System and method for malware and network reputation correlation
First Claim

1. At least one non-transitory tangible medium comprising logic encoded therein, and when executed by one or more processors the logic causes the one or more processors to:

receive a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end;

identify the first file as malicious based on determining the first network address is associated with a malicious reputation;

receive a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and

identify the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.

Dependent claims: 2-13
Abstract
A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.
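The correlation the abstract describes, written out as an added Python example (this is not code from the patent or its assignee): a threat-analysis host keeps one reputation table keyed by file hash and one keyed by remote network address, answers each (address, hash) query, and lets a malicious verdict on either side taint the other. That is the two-step inference of claim 1 (a bad remote marks the file, and the now-bad file marks the next, different remote it reaches for), plus a simple query-pattern basis for the verdict. The `ip:port` key format, the fan-out threshold used as the query-pattern heuristic, and every address and hash below are assumptions or constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Reputation(Enum):
    UNKNOWN = "unknown"
    MALICIOUS = "malicious"


@dataclass
class Verdict:
    block: bool   # True -> the endhost should block the connection
    reason: str


@dataclass
class ReputationCorrelator:
    """Threat-analysis host that answers (address, hash) reputation queries and
    propagates a malicious verdict in both directions, as the abstract describes."""
    file_rep: dict = field(default_factory=dict)   # file hash -> Reputation
    addr_rep: dict = field(default_factory=dict)   # "ip:port" (assumed key format) -> Reputation
    # query-pattern state: the set of remote addresses each hash has tried to reach
    fanout: dict = field(default_factory=lambda: defaultdict(set))
    # assumption: a file contacting this many distinct remotes is treated as malicious
    fanout_threshold: int = 5

    def seed_malicious_address(self, addr: str) -> None:
        self.addr_rep[addr] = Reputation.MALICIOUS

    def seed_malicious_hash(self, file_hash: str) -> None:
        self.file_rep[file_hash] = Reputation.MALICIOUS

    def query(self, endhost: str, addr: str, file_hash: str) -> Verdict:
        """One reputation query from an endhost about a file opening a connection."""
        self.fanout[file_hash].add(addr)
        addr_bad = self.addr_rep.get(addr) is Reputation.MALICIOUS
        hash_bad = self.file_rep.get(file_hash) is Reputation.MALICIOUS

        if addr_bad and hash_bad:
            return Verdict(True, f"{endhost}: file and remote {addr} both known malicious")
        if addr_bad:
            # First direction: a bad remote taints the file that contacted it.
            self.file_rep[file_hash] = Reputation.MALICIOUS
            return Verdict(True, f"{endhost}: file {file_hash[:8]} inferred malicious from remote {addr}")
        if hash_bad:
            # Second direction: a known-bad file taints a new remote it reaches for.
            self.addr_rep[addr] = Reputation.MALICIOUS
            return Verdict(True, f"{endhost}: remote {addr} inferred malicious from file {file_hash[:8]}")
        if len(self.fanout[file_hash]) >= self.fanout_threshold:
            # Query-pattern basis: the same file fanning out to many distinct remotes.
            self.file_rep[file_hash] = Reputation.MALICIOUS
            return Verdict(True, f"{endhost}: file {file_hash[:8]} contacted "
                                 f"{len(self.fanout[file_hash])} distinct remotes")
        return Verdict(False, f"{endhost}: no adverse reputation for {addr} or {file_hash[:8]}")


def run_demo() -> list:
    """Constructed query sequence (RFC 5737 test addresses, dummy hex hashes)."""
    c = ReputationCorrelator()
    c.seed_malicious_address("203.0.113.7:443")            # known-bad remote (constructed)
    dropper = "aa" * 32                                     # dummy SHA-256 hex digest
    return [
        c.query("host-a", "203.0.113.7:443", dropper),      # file inferred malicious
        c.query("host-b", "198.51.100.9:8080", dropper),    # different remote inferred malicious
        c.query("host-c", "198.51.100.9:8080", "bb" * 32),  # second file tainted by that remote
        c.query("host-d", "192.0.2.1:80", "cc" * 32),       # nothing known on either side: allowed
    ]


if __name__ == "__main__":
    for v in run_demo():
        print("BLOCK" if v.block else "ALLOW", "-", v.reason)
```

The reputation tables are deliberately separate: the file table is what a host-side agent can act on before a connection is made, while the address table feeds inbound as well as outbound decisions, and the cross-tainting step is what turns a single known-bad remote into coverage of every file and every other remote that later cluster around it.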
204 Citations
23 Claims
14. An apparatus, the apparatus comprising:

at least one processor; and

an analyzer module coupled to the at least one processor, the analyzer module to: receive a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end; identify the first file as malicious based on determining the first network address is associated with a malicious reputation; receive a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and identify the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.

Dependent claims: 15-21
22. A method for navigational route selection, the method comprising:

receiving a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end; identifying the first file as malicious based on determining the first network address is associated with a malicious reputation; receiving a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and identifying the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.

Dependent claim: 23
Specification