Lineage-based reputation system
First Claim
1. A computer-implemented method of determining a reputation score for a file, the method comprising:
using a computer to perform steps comprising:
receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware.
Abstract
A computer generates a reputation score for a file based at least in part on the lineage of the file. A security module on a client monitors file creations on the client and identifies a parent file creating a child file. The security module provides a lineage report describing the lineage relationship to a security server. The security server uses lineage reports from the client to generate one or more lineage scores for the files identified by the reports. The security server aggregates the lineage scores for files reported by multiple clients. The aggregated lineage scores are used by the security server to generate reputation scores for files. The reputation score for a file indicates a likelihood that the file is malicious. The security server reports the reputation scores to the clients, and the clients use the reputation scores to determine whether files detected at the clients are malicious.
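The abstract and the first claim describe a pipeline (client reports parent-creates-child relationships; server computes lineage metrics per file, aggregates them into a proportion of malicious creations, derives a reputation score; clients act on that score) but not its arithmetic. The Python below is an added worked example written for this page, not the patent holder's code. Everything beyond the page's wording is an assumption: parents are judged against a server-side set of known-malware hashes, the three lineage metrics, mean aggregation, the prior-weighted reputation formula, the 0.5 threshold, and the sample reports and hash names, which are constructed placeholders. One practical check it includes: observations are keyed per client, so a single client resending the same relationship cannot inflate a file's score.

```python
"""Lineage-based reputation scoring (illustrative example, not the patent's code).

Assumed design, not stated on the page: parents are judged malicious against a
server-side set of known-malware hashes; three lineage metrics are computed and
averaged; the reputation score shrinks toward a prior when observations are few.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LineageReport:
    """One observation from a client: `parent_hash` created `child_hash`."""
    client_id: str
    parent_hash: str
    child_hash: str


class ReputationServer:
    def __init__(self, known_malware, prior=0.05, prior_weight=1.0):
        self.known_malware = set(known_malware)
        self.prior = prior                # likelihood assumed for a never-seen file
        self.prior_weight = prior_weight  # number of observations the prior is worth
        # child -> {(client, parent)}: keyed per client so one client re-sending
        # the same relationship cannot inflate the score
        self._obs = defaultdict(set)

    def receive_report(self, report):
        self._obs[report.child_hash].add((report.client_id, report.parent_hash))

    def lineage_scores(self, child):
        """Lineage metrics for `child`, each a proportion in [0, 1] (assumed set)."""
        obs = self._obs.get(child)
        if not obs:
            return {}
        bad = self.known_malware
        parents = {p for _, p in obs}
        clients = {c for c, _ in obs}
        return {
            # how often the file was created by malware, over all observations
            "creation_proportion": sum(p in bad for _, p in obs) / len(obs),
            # what share of the file's distinct parents are malware
            "parent_proportion": len(parents & bad) / len(parents),
            # what share of reporting clients saw malware create the file
            "client_proportion": len({c for c, p in obs if p in bad}) / len(clients),
        }

    def aggregated_lineage_score(self, child):
        scores = self.lineage_scores(child)
        return sum(scores.values()) / len(scores) if scores else None

    def reputation_score(self, child):
        """Likelihood that `child` is malware: aggregated lineage score, shrunk
        toward the prior when there are few observations (assumed formula)."""
        agg = self.aggregated_lineage_score(child)
        if agg is None:
            return self.prior
        n = len(self._obs[child])
        return (agg * n + self.prior * self.prior_weight) / (n + self.prior_weight)

    def promote(self, threshold=0.5):
        """Treat files whose reputation reaches `threshold` as malware and
        rescore until stable, so a verdict propagates down a
        dropper -> payload -> stage chain."""
        promoted = []
        changed = True
        while changed:
            changed = False
            for child in list(self._obs):
                if child not in self.known_malware and self.reputation_score(child) >= threshold:
                    self.known_malware.add(child)
                    promoted.append(child)
                    changed = True
        return promoted


def classify(reputation, threshold=0.5):
    """Client-side decision from a server-supplied reputation score."""
    return "malicious" if reputation >= threshold else "benign"


# Constructed sample reports; hash names are placeholders, not real digests.
SAMPLE_REPORTS = [
    LineageReport("c1", "h_dropper", "h_payload"),
    LineageReport("c1", "h_dropper", "h_payload"),    # duplicate from c1, deduplicated
    LineageReport("c2", "h_dropper", "h_payload"),
    LineageReport("c3", "h_dropper", "h_payload"),
    LineageReport("c4", "h_installer", "h_payload"),  # one benign creator
    LineageReport("c1", "h_installer", "h_updater"),
    LineageReport("c2", "h_installer", "h_updater"),
    LineageReport("c5", "h_payload", "h_stage2"),     # parent not yet known bad
]


def build_server():
    server = ReputationServer(known_malware={"h_dropper"})
    for report in SAMPLE_REPORTS:
        server.receive_report(report)
    return server


if __name__ == "__main__":
    s = build_server()
    for f in ("h_payload", "h_updater", "h_stage2"):
        print(f, round(s.reputation_score(f), 3), classify(s.reputation_score(f)))
    print("promoted:", s.promote())
    print("h_stage2 after promotion:", round(s.reputation_score("h_stage2"), 3))
```

With the sample data, `h_payload` is scored 0.543 (three of four distinct clients saw a known dropper create it) and `h_stage2` is scored 0.025 until `promote()` marks `h_payload` as malware, after which `h_stage2` rises to 0.525 on the strength of its lineage alone.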
19 Claims
1. (Set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 18, 19.
8. A non-transitory computer-readable storage medium storing executable computer program instructions for determining a reputation score for a file, comprising computer program instructions for:
receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware.
Dependent claims: 9, 10, 11, 12, 16.
13. A computer system for determining a reputation score for a file, the system comprising:
a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for:
receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware; and
a computer processor configured to execute the computer program instructions.
Dependent claims: 14, 15, 17.
Specification