Communication-based host reputation system

US 8,381,289 B1
Filed: 03/31/2009
Issued: 02/19/2013
Est. Priority Date: 03/31/2009
Status: Active Grant

First Claim

Patent Images

1. A computer system for generating a host reputation score for a host connected to a network, the computer system comprising:

a memory;

a processor;

a reporting module stored on the memory and executable by the processor to;

receive information identifying a plurality of hosts connected to the network and information describing communications between a plurality of entities executing on a plurality of clients and the plurality of hosts;

receive information identifying one or more of the plurality of entities executing on the plurality of clients as malware threats; and

provide generated host reputation scores to the plurality of clients; and

a host reputation module stored on the memory and executable by the processor to;

identify malware entities executing onthe plurality of clients thatcommunicate with the host based at least on the informationidentifying the plurality of hosts, the information describingcommunications between the plurality of entities executing on theplurality of clients and the plurality of hosts, and the informationidentifying one or more of the plurality of entities as malware threats;

determine a number of the malware entities executing on the plurality ofclients that communicate with the host; and

generate the host reputation score for the host based at least on thenumber of the malware entities executing on the plurality of clientsthat communicate with the hostwherein the host reputationscore for the host indicates a likelihood that the host is malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.

206 Citations

20 Claims

1. A computer system for generating a host reputation score for a host connected to a network, the computer system comprising:
- a memory;
  
  a processor;
  
  a reporting module stored on the memory and executable by the processor to;
  
  receive information identifying a plurality of hosts connected to the network and information describing communications between a plurality of entities executing on a plurality of clients and the plurality of hosts;
  
  receive information identifying one or more of the plurality of entities executing on the plurality of clients as malware threats; and
  
  provide generated host reputation scores to the plurality of clients; and
  
  a host reputation module stored on the memory and executable by the processor to;
  
  identify malware entities executing onthe plurality of clients thatcommunicate with the host based at least on the informationidentifying the plurality of hosts, the information describingcommunications between the plurality of entities executing on theplurality of clients and the plurality of hosts, and the informationidentifying one or more of the plurality of entities as malware threats;
  
  determine a number of the malware entities executing on the plurality ofclients that communicate with the host; and
  
  generate the host reputation score for the host based at least on thenumber of the malware entities executing on the plurality of clientsthat communicate with the hostwherein the host reputationscore for the host indicates a likelihood that the host is malicious.
- View Dependent Claims (2, 3, 4)
- - 2. The computer system of claim 1, wherein the host reputation module is further executable to:
    - identify a set of entities that communicate with the host based on the information describing the communications between the plurality of entities and the plurality of hosts;
      
      identify the malware entities as a subset of the set of entities that communicate with the host that are identified as malware threats.
  - 3. The computer system of claim 2, wherein the host reputation module is further executable to:
    - generate the host reputation score for the host based at least on a relationship between the set of entities that communicate with the host and the malware entities.
  - 4. The system of claim 1, wherein the host reputation module is further executable to:
    - generate the host reputation score for the host which indicates that the host is innocuous responsive to the number of the malware entities being zero.

5. A computer-implemented method of identifying a malware threat at a client, the method comprising:
- receiving a host reputation score indicating whether a host connected to the client by a network is malicious, wherein the host reputation score is determined by;
  
  identifying malware entities executing on a plurality of clients that communicate with the host based at least on information identifying a plurality of hosts, information describing communications between a plurality of entities executing on the plurality of clients and the plurality of hosts, and information identifying one or more of the plurality of entities as malware threats;
  
  determining a number of the malware entities executing on the plurality of clients that communicate with the host; and
  
  generating the host reputation score for the host based at least on the number of malware entities executing on the plurality of clients that communicate with the host;
  
  identifying an entity executing on the client that communicates with the host via the network; and
  
  determining, by a computer, whether the entity is a malware threat based at least on the host reputation score indicating whether the host connected to the client by the network is malicious.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5, wherein the host reputation score comprises a value describing a likelihood that the host is malicious.
  - 7. The method of claim 5, wherein identifying an entity executing on the client that communicates with the host comprises:
    - monitoring network communications of the client to identify entities executing on the client and hosts with which the entities communicate.
  - 8. The method of claim 5, further comprising:
    - receiving malware threat information identifying malicious entities;
      
      wherein determining whether the entity is a malware threat is based at least on the malware threat information and the host reputation score.
  - 9. The method of claim 5, further comprising:
    - transmitting information indicating that the entity is a malware threat to a security server, responsive to determining that the entity is a malware threat; and
      
      receiving, from the security server, host reputation scores for one or more hosts, the host reputation scores generated by the security server based at least on the transmitted information.
  - 10. The method of claim 9, further comprising:
    - transmitting information describing why the entity was convicted as a malware threat to the security server.
  - 11. The method of claim 5, further comprising:
    - monitoring network communications involving the entity;
      
      analyzing the monitored network communications to determine hosts with which the entity communicates;
      
      providing identifiers of the entity and the hosts with which the entity communicates to a security server; and
      
      receiving, from the security server, host reputation scores for the hosts with which the client communicates, the host reputation scores generated by the security server based at least on the identifiers of the entity and hosts provided to the security server.
  - 12. The method of claim 5, wherein determining whether the entity is a malware threat based at least on the host reputation score comprises:
    - monitoring behaviors of the entity on the client;
      
      analyzing the monitored behaviors in view of malware threat information describing behaviors performed by malware threats; and
      
      determining whether the entity is a malware threat based at least on the analysis of the monitored behaviors.

13. A non-transitory computer-readable storage medium storing executable computer program code for identifying a malware threat at a client, the program code when executed by a processor causes the processor to perform the steps of:
- receiving a host reputation score indicating whether a host connected to the client by a network is malicious, wherein the host reputation score is determined by;
  
  identifying malware entities executing on a plurality of clients that communicate with the host based at least on information identifying a plurality of hosts, information describing communications between a plurality of entities executing on a plurality of clients and the plurality of hosts, and information identifying one or more of the plurality of entities as malware threats;
  
  determining a number of the malware entities executing on the plurality of clients that communicate with the host; and
  
  generating the host reputation score for the host based at least on the number of malware entities executing on the plurality of clients that communicate with the host;
  
  identifying an entity executing on the client that communicates with the host via the network; and
  
  determining whether the entity is a malware threat based at least on the host reputation score indicating whether the host connected to the client by the network is malicious.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The medium of claim 13, wherein the host reputation score comprises a value describing a likelihood that the host is malicious.
  - 15. The medium of claim 13, wherein identifying an entity executing on the client that communicates with the host comprises:
    - monitoring network communications of the client to identify entities at the client and hosts with which the entities communicate.
  - 16. The medium of claim 13, wherein the program code when executed by the processor further causes the processor to perform steps of:
    - receiving malware threat information identifying malicious entities;
      
      wherein determining whether the entity is a malware threat is based at least on the malware threat information and the host reputation score.
  - 17. The medium of claim 13, wherein the program code when executed by the processor further causes the processor to perform steps of:
    - transmitting information indicating that the entity is a malware threat to a security server, responsive to determining that the entity is a malware threat; and
      
      receiving, from the security server, host reputation scores for one or more hosts, the host reputation scores generated by the security server based at least on the transmitted information.
  - 18. The medium of claim 17, wherein the program code when executed by the processor further causes the processor to perform steps of:
    - transmitting information describing why the entity was convicted as a malware threat to the security server.
  - 19. The medium of claim 13, wherein the program code when executed by the processor further causes the processor to perform steps of:
    - monitoring network communications involving the entity;
      
      analyzing the monitored network communications to determine hosts with which the entity communicates;
      
      providing identifiers of the entity and the hosts with which the entity communicates to a security server; and
      
      receiving, from the security server, host reputation scores for the hosts with which the client communicates, the host reputation scores generated by the security server based at least on the identifiers of the entity and hosts provided to the security server.
  - 20. The medium of claim 13, wherein determining whether the entity is a malware threat based at least on the host reputation score comprises:
    - monitoring behaviors of the entity on the client;
      
      analyzing the monitored behaviors in view of malware threat information describing behaviors performed by malware threats; and
      
      determining whether the entity is a malware threat based at least on the analysis of the monitored behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane, Satish, Sourabh
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US12/416,020
Time in Patent Office

1,421 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 713/187, 713/188, 709/224, 709/225
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Communication-based host reputation system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Communication-based host reputation system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links