Hygiene based computer security

US 9,262,638 B2
Filed: 11/01/2012
Issued: 02/16/2016
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for computer security comprising:

determining client hygiene scores associated with a plurality of clients that represent assessments of abilities of the clients in avoiding malware threats, the client hygiene scores based on amounts of malware detected at the clients;

receiving data describing one of a computer file that is downloaded, installed, or executed by one or more clients of the plurality of clients or a website that is visited by the one or more clients of the plurality of clients;

calculating, by a processor, a reputation score for the computer file or website responsive to the client hygiene scores of the one or more clients of the plurality of clients that downloaded, installed, or executed the computer file or visited the website, the client hygiene scores of the one or more clients used as an input in calculating the reputation score, the reputation score representing an assessment of whether the computer file or website is malicious; and

providing the reputation score for the computer file or website to a client of the plurality of clients for providing computer security at the client.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients'"'"' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

104 Citations

16 Claims

1. A method for computer security comprising:
- determining client hygiene scores associated with a plurality of clients that represent assessments of abilities of the clients in avoiding malware threats, the client hygiene scores based on amounts of malware detected at the clients;
  
  receiving data describing one of a computer file that is downloaded, installed, or executed by one or more clients of the plurality of clients or a website that is visited by the one or more clients of the plurality of clients;
  
  calculating, by a processor, a reputation score for the computer file or website responsive to the client hygiene scores of the one or more clients of the plurality of clients that downloaded, installed, or executed the computer file or visited the website, the client hygiene scores of the one or more clients used as an input in calculating the reputation score, the reputation score representing an assessment of whether the computer file or website is malicious; and
  
  providing the reputation score for the computer file or website to a client of the plurality of clients for providing computer security at the client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the client hygiene scores associated with the plurality of clients that represent assessments of the abilities of the clients in avoiding malware threats are based on amounts of malware detected at the clients using signature scanning techniques.
  - 3. The method of claim 1, wherein the client hygiene scores are based on frequencies of malware detected at the clients.
  - 4. The method of claim 1, wherein calculating the reputation score for the computer file or website comprises:
    - identifying a set of super clients from the one or more clients that have downloaded, installed, or executed the computer file or visited the website, the set of super clients having client hygiene scores indicating an ability to avoid malware threats; and
      
      calculating the reputation score for the computer file or website responsive to the set of super clients having client hygiene scores indicating the ability to avoid malware threats.
  - 5. The method of claim 4, wherein calculating the reputation score for the computer file or website responsive to the set of super clients having client hygiene scores indicating an ability to avoid malware threats comprises:
    - receiving information from the super clients describing operations the super clients performed in response to evaluating the reputation score of the computer file or website; and
      
      calculating the reputation score based on the operations the super clients performed in response to evaluating the reputation score of the computer file or website.

6. A system, comprising:
- a non-transitory computer readable medium with computer program instructions embodied thereon, the computer program instructions comprising instructions to;
  
  determine client hygiene scores associated with a plurality of clients that represent assessments of abilities of the clients in avoiding malware threats, the client hygiene scores based on amounts of malware detected at the clients;
  
  receive data describing one of a computer file that is downloaded, installed, or executed by one or more clients of the plurality of clients or a website that is visited by the one or more clients of the plurality of clients;
  
  calculate a reputation score for the computer file or website responsive to the client hygiene scores of the one or more clients of the plurality of clients that downloaded, installed, or executed the computer file or visited the website, the client hygiene scores of the one or more clients used as an input in calculating the reputation score, the reputation score representing an assessment of whether the computer file or website is malicious; and
  
  provide the reputation score for the computer file or website to a client of the plurality of clients for providing computer security at the client; and
  
  a hardware processor for executing the computer program instructions.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the client hygiene scores associated with the plurality of clients that represent assessments of the abilities of the clients in avoiding malware threats are based on amounts of malware detected at the clients using signature scanning techniques.
  - 8. The system of claim 6, wherein the client hygiene scores are based on frequencies of malware detected at the clients.
  - 9. The system of claim 6, wherein the instructions to calculate the reputation score for the computer file or website comprise instructions to:
    - identify a set of super clients from the one or more clients that have downloaded, installed, or executed the computer file or visited the website, the set of super clients having client hygiene scores indicating an ability to avoid malware threats; and
      
      calculate the reputation score for the computer file or website responsive to the set of super clients having client hygiene scores indicating the ability to avoid malware threats.
  - 10. The system of claim 9, wherein the instructions to calculate the reputation score for the computer file or website responsive to the set of super clients having client hygiene scores indicating an ability to avoid malware threats comprise instructions to:
    - receive information from the super clients describing operations the super clients performed in response to evaluating the reputation score of the computer file or website; and
      
      calculate the reputation score based on the operations the super clients performed in response to evaluating the reputation score of the computer file or website.

11. A non-transitory computer-readable medium with computer program instructions embodied therein, the computer program instructions comprising instructions that when executed by a processor causes the processor to:
- monitor a state of a client to detect one of a computer file that is downloaded, installed, or executed by the client or a website that is visited by the client;
  
  receive a reputation score for the computer file or website from a reputation server, the reputation score representing an assessment of whether the computer file or website is malicious and calculated responsive to client hygiene scores of other clients that downloaded, installed, or executed the computer file or visited the website by using the client hygiene scores as an input in calculating the reputation score, the client hygiene scores representing assessments of abilities of the other clients in avoiding malware threats, the client hygiene scores based on amounts of malware detected at the other clients;
  
  evaluate the reputation score for the computer file or website to determine whether the computer file or website is malicious; and
  
  cancel an activity involving the computer file or website responsive to the computer file or website being malicious.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer-readable medium of claim 11, wherein the instructions further comprise instructions to:
    - calculate a client hygiene score for the client that represents an assessment of an ability of the client in avoiding malware threats; and
      
      provide the client hygiene score for the client to the reputation server.
  - 13. The non-transitory computer-readable medium of claim 12, wherein the instructions to calculate the client hygiene score for the client comprise instructions to:
    - determine a frequency at which malware is detected on the client; and
      
      calculate the client hygiene score responsive to the frequency at which malware is detected on the client, wherein more frequent detections of malware result in the client hygiene score indicating that the client has less ability to avoid malware threats.
  - 14. The non-transitory computer-readable medium of claim 11, wherein the instructions further comprise instructions to:
    - determine an operation performed on the client in response to evaluating the reputation score of the computer file or website; and
      
      provide, to the reputation server, the data describing the operation performed on the client in response to evaluating the reputation score of the computer file or website.
  - 15. The non-transitory computer-readable medium of claim 11, wherein the instructions further comprise instructions to:
    - identify the computer file that is downloaded, installed, or executed by the client or the website that is visited by the client using a unique identifier; and
      
      provide the unique identifier to the reputation server,wherein the reputation score for the computer file or website is received from the reputation server responsive to providing the server with the unique identifier.
  - 16. The non-transitory computer-readable medium of claim 11, wherein the instructions further comprise instructions to:
    - suspend the activity involving the computer file or website;
      
      display a message describing the reputation score for the computer file or website to a user of the client; and
      
      display a user interface to the user enabling the user to cancel the activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Griffin, Kent E.
Primary Examiner(s)
Holder, Bradley

Application Number

US13/666,788
Publication Number

US 20130086690A1
Time in Patent Office

1,202 Days
Field of Search

726 22- 25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/50 Monitoring users, programs ...

G06F 21/577 Assessing vulnerabilities a...

Hygiene based computer security

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Hygiene based computer security

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links