scores of the super clients and operations the super clients performed responsive to evaluating the reputation score of the entity.
  - 14. The system of claim 8, further comprising:
    - receiving submissions of entities detected on the plurality of clients;
      
      determining reputation scores for the submitted entities; and
      
      prioritizing the submitted entities responsive to the reputation scores.

15. A method of providing security for a client, comprising:
- monitoring a state of the client to detect an encounter with an entity;
  
  receiving, at the client, a reputation score for the entity encountered by the client from a reputation server, the reputation score representing an assessment of whether the entity is malicious and calculated responsive to hygiene scores of other clients that encountered the entity, the hygiene scores changing over time and representing assessments of trustworthiness of the other clients, wherein the client receiving the reputation score is associated with a hygiene score representing an assessment of trustworthiness of the client; and
  
  evaluating the reputation score for the entity to determine whether the entity is malicious.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, further comprising:
    - calculating the hygiene score for the client; and
      
      providing the hygiene score for the client to the reputation server.
  - 17. The method of claim 16, wherein calculating the hygiene score for the client comprises:
    - determining a frequency at which malware is detected on the client; and
      
      calculating the hygiene score responsive to the frequency at which malware is detected on the client, wherein more frequent detections of malware result in a hygiene score indicating that the client is less trustworthy.
  - 18. The method of claim 15, further comprising:
    - providing data describing an operation performed on the client in response to the evaluation to the reputation server.
  - 19. The method of claim 15, wherein the entity is a file, program, or website.
  - 20. The method of claim 15, further comprising:
    - identifying the entity encountered by the client using a unique identifier; and
      
      providing the unique identifier to the reputation server;
      
      wherein the reputation score for the entity is received from the reputation server responsive to providing the server with the unique identifier.
  - 21. The method of claim 20, wherein the entity is a file and wherein the unique identifier is a hash of the file.
  - 22. The method of claim 15, wherein evaluating the reputation score for the entity comprises:
    - suspending an activity involving the entity;
      
      comparing the reputation score for the entity to a threshold; and
      
      canceling the suspended activity responsive to the comparison.
  - 23. The method of claim 15, wherein evaluating the reputation score for the entity comprises:
    - suspending an activity involving the entity;
      
      displaying a message describing the reputation score for the entity to a user of the client; and
      
      displaying a user interface to the user enabling the user to cancel the activity.

24. A computer program product having a non-transitory computer-readable medium with computer program instructions embodied therein for providing security on a client, the computer program instructions comprising instructions for:
- monitoring a state of the client to detect an encounter with an entity;
  
  receiving, at the client, a reputation score for the entity encountered by the client from a reputation server, the reputation score representing an assessment of whether the entity is malicious and calculated responsive to hygiene scores of other clients, the hygiene scores changing over time and representing assessments of trustworthiness of the other clients, wherein the client receiving the reputation score is associated with a hygiene score representing an assessment of trustworthiness of the client; and
  
  evaluating the reputation score for the entity to determine whether the entity is malicious.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The computer program product of claim 24, wherein the instructions further comprise instructions for:
    - calculating the hygiene score for the client; and
      
      providing the hygiene score for the client to the reputation server.
  - 26. The computer program product of claim 25, wherein the instructions further comprise instructions for:
    - determining a frequency at which malware is detected on the client; and
      
      calculatescalculating the hygiene score responsive to the frequency at which malware is detected on the client, wherein more frequent detections of malware result in a hygiene score indicating that the client is less trustworthy.
  - 27. The computer program product of claim 24, wherein the instructions further comprise instructions for:
    - providing data describing an operation performed on the client in response to the evaluation to the reputation server.
  - 28. The computer program product of claim 24, wherein the entity is a file, program, or website.
  - 29. The computer program product of claim 24, wherein the instructions further comprise instructions for:
    - identifying the entity encountered by the client using a unique identifier andproviding the unique identifier to the reputation server;
      
      wherein the reputation score for the entity is received from the reputation server responsive to providing the server with the unique identifier.
  - 30. The computer program product of claim 29, wherein the entity is a file and wherein the unique identifier is a hash of the file.
  - 31. The computer program product of claim 24, wherein the instructions further comprise instructions for:
    - suspending an activity involving the entity;
      
      comparing the reputation score for the entity to a threshold; and
      
      cancelling the suspended activity responsive to the comparison.
  - 32. The computer program product of claim 24, wherein the instructions further comprise instructions for:
    - suspending an activity involving the entity;
      
      displaying a message describing the reputation score for the entity to a user of the client;
      
      displaying a user interface to the user enabling the user to cancel the activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Griffin, Kent E.
Primary Examiner(s)
Shan, April

Application Number

US11/618,215
Publication Number

US 20090282476A1
Time in Patent Office

2,146 Days
Field of Search

726/21, 726/1, 726/10, 726/22, 713/156, 713/189, 705/38, 709223-225, 709/205, 370/328
US Class Current

726/22
CPC Class Codes

G06F 21/50 Monitoring users, programs ...

G06F 21/577 Assessing vulnerabilities a...

Hygiene-based computer security

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Hygiene-based computer security

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others