Communication-based reputation system

US 9,246,931 B1
Filed: 11/07/2014
Issued: 01/26/2016
Est. Priority Date: 03/19/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing security against a first entity that communicates with a host, the method comprising:

identifying reputation information indicating reputations of second entities that communicate with the host;

generating a host reputation score indicating a reputation of the host based on the reputation information indicating reputations of the second entities that communicate with the host;

generating, by a computer, an entity reputation score indicating a likelihood that the first entity that communicates with the host is malware based on the host reputation score indicating the reputation of the host, the first entity comprising a file or software application that communicates with the host when executing on a first client;

and transmitting the entity reputation score to the first client for malware remediation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.

102 Citations

19 Claims

1. A computer-implemented method of providing security against a first entity that communicates with a host, the method comprising:
- identifying reputation information indicating reputations of second entities that communicate with the host;
  
  generating a host reputation score indicating a reputation of the host based on the reputation information indicating reputations of the second entities that communicate with the host;
  
  generating, by a computer, an entity reputation score indicating a likelihood that the first entity that communicates with the host is malware based on the host reputation score indicating the reputation of the host, the first entity comprising a file or software application that communicates with the host when executing on a first client;
  
  and transmitting the entity reputation score to the first client for malware remediation.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the reputation information indicating reputations of the second entities comprises a plurality of hygiene scores associated with a plurality of second clients on which the second entities are identified, a hygiene score for a second client indicating a likelihood that the second client will be exposed to malware threats.
  - 3. The method of claim 1, wherein the reputation information indicating reputations of the second entities comprises reputation scores associated with the second entities and generating the host reputation score comprises:
    - combining the reputation scores associated with the second entities.
  - 4. The method of claim 1, wherein generating the host reputation score comprises:
    - applying a classifier to the reputation information indicating reputations of the second entities that communicate with the host.
  - 5. The method of claim 4, further comprising:
    - identifying a first training set of reputation information associated with a set of the second entities that communicate with hosts with known good reputations;
      
      identifying a second training set of reputation information associated with a set of the second entities that communicate with hosts with known bad reputations; and
      
      generating the classifier based on the first training set and the second training set.
  - 6. The method of claim 1, further comprising:
    - receiving, from the first client, information identifying the first entity and the host that the first entity communicates with.
  - 7. The method of claim 1, wherein the first entity comprises a file or software application that initiates communication with the host when the first entity is executed on the client.

8. A non-transitory computer-readable storage medium encoded with executable computer program code for computer security, the program code comprising program code for:
- identifying, at a first client, a communication between a first entity and a host that the first entity communicates with, the first entity comprising a file or software application that communicates with the host when executing on a first client;
  
  transmitting, to at least one server, information identifying the entity and the host;
  
  receiving, from the at least one server, an entity reputation score indicating a likelihood that the entity is malware, the entity reputation score determined by;
  
  identifying reputation information indicating reputations of second entities that communicate with the host;
  
  generating a host reputation score indicating a reputation of the host based on the reputation information indicating reputations of the second entities that communicate with the host; and
  
  generating the entity reputation score indicating the likelihood that the first entity is malware based on the host reputation score indicating the reputation of the host; and
  
  remediating the first client responsive to determining that the entity reputation score indicates that the first entity has a high likelihood of containing malware.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The non-transitory computer-readable storage medium of claim 8, further comprising program code for:
    - generating a hygiene score associated with the first client, wherein the hygiene score indicates a likelihood that the first client will be exposed to malware threats; and
      
      transmitting, to the at least one server, the hygiene score associated with the first client.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the reputation information indicating reputations of the set of second entities that communicate with the host comprises hygiene scores associated with a plurality of second clients on which the second entities are identified, a hygiene score for a second client indicating a likelihood that the second client will be exposed to malware threats.
  - 11. The non-transitory computer-readable storage medium of claim 8, further comprising program code for:
    - monitoring network traffic associated with the first entity.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the first entity comprises a file or software application that initiates the communication with the host when the first entity is executed on the client.

13. A computer system for providing security against a first entity that communicates with a host, the computer system comprising:
- a hardware processor; and
  
  a memory storing instructions that are executable by the hardware processor to;
  
  identify reputation information indicating reputations of second entities that communicate with the host;
  
  generate a host reputation score indicating a reputation of the host based on the reputation information indicating reputations of the second entities that communicate with the host;
  
  generate an entity reputation score indicating a likelihood that the first entity that communicates with the host is malware based on the host reputation score indicating the reputation of the host, the first entity comprising a file or software application that communicates with the host when executing on a first client; and
  
  transmit the entity reputation score to the first client for malware remediation.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the reputation information indicating reputations of the second entities comprises a plurality of hygiene scores associated with a plurality of second clients on which the second entities are identified, a hygiene score for a second client indicating a likelihood that the second client will be exposed to malware threats.
  - 15. The system of claim 13, wherein the reputation information indicating reputations of the second entities comprises reputation scores associated with the second entities and generating the host reputation score comprises:
    - combining the reputation scores associated with the second entities.
  - 16. The system of claim 13, the instructions further comprising instructions for:
    - applying a classifier to the reputation information indicating reputations of the second entities that communicate with the host.
  - 17. The system of claim 16, the instructions further comprising instructions for:
    - identifying a first training set of reputation information associated with a set of the second entities that communicate with hosts with known good reputations;
      
      identifying a second training set of reputation information associated with a set of the second entities that communicate with hosts with known bad reputations; and
      
      generating the classifier based on the first training set and the second training set.
  - 18. The system of claim 13, the instructions further comprising instructions for:
    - receiving, from the first client, information identifying the first entity and the host that the first entity communicates with.
  - 19. The system of claim 13, wherein the first entity comprises a file or software application that initiates communication with the host when the first entity is executed on the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Satish, Sourabh
Primary Examiner(s)
Wang, Harris C

Application Number

US14/535,733
Time in Patent Office

445 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 67/535   Tracking the activity of th...

Communication-based reputation system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Communication-based reputation system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others