Hierarchical statistical model of internet reputation

Reputation scoring over a hierarchy of identifier components, applied in the field of computer security, addresses a grave weakness of current approaches that rely on black- and white-lists of known identifiers: they are unable to assign a reputation score to an entity that is not already known.

Active Publication Date: 2011-03-03
SOPHOS

AI Technical Summary

Benefits of technology

[0005] In embodiments, the present invention may provide for a hierarchical modeling processing facility to build a hierarchical reputation model of Internet entities that allows for the automated clustering of “neighborhoods” of related systems, and thus the reputation assessment even of brand new hosts within a neighborhood. The reputation of such a neighborhood, with an accompanying confidence level, may be derived statistically from measurements of observed behavior of the systems within it. This may in turn be used to produce an action to provide additional security to users.

Problems solved by technology

Most current approaches relying on black- and white-lists of known identifiers suffer from a grave weakness: they are unable to assign a reputation score to an entity not already encountered—such as the many thousands of new bots that are brought online daily.


Embodiment Construction

[0017] FIG. 1 depicts a block diagram of a threat management facility providing protection to an enterprise against a plurality of threats. An aspect of the present invention relates to corporate policy management and implementation through a unified threat management facility 100. As will be explained in more detail below, a threat management facility 100 may be used to protect computer assets from many threats, both computer-generated threats and user-generated threats. The threat management facility 100 may be multi-dimensional in that it may be designed to protect corporate assets from a variety of threats and it may be adapted to learn about threats in one dimension (e.g. worm detection) and apply the knowledge in another dimension (e.g. spam detection). Policy management is one of the dimensions for which the threat management facility can provide a control capability. A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of e...


Abstract

In embodiments of the present invention improved capabilities are described for predicting the reputation of a communication identifier, such as a web address, a domain name, an IP address, host name, email address, IM address, telephone number, VoIP telephony address, and the like. In embodiments, the present invention may receive a communication from a first communication identifier, parse the first communication identifier into its components, and assign the components to a hierarchical tree structure, where the hierarchical tree structure maintains the hierarchical relationship between the components of the communication identifier. The present invention may monitor and keep count of a number of communications from the first communication identifier, wherein the number of communications may be kept for both malicious and/or unwanted communications and non-malicious and/or unwanted communications. Attributes may then be provided to the number of communications for each appropriate component of the hierarchical tree, and a statistical measure may be calculated as related to the number of communications for each component of the hierarchical tree. The present invention may then receive a communication from a second communication identifier, where the second communication identifier may be previously unknown and have a common component with the hierarchical tree. The statistical measure of the common component may then be assigned to the second communication identifier, and utilizing the statistical measure assigned to the second communication identifier, may provide a prediction of reputation of the second communication identifier.
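The flow in the abstract, sketched as an added example (not code from the patent or from Sophos): identifiers are split into components, counts are attributed to every component on the path, and a previously unseen identifier inherits the statistic of its deepest common component. The component scheme (reversed DNS labels, IPv4 octets), the Wilson interval as the "statistical measure", and all sample observations are assumptions made for illustration.

```python
import ipaddress
import math

def components(identifier):
    """Split an identifier into components, most general first (assumed scheme)."""
    try:
        ip = ipaddress.IPv4Address(identifier)
        return ["ip"] + str(ip).split(".")              # 198.51.100.7 -> ip,198,51,100,7
    except ValueError:
        return ["dns"] + identifier.lower().rstrip(".").split(".")[::-1]

class ReputationTree:
    def __init__(self):
        self.counts = {}   # component path -> [malicious, non_malicious]

    def observe(self, identifier, malicious):
        parts = components(identifier)
        # Attribute the communication to every component on the path.
        for depth in range(1, len(parts) + 1):
            node = self.counts.setdefault(tuple(parts[:depth]), [0, 0])
            node[0 if malicious else 1] += 1

    @staticmethod
    def wilson(bad, good, z=1.96):
        """95% Wilson interval for the malicious fraction (assumed statistic)."""
        n = bad + good
        p = bad / n
        denom = 1 + z * z / n
        centre = (p + z * z / (2 * n)) / denom
        half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
        return max(0.0, centre - half), min(1.0, centre + half)

    def predict(self, identifier):
        """Return (common_path, low, high) for the deepest known component, or None."""
        parts = components(identifier)
        for depth in range(len(parts), 1, -1):          # never fall back to bare root
            node = self.counts.get(tuple(parts[:depth]))
            if node:
                return (tuple(parts[:depth]),) + self.wilson(*node)
        return None

def build_demo_tree():
    tree = ReputationTree()                             # all observations constructed
    for i in range(43):                                 # 40 malicious, 3 clean in one /24
        tree.observe(f"198.51.100.{i}", malicious=i < 40)
    for i in range(30):
        tree.observe(f"mx{i}.example.org", malicious=False)
    tree.observe("solo.example.net", malicious=True)
    return tree
```

The interval width carries the confidence level: a neighborhood with 43 observations yields a tight bound, while one with a single observation yields a bound too wide to act on.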

Description

BACKGROUND

[0001] 1. Field

[0002] The present invention is related to computer security, and more specifically to reputation of Internet entities.

[0003] 1. Description of the Related Art

[0004] Assessing the reputation (“trustworthiness”) of Internet entities via identifiers such as IP addresses and hostnames is a fundamental network security task. Most current approaches relying on black- and white-lists of known identifiers suffer from a grave weakness: they are unable to assign a reputation score to an entity not already encountered—such as the many thousands of new bots that are brought online daily. Therefore there exists a need for improved reputation assessment, where a reputation score may be assigned to new entities as they are encountered for the first time.

SUMMARY

[0005] In embodiments, the present invention may provide for a hierarchical modeling processing facility to build a hierarchical reputation model of Internet entities that allows for the automated clustering of “neighbor...


Application Information

Patent Type & Authority: Applications (United States)
IPC: IPC(8): G06F17/30
CPC: G06Q10/107, H04L63/105, H04L51/12, H04L12/585, H04L51/212
Inventor THOMAS, ROSS G.
Owner SOPHOS