Web site computer security using client hygiene scores

US 8,650,647 B1
Filed: 07/24/2012
Issued: 02/11/2014
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing computer security, comprising:

receiving, by one or more computer processors, from a plurality of clients, data describing client hygiene scores for the clients and describing a plurality of web sites visited by the clients, the client hygiene score for a client calculated responsive to an amount of malicious software detected at the client based on a scan of the client;

determining, by one or more computer processors, a secondary hygiene score for a web site of the plurality of web sites visited by the clients based at least in part on client hygiene scores of clients that visited the web site;

identifying, by one or more computer processors, a file hosted by the web site; and

calculating and storing, by one or more computer processors, a reputation score for the file responsive to the secondary hygiene score of the web site that hosts the file.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware. The security module provides the hygiene score and an identifier of a visited web site to a reputation server. The security module also provides identifiers of files encountered at specified web sites to the reputation server. The reputation server computes secondary hygiene scores for web sites based on the hygiene scores of the clients that visit the web sites. The reputation server further computes reputation scores for files based on the secondary hygiene scores of sites that host the files. The reputation server provides the reputation scores to the clients. A reputation score represents an assessment of whether the associated file is malicious.

76 Citations

View as Search Results

20 Claims

1. A computer-implemented method of providing computer security, comprising:
- receiving, by one or more computer processors, from a plurality of clients, data describing client hygiene scores for the clients and describing a plurality of web sites visited by the clients, the client hygiene score for a client calculated responsive to an amount of malicious software detected at the client based on a scan of the client;
  
  determining, by one or more computer processors, a secondary hygiene score for a web site of the plurality of web sites visited by the clients based at least in part on client hygiene scores of clients that visited the web site;
  
  identifying, by one or more computer processors, a file hosted by the web site; and
  
  calculating and storing, by one or more computer processors, a reputation score for the file responsive to the secondary hygiene score of the web site that hosts the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein the reputation score represents an assessment of whether the file is malicious.
  - 3. The computer-implemented method of claim 1, wherein determining the secondary hygiene score for the web site comprises:
    - determining, by one or more computer processors, whether the web site was predominantly visited by clients with good client hygiene scores; and
      
      responsive to determining that the web site was predominantly visited by clients with good client hygiene scores, assigning, by one or more computer processors, a secondary hygiene score indicating good hygiene to the web site.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, by one or more computer processors, data describing a domain hosting a plurality of web sites visited by the clients; and
      
      determining, by one or more computer processors, a secondary hygiene score for the domain hosting the plurality of web sites based on client hygiene scores of clients that visited the plurality of web sites hosted by the domain, the plurality of web sites hosted by the domain sharing the same secondary hygiene score as the domain.
  - 5. The computer-implemented method of claim 1, further comprising:
    - assigning, by one or more computer processors, a probationary hygiene score to a second web site of the plurality of web sites visited by the clients, the probationary hygiene score of the second web site indicating that the second web site has a poor hygiene; and
      
      responsive to a number of clients that visited the second web site exceeding a threshold, calculating, by one or more computer processors, a true hygiene score of the second web site based at least in part on the hygiene scores of the clients that visited the second web site.
  - 6. The computer-implemented method of claim 1, wherein identifying the file hosted by the web site comprises:
    - receiving, from a client by one or more computer processors, data identifying the web site and the file hosted by the web site.
  - 7. The computer-implemented method of claim 1, wherein the file is hosted by a plurality of web sites and wherein calculating a reputation score for the file responsive to the secondary hygiene score of the web site that hosts the file comprises:
    - determining, by one or more computer processors, whether the plurality of web sites that host the file have predominantly good or bad secondary hygiene; and
      
      determining, by one or more computer processors, the reputation score for the file responsive to the predominant secondary hygiene scores of the plurality of web sites that host the file, wherein the file receives a reputation score indicating that the file is potentially malicious responsive to the file being hosted by web sites having predominantly bad secondary hygiene.
  - 8. The computer-implemented method of claim 1, further comprising:
    - providing, by one or more computer processors, the reputation score for the file to a client that encounters the file.
  - 9. The computer-implemented method of claim 1, wherein the reputation score of the file reflects the secondary hygiene scores of a plurality of web sites that host the file.
  - 10. The computer-implemented method of claim 1, further comprising:
    - calculating, by one or more computer processors, the client hygiene score for the client based at least in part on a number of malware detections at the client relative to a number of files downloaded to the client.
  - 11. The computer-implemented method of claim 1, further comprising:
    - normalizing, by one or more computer processors, the client hygiene score for the client to within a range of numeric values.

12. A system for providing computer security, comprising:
- a non-transitory computer-readable storage medium storing executable computer program modules comprising;
  
  a hygiene cache module for receiving from a plurality of clients data describing client hygiene scores for the clients and describing a plurality of web sites visited by the clients, and for storing the client hygiene scores associated with the plurality of clients, the client hygiene score for a client calculated responsive to an amount of malicious software detected at the client based on a scan of the client;
  
  a hygiene computation module for calculating a secondary hygiene score for a web site of the plurality of web sites visited by the clients based at least in part on client hygiene scores of clients that visited the web site; and
  
  a reputation computation module for calculating and storing a reputation score for a file hosted by the web site responsive to the secondary hygiene score of the web site; and
  
  a processor and a memory for executing the computer program modules.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the reputation score represents an assessment of whether the file is malicious.
  - 14. The system of claim 12, wherein the hygiene computation module is further for:
    - determining whether the web site was predominantly visited by clients with good client hygiene scores; and
      
      responsive to determining that the web site was predominantly visited by clients with good client hygiene scores, assigning a secondary hygiene score indicating good hygiene to the web site.
  - 15. The system of claim 12, the hygiene cache module is further for:
    - receiving data describing a domain hosting a plurality of web sites visited by the clients; and
      
      the hygiene computation module is further for determining a secondary hygiene score for the domain hosting the plurality of web sites based on client hygiene scores of clients that visited the plurality of web sites hosted by the domain, the plurality of web sites hosted by the domain sharing the same secondary hygiene score as the domain.
  - 16. The system of claim 12, further comprising:
    - a client communication module for receiving from the client data identifying the web site and the file hosted by the web site.
  - 17. The system of claim 12, further comprising:
    - a client communication module for providing the reputation score for the file to a client that encounters the file.

18. A non-transitory computer-readable storage medium with executable computer program instructions embodied therein for providing security, the computer program instructions comprising:
- a hygiene cache module for receiving from a plurality of clients data describing client hygiene scores for the clients and describing a plurality of web sites visited by the clients, and for storing the client hygiene scores associated with the plurality of clients, the client hygiene score for a client calculated responsive to an amount of malicious software detected at the client based on a scan of the client;
  
  a hygiene computation module for calculating a secondary hygiene score for a web site of the plurality of web sites visited by the clients based at least in part on client hygiene scores of clients that visited the web site; and
  
  a reputation computation module for calculating and storing a reputation score for a file hosted by the web site responsive to the secondary hygiene score of the web site.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the reputation score represents an assessment of whether the file is malicious.
  - 20. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - a client communication module for receiving from a client data identifying the web site and a file hosted by the web site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Spertus, Michael P.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US13/556,401
Time in Patent Office

567 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/577 Assessing vulnerabilities a...

Web site computer security using client hygiene scores

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Web site computer security using client hygiene scores

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links