Detecting compromised computers by correlating reputation data with web access logs
US7882542B2 · kind B2 · utility
Assignee
Inventors
Key dates

| Date | Value |
| --- | --- |
| Filing date | Jun 30, 2007 |
| Grant date | Feb 1, 2011 |
| Priority date | — |
| Expiry date | Oct 16, 2029 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/308
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
Compromised host computers in an enterprise network environment comprising a plurality of security products, called endpoints, are detected in an automated manner. A reputation service provides updates identifying resources, including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”), whose reputations have changed and which now represent potential threats or adversaries to the enterprise network. In response to these updates, a malware analyzer, which can be configured as a standalone endpoint, incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service itself, analyzes logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway). It identifies, retroactively over a predetermined time window, those client computers in the environment that had any past communication with a resource newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised.
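The retroactive correlation the abstract describes, as an added illustration that is not the patent's own code or any vendor's implementation: a constructed reputation update feed is applied to a constructed proxy access log, and every client that talked to a newly-malicious URI or IP address inside the look-back window is reported. The log format (timestamp, client IP, method, URL, destination IP, status), the feed fields and the seven-day window are all assumptions made for the example.

```python
"""Retroactive correlation of reputation updates with proxy access logs.

Added illustration, not code from the patent. Log format, feed format and
window length are assumptions chosen for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    client: str     # internal client that made the request
    url: str        # requested URL as logged by the proxy
    dest_ip: str    # address the proxy connected to


@dataclass(frozen=True)
class ReputationUpdate:
    resource: str       # a URI (with scheme) or a bare IP address / hostname
    verdict: str        # "malicious" or "benign"
    changed_at: datetime


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_proxy_log(text: str) -> list:
    """Parse the constructed 'ts client method url dest_ip status' format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, _method, url, dest_ip, _status = line.split()
        records.append(AccessRecord(parse_ts(ts), client, url, dest_ip))
    return records


def touches(update: ReputationUpdate, rec: AccessRecord) -> bool:
    """True when the access record communicated with the updated resource."""
    res = update.resource
    if "://" not in res:
        # Bare IP or hostname: match either the logged destination address
        # or the host part of the requested URL.
        host = urlsplit(rec.url).hostname or ""
        return rec.dest_ip == res or host == res
    # Full URI: treat everything under that URI path as the same resource.
    return rec.url == res or rec.url.startswith(res.rstrip("/") + "/")


def find_compromised(updates, records, window: timedelta) -> dict:
    """Map each client to the newly-malicious resources it reached within
    `window` before the reputation change. Benign updates are ignored."""
    hits = {}
    for upd in updates:
        if upd.verdict != "malicious":
            continue
        earliest = upd.changed_at - window
        for rec in records:
            if earliest <= rec.when <= upd.changed_at and touches(upd, rec):
                hits.setdefault(rec.client, set()).add(upd.resource)
    return {client: sorted(res) for client, res in sorted(hits.items())}


# Constructed reputation feed: two resources newly flagged, one cleared.
UPDATES = [
    ReputationUpdate("http://updates.example-bad.test/payload", "malicious", parse_ts("2007-06-30T09:00:00Z")),
    ReputationUpdate("203.0.113.7", "malicious", parse_ts("2007-06-30T09:00:00Z")),
    ReputationUpdate("http://cdn.example-good.test/", "benign", parse_ts("2007-06-30T09:00:00Z")),
]

# Constructed proxy log lines (documentation-range addresses only).
PROXY_LOG = """
# ts client method url dest_ip status
2007-06-29T14:03:11Z 10.0.0.12 GET http://updates.example-bad.test/payload/stage2.exe 198.51.100.20 200
2007-06-29T15:10:00Z 10.0.0.33 GET http://cdn.example-good.test/lib.js 198.51.100.9 200
2007-06-30T08:59:59Z 10.0.0.45 POST http://beacon.example.test/c2 203.0.113.7 200
2007-06-15T10:00:00Z 10.0.0.50 GET http://updates.example-bad.test/payload/x 198.51.100.20 200
2007-06-29T16:00:00Z 10.0.0.12 GET http://updates.example-bad.test/other 198.51.100.20 404
"""

LOOKBACK = timedelta(days=7)


def run() -> dict:
    return find_compromised(UPDATES, parse_proxy_log(PROXY_LOG), LOOKBACK)


if __name__ == "__main__":
    for client, resources in run().items():
        print(f"{client}: {', '.join(resources)}")
```

The look-back window matters in both directions: 10.0.0.50 reached the flagged URI but fifteen days before the reputation change, so it falls outside the seven-day window and is not reported, while 10.0.0.45 is reported purely on the destination IP even though the URL it requested was never flagged. In practice the window should be chosen from log retention and the reputation feed's typical detection lag, and hits are leads for triage rather than confirmed infections.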
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.