CN101730892A - Web reputation scoring - Google Patents



Publication number
CN101730892A
CN101730892A CN200880009672A CN200880009672A CN101730892A CN 101730892 A CN101730892 A CN 101730892A CN 200880009672 A CN200880009672 A CN 200880009672A CN 200880009672 A CN200880009672 A CN 200880009672A CN 101730892 A CN101730892 A CN 101730892A
Authority
CN
China
Prior art keywords
reputation
associated
engine
entity
communication
Prior art date
Application number
CN200880009672A
Other languages
Chinese (zh)
Inventor
A·J·N·特里维迪
A·M·埃尔南德斯
D·阿尔佩罗维奇
J·A·齐齐亚斯基
L·L·维利斯
M·施特赫尔
P·A·施内克
P·朱格
P·格里夫
S·克拉泽
T·富特-伦诺瓦
T·朗格
W·杨
Y·唐
Original Assignee
迈可菲公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US11/626,620 priority Critical patent/US7779156B2/en
Priority to US11/626,470 priority patent/US8561167B2/en
Priority to US11/626,644 priority
Priority to US11/626,644 priority patent/US8179798B2/en
Priority to US11/626,479 priority patent/US7937480B2/en
Priority to US11/626,620 priority
Priority to US11/626,470 priority
Priority to US11/626,479 priority
Application filed by 迈可菲公司 filed Critical 迈可菲公司
Priority to PCT/US2008/051865 priority patent/WO2008091980A1/en
Publication of CN101730892A publication Critical patent/CN101730892A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation, e.g. computer aided management of electronic mail or groupware; Time management, e.g. calendars, reminders, meetings or time accounting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management, e.g. organising, planning, scheduling or allocating time, human or machine resources; Enterprise planning; Organisational models

Abstract

Methods and systems for operation upon one or more data processors for assigning reputation to web-based entities based upon previously collected data.

Description

Web reputation scoring

Technical Field

[0001] This document relates generally to systems and methods for processing communications, and more particularly to systems and methods for classifying entities associated with communications.

[0002] Background

[0003] In the anti-spam industry, spammers use various creative means to evade detection by spam filters. As such, the entity from which a communication originated can provide another indication of whether a given communication should be allowed into an enterprise network environment.

[0004] However, current tools for analyzing message senders include Internet Protocol (IP) blacklists (sometimes called real-time blacklists (RBLs)) and IP whitelists (real-time whitelists (RWLs)). Whitelists and blacklists certainly add value to the spam classification process; however, whitelists and blacklists are inherently limited to providing a binary-type (YES/NO) response to each query. Moreover, blacklists and whitelists treat entities independently, and overlook the evidence provided by the various attributes associated with the entities.

[0005] Summary

[0006] Systems and methods for web reputation scoring are provided. A system for assigning reputation to web-based entities can include a communications interface, a communication analyzer, a reputation engine and a decision engine. The communications interface can receive a web communication, and the communication analyzer can analyze the web communication to determine an entity associated with the web communication. The reputation engine can provide a reputation associated with the entity based upon previously collected data associated with the entity, and the decision engine can determine whether the web communication is to be delivered to a recipient based upon the reputation.

[0007] Methods of assigning reputation to web-based entities can include: receiving a hypertext transfer protocol communication at an edge protection device; identifying an entity associated with the received hypertext transfer protocol communication; querying a reputation engine for a reputation indicator associated with the entity; receiving the reputation indicator from the reputation engine; and taking an action with respect to the hypertext transfer protocol communication based upon the received reputation indicator associated with the entity.

[0008] Examples of computer readable media operating on a processor to aggregate local reputation data to produce a global reputation vector can perform the steps of: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.

[0009] Other example systems can include a communications interface and a reputation engine. The communications interface can receive global reputation information from a central server, the global reputation being associated with an entity. The reputation engine can bias the global reputation received from the central server based upon defined local preferences.

[0010] Another example system can include a communications interface, a reputation module and a traffic control module. The communications interface can receive distributed reputation information from distributed reputation engines. The reputation module can aggregate the distributed reputation information and derive a global reputation based upon the aggregation of the distributed reputation information; the reputation module can also derive local reputation information based upon communications received by the reputation module. The traffic control module can determine handling associated with communications based upon the global reputation and the local reputation.

[0011] Systems and methods for aggregating reputation information are provided. A system for aggregating reputation information can include a centralized reputation engine and an aggregation engine. The centralized reputation engine can receive feedback from a plurality of local reputation engines. The aggregation engine can derive a global reputation for a queried entity based upon an aggregation of the plurality of local reputations. The centralized reputation engine can further provide the global reputation of the queried entity to a local reputation engine responsive to receiving a reputation query from the local reputation engine.

[0012] Methods of aggregating reputation information can include: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.

[0013] Examples of computer readable media operating on a processor to aggregate local reputation data to produce a global reputation vector can perform the steps of: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.

[0014] Other example reputation aggregation systems can include a communications interface and a reputation engine. The communications interface can receive global reputation information from a central server, the global reputation being associated with an entity. The reputation engine can bias the global reputation received from the central server based upon defined local preferences.
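The query, retrieve, aggregate and respond steps, together with the local biasing of the global result, can be sketched as follows. This is an added example, not code from the patent: the score and confidence scales, the confidence-weighted mean, the `global_weight` preference and all class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalReputation:
    engine_id: str
    score: float       # assumed scale: -1.0 (non-reputable) .. +1.0 (reputable)
    confidence: float  # assumed scale: 0.0 (no evidence) .. 1.0 (strong evidence)


def _clamp(value, low, high):
    return max(low, min(high, value))


def _sanitize(rep):
    # Never trust a reporter to stay inside the agreed ranges.
    return LocalReputation(rep.engine_id,
                           _clamp(rep.score, -1.0, 1.0),
                           _clamp(rep.confidence, 0.0, 1.0))


class CentralReputationEngine:
    """Receives feedback from local engines and answers reputation queries."""

    def __init__(self):
        self._feedback = {}  # entity -> {engine_id: LocalReputation}

    def receive_feedback(self, entity, rep):
        # One slot per engine: repeating or inflating feedback cannot
        # give a single engine more than one vote.
        self._feedback.setdefault(entity, {})[rep.engine_id] = _sanitize(rep)

    def query(self, entity):
        """Return (global score, global confidence) for the queried entity."""
        reports = list(self._feedback.get(entity, {}).values())  # retrieve
        weight = sum(r.confidence for r in reports)
        if weight == 0:
            return 0.0, 0.0  # unknown entity: neutral score, no confidence
        # Aggregate (assumed method): confidence-weighted mean of local scores.
        score = sum(r.score * r.confidence for r in reports) / weight
        return round(score, 4), round(weight / len(reports), 4)


class LocalReputationEngine:
    """Holds local observations and biases the global answer toward them."""

    def __init__(self, engine_id, central, global_weight):
        self.engine_id = engine_id
        self.central = central
        # Local preference (assumed form): share of the answer taken
        # from the global reputation, the rest from local observation.
        self.global_weight = _clamp(global_weight, 0.0, 1.0)
        self._local = {}

    def observe(self, entity, score, confidence):
        rep = _sanitize(LocalReputation(self.engine_id, score, confidence))
        self._local[entity] = rep
        self.central.receive_feedback(entity, rep)

    def reputation(self, entity):
        global_score, _ = self.central.query(entity)
        local = self._local.get(entity)
        if local is None:
            return global_score  # nothing local to bias with
        w = self.global_weight
        return w * global_score + (1.0 - w) * local.score


def demo():
    central = CentralReputationEngine()
    a = LocalReputationEngine("agent-a", central, global_weight=0.9)
    b = LocalReputationEngine("agent-b", central, global_weight=0.5)
    c = LocalReputationEngine("agent-c", central, global_weight=0.25)
    d = LocalReputationEngine("agent-d", central, global_weight=0.5)
    entity = "203.0.113.7"  # constructed sample (documentation address range)
    a.observe(entity, -1.0, 1.0)
    b.observe(entity, -0.5, 0.5)
    c.observe(entity, 0.5, 0.5)
    # agent-c mostly trusts its own good experience; agent-d has none.
    return central.query(entity), c.reputation(entity), d.reputation(entity)


if __name__ == "__main__":
    print(demo())
```

Agent-c ends up with a mildly positive view of an entity the rest of the network rates negatively, which is the effect of biasing toward local preference.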

[0015] Further example systems can include a communications interface, a reputation module and a traffic control module. The communications interface can receive distributed reputation information from distributed reputation engines. The reputation module can aggregate the distributed reputation information and derive a global reputation based upon the aggregation of the distributed reputation information; the reputation module can also derive local reputation information based upon communications received by the reputation module. The traffic control module can determine handling associated with communications based upon the global reputation and the local reputation.

[0016] Systems and methods for a reputation based network security system are provided. A reputation based network security system can include a communications interface, a communication analyzer, a reputation engine and a security engine. The communications interface can receive incoming and outgoing communications associated with a network. The communication analyzer can derive an external entity associated with a communication. The reputation engine can derive a reputation vector associated with the external entity. The security engine can receive the reputation vector and send the communication to interrogation engines, wherein the security engine determines which of the interrogation engines interrogate the communication based upon the reputation vector.

[0017] Other reputation based network security systems can include a communications interface, a communication analyzer, a reputation engine and a security engine. The communications interface can receive incoming and outgoing communications associated with a network. The communication analyzer can derive an external entity associated with a communication. The reputation engine can derive a reputation associated with the external entity. The security engine assigns priority information to a communication, wherein the security engine can assign a high priority to communications where the external entity is a reputable entity, and can assign a low priority to communications where the external entity is a non-reputable entity, whereby the priority information is used by one or more interrogation engines to improve quality of service for reputable entities.

[0018] Methods of efficiently processing communications based on the reputation of security threats can include: receiving a communication associated with an external entity based upon origination or destination information associated with the communication; identifying the external entity associated with the received communication; deriving a reputation associated with the external entity based upon reputable and non-reputable criteria associated with the external entity; assigning a priority to the communication based upon the derived reputation associated with the external entity; and executing one or more tests on the communication based upon the priority assigned to the communication.

[0019] Methods of efficiently processing communications based on reputation can include: receiving a communication associated with an external entity based upon origination or destination information associated with the communication; identifying the external entity associated with the received hypertext transfer protocol communication; deriving a reputation associated with the external entity based upon reputable and non-reputable criteria associated with the external entity; assigning the communication to one or more interrogation engines selected from among a plurality of interrogation engines, the selection of the one or more interrogation engines being based upon the derived reputation associated with the external entity and the capacity of the interrogation engines; and executing the one or more interrogation engines on the communication.

[0020] Systems and methods for reputation based connection throttling are provided. A system for reputation based connection throttling can include a communications interface, a reputation engine and a connection control engine. The communications interface can receive a connection request associated with an external entity before a connection to the external entity is established. The reputation engine can derive a reputation associated with the external entity. The connection control engine can deny connection requests to a protected network based upon the derived reputation of the external entity.

[0021] Methods of throttling connection requests based upon reputation can include: receiving a connection request, the connection request being associated with an external entity; querying a reputation engine for a reputation associated with the external entity; comparing the reputation to a policy associated with a protected enterprise network; allowing the connection request based upon determining that the reputation of the external entity associated with the connection request complies with the policy; and throttling the connection request based upon determining that the reputation of the external entity associated with the voice over internet protocol connection request does not comply with the policy.

Brief Description of the Drawings

[0022] FIG. 1 is a block diagram depicting an example network in which systems and methods of this disclosure can operate.

[0023] FIG. 2 is a block diagram depicting an example network architecture of this disclosure.

[0024] FIG. 3 is a block diagram depicting an example of communications and entities, including identifiers and attributes used to detect relationships between entities.

[0025] FIG. 4 is a flowchart depicting an operational scenario used to detect relationships and assign risk to entities.

[0026] FIG. 5 is a block diagram illustrating an example network architecture including local reputations stored by local security agents and a global reputation stored by one or more servers.

[0027] FIG. 6 is a block diagram illustrating a determination of a global reputation based on local reputation feedback.

[0028] FIG. 7 is a flowchart illustrating an example resolution between a global reputation and a local reputation.

[0029] FIG. 8 is an example graphical user interface for adjusting the settings of a filter associated with a reputation server.

[0030] FIG. 9 is a block diagram illustrating reputation based connection throttling for voice over internet protocol (VoIP) or short message service (SMS) communications.

[0031] FIG. 10 is a block diagram illustrating a reputation based load balancer.

[0032] FIG. 11A is a flowchart illustrating an example operational scenario for geolocation based authentication.

[0033] FIG. 11B is a flowchart illustrating another example operational scenario for geolocation based authentication.

[0034] FIG. 11C is a flowchart illustrating another example operational scenario for geolocation based authentication.

[0035] FIG. 12 is a flowchart illustrating an example operational scenario for reputation based dynamic quarantine.

[0036] FIG. 13 is an example graphical user interface display of an image spam communication.

[0037] FIG. 14 is a flowchart illustrating an example operational scenario for detecting image spam.

[0038] FIG. 15A is a flowchart illustrating an operational scenario for analyzing the structure of a communication.

[0039] FIG. 15B is a flowchart illustrating an operational scenario for analyzing the features of an image.

[0040] FIG. 15C is a flowchart illustrating an operational scenario for normalizing an image for spam processing.

[0041] FIG. 15D is a flowchart illustrating an operational scenario for analyzing the fingerprint of an image to find common fragments among multiple images.

[0042] Detailed Description

[0043] FIG. 1 is a block diagram depicting an example network environment in which systems and methods of this disclosure can operate. A security agent 100 can typically reside between a firewall system (not shown) and servers (not shown) internal to a network 110 (e.g., an enterprise network). As should be understood, the network 110 can include a number of servers, including, for example, electronic mail servers, web servers, and various application servers as may be used by the enterprise associated with the network 110.

[0044] The security agent 100 monitors communications entering and exiting the network 110. These communications are typically received through the Internet 120 from many entities 130a-f that are connected to the Internet 120. One or more of the entities 130a-f can be legitimate originators of communications traffic. However, one or more of the entities 130a-f can also be non-reputable entities originating unwanted communications. As such, the security agent 100 includes a reputation engine. The reputation engine can inspect a communication and determine a reputation associated with the entity that originated the communication. The security agent 100 then performs an action on the communication based upon the reputation of the originating entity. If the reputation indicates that the originator of the communication is reputable, the security agent can, for example, forward the communication to the recipient of the communication. However, if the reputation indicates that the originator of the communication is non-reputable, the security agent can, among other things, quarantine the communication, perform more tests on the message, or require authentication from the message originator. Reputation engines are described in detail in United States Patent Publication No. 2006/0015942, which is hereby incorporated by reference.

[0045] FIG. 2 is a block diagram depicting an example network architecture of this disclosure. Security agents 100a-n are shown logically residing between networks 110a-n, respectively, and the Internet 120. While not shown in FIG. 2, it should be understood that a firewall can be installed between the security agents 100a-n and the Internet 120 to provide protection from unauthorized communications entering the respective networks 110a-n. Moreover, intrusion detection systems (IDS) (not shown) can be deployed in conjunction with firewall systems to identify suspicious patterns of activity and to signal alerts when such activity is identified.

[0046] While such systems provide some protection for a network, they typically do not address application level security threats. For example, hackers often attempt to use various network-type applications (e.g., e-mail, web, instant messaging (IM), etc.) to create a pre-textual connection with the networks 110a-n in order to exploit security holes created by these various applications using entities 130a-e. However, not all entities 130a-e imply threats to the networks 100a-n. Some entities 130a-e originate legitimate traffic, allowing the employees of a company to communicate with business associates more efficiently. While examining communications for potential threats is useful, it can be difficult to maintain current threat information because attacks are continually modified to account for the latest filtering techniques. Thus, security agents 100a-n can run multiple tests on a communication to determine whether the communication is legitimate.

[0047] Furthermore, sender information included in the communication can be used to help determine whether or not a communication is legitimate. As such, sophisticated security agents 100a-n can track entities and analyze the characteristics of the entities to help determine whether to allow a communication to enter a network 110a-n. The entities 110a-n can then be assigned a reputation. Decisions on a communication can take into account the reputation of the entity 130a-e that originated the communication. Moreover, one or more central systems 200 can collect information on entities 130a-e and distribute the collected data to other central systems 200 and/or the security agents 100a-n.

[0048] Reputation engines can help to identify the bulk of malicious communications without extensive and potentially costly local analysis of the content of the communication. Reputation engines can also help to identify legitimate communications and prioritize their delivery, and reduce the risk of misclassifying a legitimate communication. Moreover, reputation engines can provide a dynamic and predictive approach to the problem of identifying malicious, as well as legitimate, transactions in physical or virtual worlds. Examples include the process of filtering malicious communications in an e-mail, instant messaging, VoIP, SMS or other communication protocol system using analysis of the reputation of the sender and of the content. A security agent 100a-n can then apply a global or local policy to determine what action to perform with respect to the communication based on the reputation result (such as deny, quarantine, load balance, deliver with assigned priority, or analyze locally with additional scrutiny).

[0049] However, the entities 130a-e can connect to the Internet in a variety of ways. As should be understood, an entity 130a-e can have multiple identifiers (such as, for example, e-mail addresses, IP addresses, identifier documentation, etc.) at the same time or over a period of time. For example, a mail server with changing IP addresses can have multiple identities over time. Moreover, one identifier can be associated with multiple entities, such as, for example, when an IP address is shared by an organization with many users behind it. Moreover, the specific method used to connect to the Internet can obscure the identification of the entity 130a-e. For example, an entity 130b may connect to the Internet using an internet service provider (ISP) 200. Many ISPs 200 use dynamic host configuration protocol (DHCP) to assign IP addresses dynamically to entities 130b requesting a connection. Entities 130a-e can also disguise their identity by spoofing a legitimate entity. Thus, collecting data on the characteristics of each entity 130a-e can help to categorize an entity 130a-e and determine how to handle a communication.

[0050] The ease of creating and spoofing identities in both the virtual and the physical world can create an incentive for users to act maliciously without bearing the consequences of that act. For example, the IP address of a legitimate entity stolen on the Internet by a criminal (or a stolen passport in the physical world) can enable that criminal to participate in malicious activity with relative ease by assuming the stolen identity. However, by assigning a reputation to physical and virtual entities and recognizing the multiple identities that they can employ, reputation systems can influence reputable and non-reputable entities to operate responsibly, for fear of becoming non-reputable and being unable to correspond or interact with other network entities.

[0051] FIG. 3 is a block diagram depicting an example of communications and entities, including the use of identifiers and attributes to detect relationships between entities. Security agents 100a-b can collect data by examining communications that are directed to an associated network. Security agents 100a-b can also collect data by examining communications that are relayed by an associated network. Examination and analysis of communications can allow the security agents 100a-b to collect information about the entities 300a-c sending and receiving messages, including transmission patterns, volume, or whether the entity has a tendency to send certain kinds of message (e.g., legitimate messages, spam, viruses, bulk mail, etc.).

[0052] As shown in FIG. 3, each of the entities 300a-c is associated with one or more identifiers 310a-c, respectively. The identifiers 310a-c can include, for example, IP addresses, uniform resource locators (URLs), phone numbers, IM usernames, message content, domains, or any other identifier that might describe an entity. Moreover, the identifiers 310a-c are associated with one or more attributes 320a-c. As should be understood, the attributes 320a-c are fitted to the particular identifier 310a-c that is being described. For example, a message content identifier could include attributes such as malware, volume, type of content, behavior, etc. Similarly, attributes 320a-c associated with an identifier such as an IP address could include one or more IP addresses associated with an entity 300a-c.

[0053] Furthermore, it should be understood that this data can be collected from communications 330a-c (e.g., e-mail), which typically include some identifiers and attributes of the entity that originated the communication. Thus, the communications 330a-c provide a transport for communicating information about the entity to the security agents 100a, 100b. The security agents 100a, 100b can detect these attributes by examining the header information included in the message, analyzing the content of the message, and aggregating information previously collected by the security agents 100a, 100b (e.g., totaling the volume of communications received from an entity).

[0054] The data from multiple security agents 100a, 100b can be aggregated and used. For example, the data can be aggregated and used by a central system which receives the identifiers and attributes associated with all entities 300a-c for which the security agents 100a, 100b have received communications. Alternatively, the security agents 100a, 100b can operate as a distributed system, communicating identifier and attribute information about the entities 300a-c to each other. The process of using the data can correlate the attributes of the entities 300a-c with each other, thereby determining relationships between the entities 300a-c (e.g., correlations between an event occurrence, volume, and/or other determining factors).

[0055] These relationships can then be used to establish a multi-dimensional reputation "vector" for all identifiers, based on the correlation of the attributes associated with each identifier. For example, if a non-reputable entity 300a with a known reputation for being non-reputable sends a message 330a with a first set of attributes 350a, and then an unknown entity 300b sends a message 330b with a second set of attributes 350b, the security agent 100a can determine whether all or a portion of the first set of attributes 350a matches all or a portion of the second set of attributes 350b. When some portion of the first set of attributes 350a matches some portion of the second set of attributes 350b, a relationship can be established depending on the particular identifiers 320a, 320b that include the matching attributes 330a, 330b. The particular identifiers 340a, 340b found to have matching attributes can be used to determine a strength associated with the relationship between the entities 300a, 300b. The strength of the relationship can help to determine how much of the non-reputable qualities of the non-reputable entity 300a are attributed to the reputation of the unknown entity 300b.

[0056] However, it should also be recognized that the unknown entity 300b may originate a communication 330c that includes attributes 350c which match some attributes 350d of a communication 330d originating from a known reputable entity 300c. The particular identifiers 340c, 340d found to have matching attributes can be used to determine a strength associated with the relationship between the entities 300b, 300c. The strength of the relationship can help to determine how much of the reputable qualities of the reputable entity 300c are attributed to the reputation of the unknown entity 300b.

[0057] A distributed reputation engine also allows real-time collaborative sharing of global intelligence about the latest threat landscape, provides the benefit of instant protection to the local analysis performed by a filtering or risk analysis system, and identifies malicious sources of potential new threats before those threats even occur. Using sensors positioned at many different geographical locations, information about new threats can be shared quickly with the central system 200 or with the distributed security agents 100a, 100b. As should be understood, such distributed sensors can include the local security agents 100a, 100b, as well as local reputable clients, traffic monitors, or any other device suitable for collecting communication data (e.g., switches, routers, servers, etc.).

[0058] For example, the security agents 100a, 100b can communicate with the central system 200 to provide sharing of threat and reputation information. Alternatively, the security agents 100a, 100b can communicate threat and reputation information between each other to provide up-to-date and accurate threat information. In the example of FIG. 3, the first security agent 300a has information about the relationship between the unknown entity 300b and the non-reputable entity 300a, while the second security agent 300b has information about the relationship between the unknown entity 300b and the reputable entity 300c. Without sharing the information, the first security agent 300a may take a particular action on the communication based on the detected relationship. However, knowing the relationship between the unknown entity 300b and the reputable entity 300c, the first security agent 300a might take a different action with a communication received from the unknown entity 300b. Sharing relationship information between security agents thus provides a more complete set of relationship information on which a determination will be made.

[0059] The system attempts to assign reputations (reflecting a general disposition and/or categorization) to physical entities, such as individuals or automated systems performing transactions. In the virtual world, entities are represented by identifiers (e.g., IPs, URLs, content) that are tied to those entities in the specific transactions (e.g., sending a message or transferring funds out of a bank account) that the entities are performing. Reputation can therefore be assigned to those identifiers based on their overall behavior and historical patterns, as well as their relationships to other identifiers, such as the relationship of IPs sending messages to the URLs included in those messages. If there is a strong correlation between identifiers, a "bad" reputation for a single identifier can cause the reputation of other neighboring identifiers to worsen. For example, an IP that sends URLs which have a bad reputation will worsen its own reputation because of the reputation of the URLs. Finally, the individual identifier reputations can be aggregated into a single reputation (risk score) for the entity associated with those identifiers.
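The attribute matching of paragraphs [0055] to [0056] and the effect of sharing described in [0058], as an added example that is not code from the patent. The identifier weights, the -100..100 score scale, the action thresholds and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights (percent): how strongly a match on each identifier type ties
# two entities together. The page says only that the strength depends on which
# identifiers carry the matching attributes; these numbers are illustrative.
IDENTIFIER_WEIGHT = {"ip": 50, "url": 30, "content_fingerprint": 15, "domain": 5}


@dataclass(frozen=True)
class KnownEntity:
    name: str
    reputation: int        # assumed scale: -100 (non-reputable) .. +100 (reputable)
    attributes: frozenset  # {(identifier_type, value), ...}


def relationship_strength(attrs_a, attrs_b):
    """Return 0..100: summed weight of identifier types with a matching value."""
    matched_types = {id_type for id_type, _value in set(attrs_a) & set(attrs_b)}
    return min(100, sum(IDENTIFIER_WEIGHT.get(t, 0) for t in matched_types))


def attributed_reputation(unknown_attrs, known_entities):
    """Reputation imputed to an unknown entity from every known relationship."""
    total = sum(
        relationship_strength(unknown_attrs, entity.attributes) * entity.reputation
        for entity in known_entities
    )
    return max(-100, min(100, round(total / 100)))


def choose_action(score):
    """Map a score to one of the actions the page lists; thresholds are assumed."""
    if score <= -40:
        return "quarantine"
    if score < 40:
        return "analyze locally with additional scrutiny"
    return "allow"


# Constructed sample data (documentation address ranges and .test names).
NON_REPUTABLE_300A = KnownEntity("300a", -100, frozenset({
    ("ip", "192.0.2.10"),
    ("url", "http://offers.example.test/win"),
    ("content_fingerprint", "fp-7c1e"),
}))
REPUTABLE_300C = KnownEntity("300c", 100, frozenset({
    ("ip", "198.51.100.25"),
    ("domain", "mail.example.test"),
}))
UNKNOWN_300B_ATTRS = frozenset({
    ("ip", "198.51.100.25"),                    # same relay as 300c
    ("domain", "mail.example.test"),            # same domain as 300c
    ("url", "http://offers.example.test/win"),  # same URL as 300a
    ("content_fingerprint", "fp-7c1e"),         # same content as 300a
})

FIRST_AGENT_VIEW = [NON_REPUTABLE_300A]   # first agent only saw 300a's traffic
SECOND_AGENT_VIEW = [REPUTABLE_300C]      # second agent only saw 300c's traffic

if __name__ == "__main__":
    alone = attributed_reputation(UNKNOWN_300B_ATTRS, FIRST_AGENT_VIEW)
    shared = attributed_reputation(
        UNKNOWN_300B_ATTRS, FIRST_AGENT_VIEW + SECOND_AGENT_VIEW
    )
    print("first agent alone:", alone, "->", choose_action(alone))
    print("after sharing    :", shared, "->", choose_action(shared))
```

With only its own observations the first agent would quarantine the unknown sender; once the second agent's relationship data is merged, the stronger IP and domain match to the reputable entity moves the same message to closer local analysis instead.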

[0060] It should be noted that attributes can fall into a number of categories. For example, evidentiary attributes can represent physical, digital, or digitized physical data about an entity. This data can be attributed to a single known or unknown entity, or shared between multiple entities (forming entity relationships). Examples of evidentiary attributes relevant to messaging security include IP (internet protocol) addresses, known domain names, URLs, digital fingerprints or signatures used by the entity, TCP signatures, etc.

[0061] As another example, behavioral attributes can represent human or machine-assigned observations about either an entity or an evidentiary attribute. Such attributes may include one, many, or all attributes from one or more behavioral profiles. For example, a behavioral attribute generally associated with a spammer may be a high volume of communications sent from that entity.

[0062] A number of behavioral attributes for a particular type of behavior can be combined to derive a behavioral profile. A behavioral profile can contain a set of predefined behavioral attributes. The attributive properties assigned to these profiles include behavioral events relevant to defining the disposition of an entity matching the profile. Examples of behavioral profiles relevant to messaging security might include "Spammer", "Scammer", and "Legitimate Sender". The events and/or evidentiary attributes relevant to each profile define the appropriate entities to which a profile should be assigned. This may include a specific set of sending patterns, blacklist events, or specific attributes of the evidentiary data. Some examples include: sender/receiver identification; time interval and sending patterns; severity and disposition of payload; message construction; message quality; protocols and related signatures; communications medium.

[0063] It should be understood that entities sharing some or all of the same evidentiary attributes have an evidentiary relationship. Similarly, entities sharing behavioral attributes have a behavioral relationship. These relationships help form logical groups of related profiles, which can then be applied adaptively to enhance the profile or to identify entities that conform slightly more or less closely to the assigned profile.

[0064] FIG. 4 is a flowchart depicting an operational scenario 400 used to detect relationships and assign risk to entities. The operational scenario begins at step 410 by collecting network data. Data collection can be done, for example, by a security agent 100, a client device, a switch, a router, or any other device operable to receive communications from network entities (e.g., e-mail servers, web servers, IM servers, ISPs, file transfer protocol (FTP) servers, gopher servers, VoIP equipment, etc.).

[0065] At step 420, identifiers are associated with the collected data (e.g., communication data). Step 420 can be performed by a security agent 100 or by a central system 200 operable to aggregate data from a number of sensor devices, including, for example, one or more security agents 100. Alternatively, step 420 can be performed by the security agents 100 themselves. The identifiers can be based on the type of communication received. For example, an e-mail can include one set of information (e.g., IP addresses of the originator and the destination, text content, attachments, etc.), while a VoIP communication can include a different set of information (e.g., originating phone number (or IP address if originating from a VoIP client), receiving phone number (or IP address if destined for a VoIP phone), voice content, etc.). Step 420 can also include assigning the attributes of the communication with the associated identifiers.

[0066] At step 430, the attributes associated with the entities are analyzed to determine whether any relationships exist between the entities for which communication information has been collected. Step 430 can be performed, for example, by a central system 200 or by one or more distributed security agents 100. The analysis can include comparing attributes related to different entities to find relationships between the entities. Moreover, based on the particular attribute that serves as the basis for the relationship, a strength can be associated with the relationship.

[0067] At step 440, a risk vector is assigned to the entities. As an example, the risk vector can be assigned by the central system 200 or by one or more security agents 100. The risk vector assigned to an entity 130 (FIGS. 1-2), 300 (FIG. 3) can be based on the relationships found between the entities and on the identifier that formed the basis for the relationship.

[0068] At step 450, an action can be performed based on the risk vector. The action can be performed, for example, by a security agent 100. The action can be performed on a received communication associated with an entity to which a risk vector has been assigned. The action can include, among others, allow, deny, quarantine, load balance, deliver with an assigned priority, or analyze locally with additional scrutiny. However, it should be understood that a reputation vector can be derived separately.

[0069] FIG. 5 is a block diagram illustrating an example network architecture including local reputations 500a-e derived by local reputation engines 510a-e and a global reputation 520 stored by one or more servers 530. The local reputation engines 510a-e can be associated, for example, with local security agents such as the security agents 100. Alternatively, the local reputation engines 510a-e can be associated, for example, with a local client. Each of the reputation engines 510a-e includes a list of one or more entities for which the reputation engine 510a-e stores a derived reputation 500a-e.

[0070] However, these stored derived reputations can be inconsistent between reputation engines, because each reputation engine may observe different types of traffic. For example, reputation engine 1 510a may include a reputation indicating that a particular entity is reputable, while reputation engine 2 510b may include a reputation indicating that the same entity is non-reputable. These local reputational inconsistencies can be based on different traffic received from the entity. Alternatively, the inconsistencies can be based on feedback from a user of local reputation engine 1 510a indicating that a communication is legitimate, while local reputation engine 2 510b provides feedback indicating that the same communication is not legitimate.

[0071] The server 530 receives reputation information from the local reputation engines 510a-e. However, as noted above, some of the local reputation information may be inconsistent with other local reputation information. The server 530 can arbitrate between the local reputations 500a-e to determine a global reputation 520 based on the local reputation information 500a-e. In some examples, the global reputation information 520 can then be provided back to the local reputation engines 510a-e to give these engines 510a-e up-to-date reputation information. Alternatively, the local reputation engines 510a-e can be operable to query the server 530 for reputation information. In some examples, the server 530 responds to the query with the global reputation information 520.

[0072] In other examples, the server 530 applies a local reputation bias to the global reputation 520. The local reputation bias can perform a transform on the global reputation to provide the local reputation engines 510a-e with a global reputation vector that is biased according to the preferences of the particular local reputation engine 510a-e that originated the query. Thus, a local reputation engine 510a whose administrator or users have indicated a high tolerance for spam messages can receive a global reputation vector that accounts for the indicated tolerance. The particular components of the reputation vector returned to the reputation engine 510a might include portions of the reputation vector that are de-emphasized relative to the rest of the reputation vector. Likewise, a local reputation engine 510b that has indicated, for example, a low tolerance for communications from entities with a reputation for originating viruses may receive a reputation vector that amplifies the components of the reputation vector relating to virus reputation.

[0073] FIG. 6 is a block diagram illustrating the determination of a global reputation based on local reputation feedback. A local reputation engine 600 is operable to send a query through a network 610 to a server 620. In some examples, the local reputation engine 600 originates a query in response to receiving a communication from an unknown entity. Alternatively, the local reputation engine 600 can originate the query in response to receiving any communication, thereby promoting the use of more up-to-date reputation information.

[0074] The server 620 is operable to respond to the query with a global reputation determination. The central server 620 can derive the global reputation using a global reputation aggregation engine 630. The global reputation aggregation engine 630 is operable to receive a plurality of local reputations 640 from a respective plurality of local reputation engines. In some examples, the plurality of local reputations 640 can be sent periodically by the reputation engines to the server 620. Alternatively, the plurality of local reputations 640 can be retrieved by the server upon receiving a query from one of the local reputation engines 600.

[0075] The local reputations can be combined using confidence values related to each of the local reputation engines and then accumulating the results. The confidence value can indicate the confidence associated with a local reputation produced by the associated reputation engine. Reputation engines associated with individuals, for example, can receive a lower weighting in the global reputation determination. In contrast, local reputations associated with reputation engines operating on large networks can receive a greater weight in the global reputation determination, based on the confidence value associated with that reputation engine.

[0076] In some examples, the confidence values 650 can be based on feedback received from users. For example, a reputation engine that receives a lot of feedback indicating that communications were not properly handled, because the local reputation information 640 associated with the communication indicated the wrong action, can be assigned low confidence values 650 for the local reputations 640 associated with that reputation engine. Similarly, a reputation engine that receives feedback indicating that communications were handled correctly, based on local reputation information 640 associated with the communication that indicated the correct action, can be assigned a high confidence value 650 for the local reputations 640 associated with that reputation engine. Adjustment of the confidence values associated with the various reputation engines can be accomplished using a tuner 660, which is operable to receive input information and to adjust the confidence values based on the received input. In some examples, the confidence values 650 can be provided to the server 620 by the reputation engine itself, based on stored statistics for incorrectly classified entities. In other examples, information used to weight the local reputation information can be communicated to the server 620.

[0077] In some examples, a bias 670 can be applied to the resulting global reputation vector. The bias 670 can normalize the reputation vector to provide a normalized global reputation vector to the reputation engine 600. Alternatively, the bias 670 can be applied to account for local preferences associated with the reputation engine 600 originating the reputation query. Thus, a reputation engine 600 can receive a global reputation vector matching the defined preferences of the querying reputation engine 600. The reputation engine 600 can take an action on the communication based on the global reputation vector received from the server 620.
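The aggregation path of FIG. 6 (confidence values 650, tuner 660, bias 670) worked through as an added example; it is not code from the patent. The 0..1 risk scale, the smoothing formula used for the tuner, the per-category multiplier used for the bias, and all engine names and numbers are assumptions.

```python
def tuned_confidence(correct, incorrect):
    """Stand-in for tuner 660: confidence from user feedback counts.

    Assumed formula: Laplace-smoothed share of correctly handled messages, so
    an engine with no feedback starts at 0.5 and mishandling lowers its weight.
    """
    if correct < 0 or incorrect < 0:
        raise ValueError("feedback counts cannot be negative")
    return (correct + 1) / (correct + incorrect + 2)


def aggregate_global(local_reputations, confidence):
    """Confidence-weighted mean per category over the engines that reported it.

    local_reputations: {engine_id: {category: risk score in 0..1}}
    confidence:        {engine_id: weight in 0..1}
    """
    sums, weights = {}, {}
    for engine, vector in local_reputations.items():
        weight = confidence.get(engine, 0.0)  # unknown engines carry no weight
        for category, score in vector.items():
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{engine}/{category}: score out of range")
            sums[category] = sums.get(category, 0.0) + weight * score
            weights[category] = weights.get(category, 0.0) + weight
    return {c: sums[c] / weights[c] for c in sums if weights[c] > 0}


def apply_bias(global_vector, bias):
    """Stand-in for bias 670: per-category multiplier, clamped to 0..1."""
    return {
        category: max(0.0, min(1.0, score * bias.get(category, 1.0)))
        for category, score in global_vector.items()
    }


# Constructed sample data: three engines disagree about one entity.
FEEDBACK = {              # (handled correctly, handled incorrectly)
    "engine-1": (18, 0),  # large network, consistently right
    "engine-2": (2, 6),   # individual user, often wrong
    "engine-3": (8, 0),
}
LOCAL_REPUTATIONS = {     # higher score means higher risk (assumed scale)
    "engine-1": {"spam": 0.9, "virus": 0.2},
    "engine-2": {"spam": 0.1},               # never saw virus traffic
    "engine-3": {"spam": 0.7, "virus": 0.4},
}
CONFIDENCE = {e: tuned_confidence(*fb) for e, fb in FEEDBACK.items()}

SPAM_TOLERANT_BIAS = {"spam": 0.5}      # querying engine tolerates spam
VIRUS_INTOLERANT_BIAS = {"virus": 1.5}  # querying engine amplifies virus risk

if __name__ == "__main__":
    global_vector = aggregate_global(LOCAL_REPUTATIONS, CONFIDENCE)
    print("confidence      :", CONFIDENCE)
    print("global          :", global_vector)
    print("spam-tolerant   :", apply_bias(global_vector, SPAM_TOLERANT_BIAS))
    print("virus-intolerant:", apply_bias(global_vector, VIRUS_INTOLERANT_BIAS))
```

The low-confidence dissenting engine pulls the global spam score down far less than a plain average would, and each querying engine then sees the same global vector reshaped by its own bias.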

[0078] FIG. 7 is a block diagram illustrating an example conversion between a global reputation and a local reputation. The local security agent 700 communicates with a server 720 to retrieve global reputation information from the server 720. The local security agent 700 can receive a communication at 702. The local security agent can correlate the communication at 704 to identify attributes of the message. The attributes of the message can include, for example, the originating entity, a fingerprint of the message content, the message size, etc. The local security agent 700 includes this information in a query to the server 720. In other examples, the local security agent 700 can forward the entire message to the server 720, and the server can perform the correlation and analysis of the message.

[0079] The server 720 uses the information received from the query to determine a global reputation based on a configuration 725 of the server 720. The configuration 725 can include a plurality of reputation information, including information indicating that a queried entity is non-reputable (730) and information indicating that a queried entity is reputable (735). The configuration 725 can also apply a weighting 740 to each of the aggregated reputations 730, 735. A reputation score determinator 745 can provide the engine for weighting (740) the aggregated reputation information 730, 735 and producing a global reputation vector.

[0080] The local security agent 700 then sends a query to a local reputation engine at 706. The local reputation engine 708 performs a determination of the local reputation and returns a local reputation vector at 710. The local security agent 700 also receives a response to the reputation query sent to the server 720, in the form of a global reputation vector. The local security agent 700 then mixes the local reputation vector and the global reputation vector together at 712. An action is then taken with respect to the received message at 714.

[0081] FIG. 8 is an example graphical user interface 800 for adjusting the settings of a filter associated with a reputation server. The graphical user interface 800 can allow the user of a local security agent to adjust the configuration of a local filter in several different categories 810, such as "Virus", "Worms", "Trojan Horse", "Phishing", "Spyware", "Spam", "Content", and "Bulk". However, it should be understood that the categories 810 are only examples, and that the present disclosure is not limited to the categories 810 chosen as examples here.

[0082] In some examples, the categories 810 can be divided into two or more types of categories. For example, the categories 810 of FIG. 8 are divided into a "Security Settings" type 820 of category 810 and a "Policy Settings" type 830 of category. In each of the categories 810 and types 820, 830, a mixer bar representation 840 can allow the user to adjust the particular filter setting associated with the respective category 810 of communications or entity reputations.

[0083] Moreover, while categories 810 of the "Policy Settings" type 830 can be adjusted freely according to the user's own judgment, categories of the "Security Settings" type 820 can be limited to adjustment within a range. This distinction can be made in order to prevent a user from altering the security settings of the security agent beyond an acceptable range. For example, a disgruntled employee could attempt to lower the security settings, thereby leaving the enterprise network vulnerable to attack. Thus, the ranges 850 placed on categories 810 in the "Security Settings" type 820 are operable to keep security at a minimum level, to prevent the network from being compromised. However, as should be noted, the categories 810 of the "Policy Settings" type 830 are those types of categories 810 that would not compromise the security of the network, but might only inconvenience the user or the enterprise if the settings were lowered.

[0084] Furthermore, it should be recognized that, in various examples, range limits 850 can be placed on all of the categories 810. Thus, the local security agent would prevent users from setting the mixer bar representation 840 outside of the provided range 850. It should also be noted that, in some examples, the ranges may not be shown on the graphical user interface 800. Instead, the range 850 would be abstracted out of the graphical user interface 800, and all of the settings would be relative settings. Thus, the category 800 could display and appear to allow a full range of settings, while transforming the setting into a setting within the provided range. For example, the range 850 of the "Virus" category 810 is provided in this example as being between level markers 8 and 13. If the graphical user interface 800 were set to abstract the allowable range 850 out of the graphical user interface 800, the "Virus" category 810 would allow the mixer bar representation 840 to be set anywhere between 0 and 14. However, the graphical user interface 800 could transform the 0-14 setting into a setting within the 8 to 13 range 850. Thus, if a user requested a setting midway between 0 and 14, the graphical user interface could transform that setting into a setting midway between 8 and 13.

[0085] FIG. 9 is a block diagram illustrating reputation-based connection throttling for voice over internet protocol (VoIP) or short message service (SMS) communications. As should be understood, an originating IP phone 900 can place a VoIP call to a receiving IP phone 910. These IP phones 900, 910 can be, for example, computers executing soft-phone software, network-enabled phones, etc. The originating IP phone 900 can place a VoIP call through a network 920 (e.g., the internet). The receiving IP phone 910 can receive the VoIP call through a local network 930 (e.g., an enterprise network).

[0086] Upon establishing a VoIP call, the originating IP phone has established a connection to the local network 930. This connection can be used in a manner similar to the way e-mail, web, instant messaging, or other internet applications can be used to provide an unregulated connection to a network. Thus, a connection to a receiving IP phone can be used, on the basis of the established connection, to put the computers 940, 950 operating on the local network 930 at risk of intrusion, viruses, trojan horses, worms, and various other types of attacks. Moreover, because of the time-sensitive nature of VoIP communications, these communications are typically not examined to ensure that the connection is not being misused. For example, voice conversations occur in real time. If a few packets of a voice conversation are delayed, the conversation becomes stilted and difficult to understand. Thus, the contents of the packets typically cannot be examined once a connection is established.

[0087] However, a local security agent 960 can use reputation information received from a reputation engine or server 970 to determine the reputation associated with the originating IP phone. The local security agent 960 can use the reputation of the originating entity to determine whether to allow a connection with the originating entity. Thus, the security agent 960 can prevent connections with non-reputable entities, as indicated by reputations that do not comply with the policy of the local security agent 960.

[0088] In some examples, the local security agent 960 can include a connection throttling engine operable to control the flow rate of packets being transmitted over the connection established between the calling IP phone 900 and the receiving IP phone 910. Thus, an originating entity 900 with a poor reputation can be allowed to make a connection to the receiving IP phone 910. However, the packet throughput will be capped, thereby preventing the originating entity 900 from using the connection to attack the local network 930. Alternatively, the connection can be throttled by performing a detailed inspection of any packets originating from entities of poor reputation. As stated above, detailed inspection of all VoIP packets is not efficient. Thus, quality of service (QoS) can be maximized for connections associated with reputable entities, while the QoS of connections associated with entities of poor reputation is reduced. Standard communication interrogation techniques can be performed on connections associated with entities of poor reputation in order to determine whether any of the transmitted packets received from the originating entity include a threat to the network 930. Various interrogation techniques and systems are described in U.S. Patent Nos. 6,941,467, 7,089,590, 7,096,498 and 7,124,438 and in U.S. Patent Application Nos. 2006/0015942, 2006/0015563, 2003/0172302, 2003/0172294, 2003/0172291 and 2003/0173166, which are hereby incorporated by reference.

[0089] FIG. 10 is a block diagram illustrating the operation of a reputation-based load balancer 1000. The load balancer 1000 is operable to receive communications from reputable entities 1010 and entities of poor reputation 1020 (respectively) through a network 1030 (e.g., the Internet). The load balancer 1000 communicates with a reputation engine 1040 to determine the reputation of the entities 1010, 1020 associated with incoming or outgoing communications.

[0090] The reputation engine 1030 is operable to provide a reputation vector to the load balancer. The reputation vector can indicate the reputation of the entity 1010, 1020 associated with a communication in a variety of different categories. For example, the reputation vector might indicate a good reputation for an entity 1010, 1020 with respect to originating spam, while also indicating a poor reputation for the same entity 1010, 1020 with respect to originating viruses.

[0091] The load balancer 1000 can use the reputation vector to determine what action to perform on a communication associated with the entity 1010, 1020. Where a reputable entity 1010 is associated with the communication, the message is sent to a message transfer agent (MTA) 1050 and delivered to a recipient 1060.

[0092] Where an entity 1020 of poor reputation has a reputation for viruses but no reputation for other types of disreputable activity, the communication is forwarded to one of a plurality of virus detectors 1070. The load balancer 1000 is operable to determine which of the plurality of virus detectors 1070 to use based on the current capacity of the virus detectors and the reputation of the originating entity. For example, the load balancer 1000 could send the communication to the least utilized virus detector. In other examples, the load balancer 1000 might determine a degree of poor reputation associated with the originating entity and send communications of slightly poor reputation to the least utilized virus detector, while sending communications of very poor reputation to a highly utilized virus detector, thereby throttling the QoS of connections associated with entities of very poor reputation.

[0093] Similarly, where an entity 1020 of poor reputation has a reputation for originating spam communications but no reputation for other types of disreputable activity, the load balancer can send the communication to specialized spam detectors 1080 to the exclusion of other types of testing. It should be understood that where a communication is associated with an entity 1020 of poor reputation that originates multiple types of disreputable activity, the communication can be sent to be tested for each type of disreputable activity the entity 1020 is known to exhibit, while avoiding tests associated with disreputable activity the entity 1020 is not known to exhibit.

[0094] In some examples, every communication can receive routine testing for multiple types of illegitimate content. However, where the entity 1020 associated with the communication shows a reputation for certain types of activity, the communication can also be quarantined for detailed testing for the content that the entity has a reputation for originating.

[0095] In yet other examples, every communication can receive the same type of testing. However, communications associated with reputable entities 1010 are sent to the testing module with the shortest queue or to testing modules with spare processing capacity. On the other hand, communications associated with entities 1020 of poor reputation are sent to the testing modules 1070, 1080 with the longest queue. Thus, communications associated with reputable entities 1010 can receive priority in delivery over communications associated with entities of poor reputation. Quality of service is therefore maximized for reputable entities 1010, while quality of service is reduced for entities 1020 of poor reputation. Thus, reputation-based load balancing can protect the network from attack by reducing the ability of entities of poor reputation to connect to the network 930.
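The routing rules of paragraphs [0091] to [0093] can be sketched as follows. This is an added example, not code from the patent; the 0.0 to 1.0 score scale, the two thresholds, and all class, function and detector names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed convention (not in the patent): each category score runs from
# 0.0 (good) to 1.0 (worst). Both thresholds are illustrative.
POOR = 0.5       # score >= POOR: poor reputation in that category
VERY_POOR = 0.8  # score >= VERY_POOR: very poor, connection is throttled


@dataclass
class Detector:
    name: str
    category: str                      # activity it tests for: "virus", "spam"
    queue: list = field(default_factory=list)


class ReputationLoadBalancer:
    def __init__(self, detectors):
        self.detectors = list(detectors)
        self.mta_queue = []            # messages passed straight to the MTA

    def _pick(self, category, score):
        pool = sorted((d for d in self.detectors if d.category == category),
                      key=lambda d: len(d.queue))
        if not pool:
            raise ValueError(f"no detector for category {category!r}")
        # Slightly poor senders get the least utilized detector; very poor
        # senders get the most utilized one, which lowers their QoS.
        return pool[-1] if score >= VERY_POOR else pool[0]

    def route(self, message_id, reputation_vector):
        """Return the names of the queues the message was placed on."""
        flagged = {c: s for c, s in reputation_vector.items() if s >= POOR}
        if not flagged:
            self.mta_queue.append(message_id)
            return ["mta"]
        # Test only for the activities the sender is known to exhibit.
        chosen = [self._pick(c, flagged[c]) for c in sorted(flagged)]
        for detector in chosen:
            detector.queue.append(message_id)
        return [d.name for d in chosen]


def demo_routes():
    """Route four constructed messages through constructed detector queues."""
    lb = ReputationLoadBalancer([
        Detector("virus-a", "virus", queue=["old"] * 3),
        Detector("virus-b", "virus", queue=["old"]),
        Detector("spam-a", "spam"),
        Detector("spam-b", "spam", queue=["old"] * 2),
    ])
    return [
        lb.route("m1", {"spam": 0.1, "virus": 0.05}),   # reputable sender
        lb.route("m2", {"spam": 0.1, "virus": 0.6}),    # slightly poor: virus
        lb.route("m3", {"spam": 0.0, "virus": 0.95}),   # very poor: virus
        lb.route("m4", {"spam": 0.7, "virus": 0.6}),    # poor in both
    ]


if __name__ == "__main__":
    for targets in demo_routes():
        print(targets)
```
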

[0096] FIG. 11A is a flowchart illustrating an example operational scenario for collecting geolocation-based data for authentication analysis. At step 1100, the operational scenario collects data from various login attempts. Step 1100 can be performed, for example, by a local security agent, such as the security agent 100 of FIG. 1. The collected data can include, among other things, the IP address associated with the login attempt, the time of the login attempt, the number of login attempts before success, or the details of any unsuccessful passwords attempted. The collected data is then analyzed at step 1105 to derive statistical information, such as the geographic location of the login attempts. Step 1105 can be performed, for example, by a reputation engine. The statistical information associated with the login attempts is then stored at step 1110. The storing can be performed, for example, by a system data store.

[0097] FIG. 11B is a flowchart illustrating another example operational scenario for geolocation-based authentication. A login attempt is received at step 1115. The login attempt can be received, for example, by a secure web server operable to provide secure financial data over a network. It is then determined at step 1120 whether the login attempt matches a stored username and password combination. Step 1120 can be performed, for example, by a secure server operable to authenticate login attempts. If the username and password do not match a stored username/password combination, the login attempt is declared a failure at step 1125.

[0098] However, if the username and password do match a legitimate username/password combination, the origin of the login attempt is determined at step 1130. The origin of the login attempt can be determined by a local security agent 100 as shown in FIG. 1. Alternatively, the origin of the login attempt can be determined by a reputation engine. The origin of the login attempt can then be compared with the statistical information derived in FIG. 11A, as shown in step 1135. Step 1135 can be performed, for example, by a local security agent 100 or by a reputation engine. It is determined at step 1140 whether the origin matches statistical expectations. If the actual origin matches statistical expectations, the user is authenticated at step 1145.

[0099] Alternatively, if the actual origin does not match the statistical expectation for the origin, further processing is performed at step 1150. It should be understood that further processing can include requesting further information from the user to verify his or her authenticity. Such information can include, for example, home address, mother's maiden name, place of birth, or any other piece of information known about the user (e.g., a secret question). Other examples of additional processing can include searching previous login attempts to determine whether the location of the current login attempt is truly anomalous or merely coincidental. Furthermore, a reputation associated with the entity originating the login attempt can be derived and used to determine whether to allow the login.
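The flow of FIGS. 11A and 11B can be sketched as below. This is an added example, not code from the patent: the prefix-to-region table is constructed from documentation-only address ranges, and the history and share thresholds, class and function names are assumptions. The credential check of step 1120 is assumed to happen elsewhere and arrives as `password_ok`.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed lookup table: documentation-only prefixes (RFC 5737) mapped to
# made-up regions. A real deployment would query a geolocation database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]


def locate(ip):
    """Step 1130: map the source address of a login attempt to a region."""
    addr = ipaddress.ip_address(ip)
    for network, region in GEO_TABLE:
        if addr in network:
            return region
    return "UNKNOWN"


class LoginOriginStats:
    """Per-user statistics over login origins (FIG. 11A, steps 1100-1110)."""

    def __init__(self, min_history=5, min_share=0.10):
        self.min_history = min_history   # assumed: logins needed for a baseline
        self.min_share = min_share       # assumed: share that counts as expected
        self.origins = defaultdict(Counter)

    def record(self, user, ip):
        self.origins[user][locate(ip)] += 1

    def matches_expectation(self, user, ip):
        """Step 1140: does this origin fit what has been seen for the user?"""
        region = locate(ip)
        seen = self.origins.get(user, Counter())
        total = sum(seen.values())
        if region == "UNKNOWN" or total < self.min_history:
            return False                 # no basis for an expectation
        return seen[region] / total >= self.min_share


def decide_login(stats, user, password_ok, ip):
    if not password_ok:
        return "failed"                  # step 1125
    if stats.matches_expectation(user, ip):
        stats.record(user, ip)
        return "authenticated"           # step 1145
    return "further_processing"          # step 1150: ask for more proof


def build_sample_history():
    """Constructed history: alice logs in mostly from US, sometimes from DE."""
    stats = LoginOriginStats()
    for _ in range(8):
        stats.record("alice", "192.0.2.10")
    for _ in range(2):
        stats.record("alice", "198.51.100.7")
    return stats


if __name__ == "__main__":
    stats = build_sample_history()
    print(decide_login(stats, "alice", True, "192.0.2.44"))
    print(decide_login(stats, "alice", True, "203.0.113.5"))
```
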

[0100] FIG. 11C is a flowchart illustrating another example operational scenario for geolocation-based authentication that uses the reputation of the originating entity to confirm authentication. A login attempt is received at step 1115. The login attempt can be received, for example, by a secure web server operable to provide secure financial data over a network. It is then determined at step 1160 whether the login attempt matches a stored username and password combination. Step 1160 can be performed, for example, by a secure server operable to authenticate login attempts. If the username and password do not match a stored username/password combination, the login attempt is declared a failure at step 1165.

[0101] However, if the username and password do match a legitimate username/password combination, the origin of the login attempt is determined at step 1170. The origin of the login attempt can be determined by a local security agent 100 as shown in FIG. 1. Alternatively, the origin of the login attempt can be determined by a reputation engine. A reputation associated with the entity originating the login attempt can then be retrieved, as shown in step 1175. Step 1175 can be performed, for example, by a reputation engine. It is determined at step 1180 whether the originating entity is reputable. If the originating entity is reputable, the user is authenticated at step 1185.

[0102] Alternatively, if the originating entity is of poor reputation, further processing is performed at step 1190. It should be understood that further processing can include requesting further information from the user to verify his or her authenticity. Such information can include, for example, home address, mother's maiden name, place of birth, or any other piece of information known about the user (e.g., a secret question). Other examples of additional processing can include searching previous login attempts to determine whether the location of the current login attempt is truly anomalous or merely coincidental.

[0103] Thus, it should be understood that reputation systems can be applied to identifying fraud in financial transactions. The reputation system can raise the risk score of a transaction depending on the reputation of the transaction originator or on the data in the actual transaction (source, destination, amount, etc.). In such situations, the financial institution can better determine the probability that a particular transaction is fraudulent based on the reputation of the originating entity.

[0104] FIG. 12 is a flowchart illustrating an example operational scenario for reputation-based dynamic quarantine. Communications are received at step 1200. The communications are then analyzed at step 1205 to determine whether they are associated with an unknown entity. It should be noted, however, that this operational scenario can be applied to any communications received, not merely communications received from previously unknown entities. For example, communications received from an entity of poor reputation could be dynamically quarantined until it is determined that the received communications do not pose a threat to the network. Where the communications are not associated with a new entity, the communications undergo normal processing for incoming communications, as shown in step 1210.

[0105] If the communications are associated with a new entity, a dynamic quarantine counter is initialized at step 1215. Communications received from the new entity are then sent to a dynamic quarantine at step 1220. The counter is then checked at step 1225 to determine whether the counter has elapsed. If the counter has not elapsed, the counter is decremented at step 1230. The behavior of the entity as well as the quarantined communications can be analyzed at step 1235. It is determined at step 1240 whether the behavior of the entity or the quarantined communications is anomalous. If no anomaly is found, the operational scenario returns to step 1220, where new communications are quarantined.

[0106] However, if the behavior of the entity or the communications is found to be anomalous at step 1240, a poor reputation is assigned to the entity at step 1245. The process ends by sending a notification to an administrator or to the recipients of the communications sent by the originating entity.

[0107] Returning to step 1220, the process of quarantining and examining communications and entity behavior continues until anomalous behavior is discovered, or until the dynamic quarantine counter elapses at step 1225. If the dynamic quarantine counter elapses, a reputation is assigned to the entity at step 1255. Alternatively, where the entity is not an unknown entity, the reputation can be updated at step 1245 or 1255. The operational scenario ends at step 1260 by releasing the dynamic quarantine, where the dynamic quarantine counter has elapsed without discovery of an anomaly in the communications or in the behavior of the originating entity.

[0108] FIG. 13 is a display of an example graphical user interface 1300 of an image spam communication, which can be classified as an unwanted image or message. As should be understood, image spam poses a problem for traditional spam filters. Image spam bypasses the traditional textual analysis of spam by converting the text message of the spam into an image format. FIG. 13 shows an example of image spam. The message shows an image 1310. While the image 1300 appears to be text, it is merely a graphic encoding of a text message. Image spam also typically includes a text message 1320 comprising sentences that are structured correctly but make no sense in the context of the message. The message 1320 is designed to elude spam filters that trigger on communications that include only an image 1310. Moreover, the message 1320 is designed to trick filters that apply only superficial testing to the text of a communication that includes an image 1310. Further, while these messages do include information about the origin of the message in the header 1330, the reputation of an entity used to send image spam might not be known until the entity is caught sending image spam.

[0109] FIG. 14 is a flowchart illustrating an example operational scenario for detecting unwanted images (e.g., image spam). It should be understood that many of the steps shown in FIG. 14 can be performed alone or in combination with any or all of the other steps shown in FIG. 14 to provide some detection of image spam. However, using every step in FIG. 14 provides a comprehensive process for detecting image spam.

[0110] The process begins at step 1400 with analysis of the communication. Step 1400 typically includes analyzing the communication to determine whether the communication includes an image that is subject to image spam processing. At step 1410, the operational scenario performs a structural analysis of the communication to determine whether the image comprises spam. The header of the image is then analyzed at step 1420. Analysis of the image header allows the system to determine whether anomalies exist with respect to the image format itself (e.g., protocol errors, corruption, etc.). The features of the image are analyzed at step 1430. The feature analysis is intended to determine whether any features of the image are anomalous.

[0111] The image can be normalized at step 1440. Normalization of an image typically includes removal of random noise that might be added by a spammer to avoid image fingerprinting techniques. Image normalization is intended to convert the image into a format that can be easily compared among images. Fingerprint analysis can be performed on the normalized image to determine whether the image matches images from previously received known image spam.

[0112] FIG. 15A is a flowchart illustrating an operational scenario for analyzing the structure of a communication. The operational scenario begins at step 1500 with analysis of the message structure. At step 1505, the hypertext markup language (HTML) structure of the communication is analyzed to introduce n-gram tags as additional tokens for a Bayesian analysis. Such processing can analyze the text 1320 included in an image spam communication for anomalies. The HTML structure of the message can be analyzed to define meta-tokens. Meta-tokens are the HTML content of the message, processed to discard any irrelevant HTML tags and compressed by removing white space to create a "token" for Bayesian analysis. Each of the above tokens can be used as input to a Bayesian analysis for comparison with previously received communications.

[0113] The operational scenario then includes image detection at step 1515. The image detection can include partitioning the image into a plurality of pieces and performing fingerprinting on the pieces to determine whether the fingerprints match pieces of previously received images.

[0114] FIG. 15B is a flowchart illustrating an operational scenario for analyzing the features of an image to extract features of the message for input into a clustering engine, in order to identify components of the image that align with known image spam. The operational scenario begins at step 1520, where a number of high-level features of the image are detected for use in a machine learning algorithm. Such features can include values such as the number of unique colors, the number of noise black pixels, the number of edges in the horizontal direction (sharp transitions between shapes), and so on.

[0115] One of the features extracted by the operational scenario can include the number of histogram modes of the image, as shown at step 1525. The number of modes is obtained by examining the spectral density of the image. As should be understood, artificial images typically include fewer modes than natural images, because the colors of natural images are typically spread across a broad spectrum.

[0116] As described above, the features extracted from the image can be used to identify anomalies. In some examples, identifying anomalies can include analyzing the features of a message to determine the degree of similarity of a number of features to the features of stored unwanted images. Alternatively, in some examples, the image features can also be analyzed for comparison with known reputable images to determine similarity to reputable images. It should be understood that none of the extracted features alone is determinative of a classification. For example, a specific feature might be associated with 60% of unwanted messages, while also being associated with 40% of wanted messages. Moreover, as the value associated with the feature changes, the probability that the message is wanted or unwanted might change. There are many features that can indicate a slight tendency. If each of these features is combined, the image spam detection system can make a classification decision.

[0117] The aspect ratio is then examined at step 1530 to determine whether there are any anomalies with respect to the image size or aspect ratio. Such anomalies could be indicated by similarity of the image size or aspect ratio to known sizes or aspect ratios that are common to known image spam. For example, image spam can come in specific sizes to make the image spam look more like ordinary e-mail. Messages that include images sharing a common size with known spam images are more likely to be spam themselves. Alternatively, there are image sizes that are not conducive to spam (e.g., a 1 inch x 1 inch square image might be difficult to read if a spammer inserted a message into the image). Messages that include images known to be non-conducive to the insertion of spam are less likely to be image spam. Thus, the aspect ratio of a message can be compared with common aspect ratios used in image spam to determine the probability that the image is an unwanted image or that the image is a reputable image.

[0118] At step 1535, the frequency distribution of the image is examined. Typically, natural images have a uniform frequency distribution with relatively few sharp frequency gradations. Image spam, on the other hand, typically includes a choppy frequency distribution, because black letters are placed on a dark background. Thus, such a non-uniform frequency distribution can indicate image spam.

[0119] At step 1540, the signal-to-noise ratio can be analyzed. A high signal-to-noise ratio might indicate that a spammer may be trying to evade fingerprinting techniques by introducing noise into the image. Increasing noise levels can thereby indicate an increasing probability that the image is an unwanted image.

[0120] It should be understood that some features can be extracted on the scale of the entire image, while other features can be extracted from subparts of the image. For example, the image can be subdivided into a plurality of subparts. Each rectangle can be transformed into the frequency domain using a fast Fourier transform (FFT). In the transformed image, the predominance of frequencies in a plurality of directions can be extracted as features. These subparts of the transformed image can also be examined to determine the number of high frequencies and low frequencies. In the transformed image, points that are further from the origin represent higher frequencies. As with the other extracted features, these features can then be compared with known legitimate and unwanted images to determine which characteristics the unknown image shares with each type of known image. Moreover, the transformed (e.g., frequency domain) image can also be divided into subparts (e.g., slices, rectangles, concentric circles, etc.) and compared against data from known images (e.g., both known unwanted images and known legitimate images).

[0121] FIG. 15C is a flowchart illustrating an operational scenario for normalizing an image for spam processing. At step 1545, obfuscation and noise are removed from the image. As discussed previously, these can be introduced by spammers to evade fingerprinting techniques such as hashing, by varying the sum of the hash so that it does not match the hash fingerprints of any previously received known image spam. Obfuscation and noise removal can describe several techniques for removing artificial noise introduced by spammers. It should be understood that artificial noise can include techniques used by spammers such as banding (where a font included in the image is varied to vary the hash of the image).

[0122] At step 1550, an edge detection algorithm can be run on the normalized image. In some examples, the edge-detected image can be provided to an optical character recognition engine to convert the edge-detected image to text. Edge detection can be used to remove unnecessary detail from the picture, detail that can cause inefficiency when processing the image against other images.

[0123] At step 1555, median filtering can be applied. Median filtering is applied to remove random pixel noise. Such random pixels can cause problems for content analysis of the image. Median filtering can help remove the single-pixel type of noise introduced by spammers. It should be understood that single-pixel noise is introduced by spammers using an image editor to alter one or more pixels in the image, which can make the image appear grainy in some areas, thereby making the image more difficult to detect.

[0124] At step 1560, the image is quantized. Quantization of the image removes unnecessary color information. This color information typically requires more processing and is unrelated to the attempted propagation of the spam. Moreover, spammers could vary the color scheme in an image slightly and again vary the hash, so that the hashes of known image spam do not match the hash derived from the color-varied image spam.

[0125] At step 1565, contrast stretching is performed. Using contrast stretching, the color scale in the image is maximized from black to white, even if the colors vary only through shades of gray. The lightest shade of the image is assigned a white value, while the darkest shade in the image is assigned a black value. All other shades are assigned their relative position in the spectrum, compared with the lightest and darkest shades in the original image. Contrast stretching helps to define details in an image that may not make full use of the available spectrum, and can therefore help to prevent spammers from using different portions of the spectrum to avoid fingerprinting techniques. Spammers sometimes intentionally shift the intensity range of an image to defeat some types of feature identification engines. Contrast stretching can also help to normalize an image so that it can be compared with other images to identify common features contained in the images.

[0126] FIG. 15D is a flowchart illustrating an operational scenario for analyzing the fingerprint of an image to find common fragments among multiple images. The operational scenario begins at step 1570 by defining regions within an image. A winnowing algorithm is then performed on the defined regions to identify the relevant portions of the image on which fingerprints should be taken at step 1575. At step 1580, the operational scenario fingerprints the fragments resulting from the winnowing operation and determines whether there is a match between the fingerprints of the received image and known spam images. A similar winnowing fingerprint approach is described in Patent Application Publication No. 2006/0251068, which is hereby incorporated by reference.
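The following added example (not code from the patent) shows why the normalization steps precede fingerprinting: a copy of a known image with a compressed intensity range and single-pixel noise no longer matches by raw hash or raw fingerprint, but matches exactly after median filtering, contrast stretching and quantization. The images, the parameters `K`, `W` and `LEVELS`, the ordering of the steps, the whole-image region, and the use of Jaccard similarity as the match measure are all assumptions made for the illustration; edge detection is omitted.

```python
import hashlib

# Constructed parameters: k-gram length, winnowing window, grey levels.
K, W, LEVELS = 8, 4, 4


def median_filter(img):
    """3x3 median with clamped borders; removes isolated single-pixel noise."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            hood = sorted(
                img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                for dy in (-1, 0, 1) for dx in (-1, 0, 1))
            row.append(hood[4])  # middle of the 9 sorted neighbours
        out.append(row)
    return out


def contrast_stretch(img):
    """Map the darkest shade to 0 and the lightest to 255, the rest linearly."""
    lo = min(min(r) for r in img)
    hi = max(max(r) for r in img)
    if hi == lo:  # flat image: nothing to stretch
        return [[0] * len(r) for r in img]
    return [[(v - lo) * 255 // (hi - lo) for v in r] for r in img]


def quantize(img, levels=LEVELS):
    """Reduce 256 shades to a few levels so small colour shifts collapse."""
    return [[v * levels // 256 for v in r] for r in img]


def normalize(img):
    return quantize(contrast_stretch(median_filter(img)))


def flatten(img):
    return bytes(v for row in img for v in row)


def winnow(img, k=K, w=W):
    """Winnowing: hash every k-gram, keep the minimum hash of each window."""
    flat = flatten(img)
    hashes = [int.from_bytes(hashlib.sha1(flat[i:i + k]).digest()[:8], "big")
              for i in range(len(flat) - k + 1)]
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def similarity(a, b):
    """Jaccard similarity of the two images' winnowed fingerprint sets."""
    fa, fb = winnow(a), winnow(b)
    union = fa | fb
    return len(fa & fb) / len(union) if union else 0.0


def raw_digest(img):
    return hashlib.sha256(flatten(img)).hexdigest()


def checker(dark, light, size=24, block=6):
    """Constructed stand-in for an image: a two-tone block pattern."""
    return [[dark if ((x // block) + (y // block)) % 2 == 0 else light
             for x in range(size)] for y in range(size)]


# Constructed samples, not real spam images.
KNOWN_SPAM = checker(40, 200)
# Variant: intensity range compressed, then four single pixels altered.
VARIANT = [[60 + v // 2 for v in row] for row in KNOWN_SPAM]
for (x, y), v in {(2, 2): 255, (9, 3): 0, (14, 15): 255, (21, 20): 0}.items():
    VARIANT[y][x] = v
# Unrelated image: four vertical grey bands.
UNRELATED = [[(x // 6) * 85 for x in range(24)] for _ in range(24)]

if __name__ == "__main__":
    print("raw digests equal:   ", raw_digest(KNOWN_SPAM) == raw_digest(VARIANT))
    print("raw similarity:      ", similarity(KNOWN_SPAM, VARIANT))
    print("normalized similarity:",
          similarity(normalize(KNOWN_SPAM), normalize(VARIANT)))
    print("unrelated similarity: ",
          similarity(normalize(KNOWN_SPAM), normalize(UNRELATED)))
```
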

[0127] As used in the description herein and throughout the claims that follow, the meaning of "a," "an," and "the" includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise. Finally, as used in the description herein and throughout the claims that follow, the meanings of "and" and "or" include both the conjunctive and the disjunctive and may be used interchangeably unless the context clearly dictates otherwise.

[0128] Ranges may be expressed herein as from "about" one particular value, and/or to "about" another particular value. When such a range is expressed, another embodiment includes from the one particular value and/or to the other particular value. Similarly, when values are expressed as approximations, by use of the antecedent "about," it will be understood that the particular value forms another embodiment. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint and independently of the other endpoint.

[0129] A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.

Claims (135)

  1. A computer-implemented method operable to assign a reputation to a web-based entity associated with a hypertext transfer protocol communication, the method comprising the steps of: receiving a hypertext transfer protocol communication at an edge protection device; identifying an entity associated with the received hypertext transfer protocol communication; querying a reputation engine for a reputation indicator associated with the entity; receiving the reputation indicator from the reputation engine; and taking an action with respect to the hypertext transfer protocol communication based upon the received reputation indicator associated with the entity.
  2. The method of claim 1, wherein the entity is a web entity comprising a destination uniform resource locator, a domain or an IP address.
  3. The method of claim 1, wherein the reputation of the entity is based upon previous communications received from the entity and upon available public or private network information about the entity, the public or private network information comprising ownership or hosting information.
  4. The method of claim 3, wherein the previous communications comprise one or more of: electronic messages, hypertext transfer protocol communications, instant messages, file transfer protocol communications, simple object access protocol messages, real-time transport protocol packets, short message service communications, multimedia message service communications, or voice over internet protocol communications.
  5. The method of claim 1, wherein the action is to drop the communication and notify an enterprise network user associated with the hypertext transfer protocol communication.
  6. The method of claim 1, wherein the entity is associated with a plurality of different types of network communications, the network communications comprising at least a hypertext transfer protocol type of communication and at least one of an electronic mail communication, a file transfer protocol communication, an instant messaging communication, a gopher communication, a short message service communication or a voice over internet protocol communication.
  7. The method of claim 1, wherein the reputation engine determines the reputation indicator based upon an aggregation of reputable criteria associated with the entity and non-reputable criteria associated with the entity.
  8. The method of claim 7, wherein the reputation indicator is a vector indicating reputation according to a plurality of different criteria.
  9. The method of claim 8, further comprising examining the reputation vector to determine, based upon the reputation vector of the entity, whether a policy associated with an enterprise network protected by the edge protection device permits communication with the entity.
  10. The method of claim 1, wherein the reputation engine is a reputation server operable to provide reputation information to a plurality of edge protection devices.
  11. The method of claim 10, wherein the reputation engine is operable to store a global reputation indicator and to bias the global reputation indicator using a local bias prior to outputting the reputation indicator.
  12. The method of claim 1, wherein the reputation indicator comprises a reputation vector, the reputation vector comprising a multi-dimensional classification of the entity.
  13. The method of claim 12, wherein the multi-dimensional classification comprises a classification of messages in two or more of a pornography category, a news category, a computer category, a security category, a phishing category, a spyware category, a virus category or an attack category.
  14. The method of claim 12, wherein the reputation indicator further comprises a confidence associated with each of the multi-dimensional classifications of the entity.
  15. The method of claim 1, further comprising detecting randomization of a uniform resource locator.
  16. The method of claim 15, wherein randomization of the uniform resource locator is determined by generating a hash of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
  17. The method of claim 15, wherein randomization of the uniform resource locator is determined by fingerprinting multiple portions of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
  18. A web reputation system on an edge protection device, the web reputation system being operable to receive a web communication and to assign a reputation to an entity associated with the communication, the system comprising: a communications interface operable to receive a web communication; a communication analyzer operable to analyze the web communication to determine an entity associated with the web communication; a reputation engine operable to provide a reputation associated with the entity based upon previously collected data associated with the entity; and a decision engine operable to receive a reputation indicator from the reputation engine and to determine whether the web communication is to be communicated to a recipient.
  19. The system of claim 18, wherein the reputation of the entity is based upon previous communications received from the entity, the previous communications comprising one or more of: electronic messages, hypertext transfer protocol communications, instant messages, file transfer protocol communications, simple object access protocol messages, real-time transport protocol packets, short message service communications, or voice over internet protocol communications.
  20. The system of claim 18, wherein the decision engine is operable to notify an enterprise network user associated with the hypertext transfer protocol communication if the communication is not communicated to the recipient.
  21. The system of claim 18, wherein the reputation engine determines the reputation indicator based upon reputable criteria associated with the entity and non-reputable criteria associated with the entity.
  22. The system of claim 21, wherein the reputation indicator is a vector indicating reputation according to a plurality of different criteria.
  23. The system of claim 22, further comprising examining the reputation vector to determine, based upon the reputation vector of the entity, whether a policy associated with an enterprise network protected by the edge protection device permits communication with the entity.
  24. The system of claim 18, wherein the reputation engine is a reputation server operable to provide reputation information to a plurality of edge protection devices, and the reputation engine is operable to store a global reputation indicator and to bias the global reputation indicator using a local bias prior to outputting the reputation indicator.
  25. The system of claim 18, further comprising an interrogation engine operable to perform a plurality of tests on the communication and to determine a profile associated with the web communication.
  26. The system of claim 25, wherein the decision engine is operable to determine whether to forward the web communication based upon the profile associated with the web communication.
  27. The system of claim 26, wherein the reputation engine is operable to use the profile to update reputation information associated with the entity.
  28. The system of claim 18, wherein the reputation comprises a reputation vector, the reputation vector comprising a multi-dimensional classification of the entity.
  29. The system of claim 28, wherein the multi-dimensional classification comprises a classification of messages in two or more of a pornography category, a news category, a computer category, a security category, a phishing category, a spyware category, a virus category or an attack category.
  30. The system of claim 28, wherein the reputation further comprises a confidence associated with each of the multi-dimensional classifications of the entity.
  31. The system of claim 18, further comprising detecting randomization of a uniform resource locator.
  32. The method of claim 31, wherein randomization of the uniform resource locator is determined by generating a hash of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
  33. The method of claim 31, wherein randomization of the uniform resource locator is determined by fingerprinting multiple portions of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
  34. One or more computer-readable media having software program code operable to assign a reputation to a messaging entity associated with a received communication, the software program code comprising: receiving a hypertext transfer protocol communication at an edge protection device; identifying an entity associated with the received hypertext transfer protocol communication; querying a reputation engine for a reputation indicator associated with the entity; receiving the reputation indicator from the reputation engine; and taking an action with respect to the hypertext transfer protocol communication based upon the received reputation indicator associated with the entity.
  35. A reputation system, the system comprising: a centralized reputation engine operable to receive feedback from a plurality of local reputation engines, the plurality of local reputation engines being operable to determine local reputations based upon one or more entities and the respectively associated local reputation engines; an aggregation engine operable to derive a global reputation for a queried entity based upon an aggregation of the plurality of local reputations; and wherein the centralized reputation engine is operable to provide the global reputation of the queried entity to one or more of the local reputation engines in response to receiving a reputation query from said one or more of the local reputation engines.
  36. The system of claim 35, wherein the aggregation engine is operable to store confidence values associated with the respective local reputation engines, the aggregation engine being further operable to aggregate the plurality of local reputations using the confidence value associated with each of the plurality of local reputations through its respective local reputation engine.
  37. The system of claim 36, wherein the local reputation system is a subsystem of the centralized reputation system and performs reputation scoring on a local scale based upon communications received by the local reputation engine, and the centralized reputation engine performs reputation scoring based upon communications received by the centralized reputation engine and reputation information received from the local reputation engines.
  38. The system of claim 36, wherein the local reputations are weighted according to their respective confidence values prior to aggregation of the local reputations.
  39. The system of claim 38, wherein the confidence values are adjusted based upon feedback received from the plurality of local reputation engines.
  40. The system of claim 35, wherein the local reputations and the global reputation are vectors which identify characteristics of the respective entities with which they are associated.
  41. The system of claim 40, wherein the characteristics comprise one or more of: a spamming characteristic, a phishing characteristic, a bulk mailing characteristic, a virus source characteristic, a legitimate communication characteristic, an intrusion characteristic, an attack characteristic, a spyware characteristic, or a geolocation characteristic.
  42. The system of claim 35, wherein the local reputations are based upon an aggregation of reputable criteria and non-reputable criteria.
  43. The system of claim 35, wherein the centralized reputation system is operable to apply a local reputation bias to the global reputation based upon the local reputation engine originating the reputation query.
  44. The system of claim 43, wherein the local reputation bias is based upon input received from the local reputation engine originating the reputation query.
  45. The system of claim 43, wherein the local reputation bias is based upon feedback received from the local reputation engine originating the reputation query.
  46. The system of claim 43, wherein the local reputation bias is operable to enhance a certain criterion for reputation based upon the local reputation bias, while reducing another criterion for reputation.
  47. The system of claim 35, wherein a local reputation engine is operable to apply a local reputation bias to the global reputation prior to applying the global reputation to communications received from the queried entity.
  48. The system of claim 35, wherein, with respect to a protected enterprise network associated with the local reputation engine, the local reputation engine originates the reputation query in response to receiving a communication associated with an external entity.
  49. The system of claim 48, wherein the local reputation engine originates the reputation query in response to a local reputation associated with the external entity being indeterminate.
  50. The system of claim 35, wherein the centralized reputation engine is further operable to aggregate reputations of multiple identities associated with one or more of the plurality of entities.
  51. The system of claim 50, wherein the centralized reputation engine is further operable to correlate attributes associated with different identities in order to identify relationships between the identities, and to assign a portion of the reputation associated with one entity to the reputation of another entity where a relationship is identified between the entities.
  52. A method of producing a global reputation, comprising the steps of: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.
  53. The method of claim 52, further comprising retrieving confidence values associated with the local reputation engines, the retrieving step using the confidence values to derive the global reputation.
  54. The method of claim 53, wherein the deriving step further comprises weighting the global reputation using the respective confidence values of the global reputation, and combining the weighted reputations to produce the global reputation.
  55. The method of claim 54, further comprising adjusting the confidence values based upon feedback from the plurality of local reputation engines.
  56. The method of claim 52, wherein the local reputations and the global reputation are vectors which identify characteristics of the respective entities with which they are associated.
  57. The method of claim 56, wherein the characteristics comprise one or more of: a spamming characteristic, a phishing characteristic, a bulk mailing characteristic, a spyware characteristic, or a legitimate mail characteristic.
  58. The method of claim 52, wherein the local reputations are based upon an aggregation of reputable criteria and non-reputable criteria.
  59. The method of claim 52, further comprising applying a local reputation bias to the aggregation of the local reputations to produce a global reputation vector, the local reputation bias being based upon the requesting local reputation engine.
  60. The method of claim 59, wherein the local reputation bias is based upon input received from the requesting local reputation engine.
  61. The method of claim 59, wherein the local reputation bias is based upon feedback received from the requesting local reputation engine.
  62. The method of claim 59, further comprising enhancing a certain criterion for reputation based upon the local reputation bias, and reducing another criterion for reputation based upon the local reputation bias.
  63. The method of claim 52, wherein, with respect to a protected enterprise network associated with the requesting local reputation engine, the requesting local reputation engine originates the reputation query in response to receiving a communication associated with an external entity.
  64. The method of claim 63, wherein the requesting local reputation engine originates the reputation query in response to a local reputation associated with the external entity being indeterminate.
  65. The method of claim 52, wherein the step of deriving the global reputation is further based upon public information and private information not available to any of the plurality of local reputation engines.
  66. One or more computer-readable media having software program code operable to perform steps that aggregate a plurality of local reputation vectors to produce a global reputation vector, the steps comprising: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.
  67. A reputation system, the system comprising: a communications interface operable to receive global reputation information from a central server, the central server being operable to determine global reputations based upon feedback received from one or more local reputation engines, the global reputations being respectively associated with one or more entities; a reputation engine operable to bias the global reputation received from the central server based upon defined local preferences; and wherein the centralized reputation engine is operable to provide a global reputation of a queried entity to the communications interface in response to receiving a reputation query from the communications interface.
  68. A reputation system, the system comprising: a communications interface operable to receive distributed reputation information from one or more distributed reputation engines, the distributed reputation engines being operable to examine communications and derive reputations associated with one or more entities originating the communications; a reputation module operable to aggregate the distributed reputation information and derive a global reputation based upon the aggregation of the distributed reputation information, the reputation module being further operable to derive local reputation information based upon communications received by the reputation module; and a traffic control module operable to determine handling associated with a communication based upon the global reputation and the local reputation.
  69. A reputation-based network security system, the system comprising: a communications interface operable to receive incoming communications and outgoing communications associated with a network; a communication analyzer operable to derive an external entity associated with a communication; a reputation engine operable to derive a reputation vector associated with the external entity, the reputation vector comprising an aggregation of reputable and non-reputable criteria in a plurality of categories, the plurality of categories comprising different types of communications; and a security engine operable to receive the reputation vector and to send the communication to one or more of a plurality of interrogation engines, wherein the security engine is operable to determine which of the plurality of interrogation engines to send the communication to based upon the reputation vector.
  70. The system of claim 69, wherein the security engine is operable to avoid sending the communication to unwarranted interrogation engines, where the reputation vector does not indicate that the external entity has a reputation for participating in an activity identified by the unwarranted interrogation engine.
  71. The system of claim 69, wherein each of the one or more interrogation engines comprises a plurality of instances of the interrogation engine.
  72. The system of claim 71, wherein, upon selecting an interrogation engine, the security engine is able to select a chosen instance of the interrogation engine, the chosen instance of the interrogation engine being selected based upon the capacity of the chosen instance of the interrogation engine.
  73. The system of claim 69, wherein the security engine is operable to assign a high priority to the communication in interrogation queues associated with the plurality of interrogation engines where the external entity is a reputable entity, and to assign a low priority to the communication in the interrogation queues where the external entity is a non-reputable entity.
  74. The system of claim 73, wherein quality of service is maximized for reputable entities, while quality of service is minimized for non-reputable entities.
  75. The system of claim 69, wherein each of the one or more interrogation engines comprises a plurality of instances of the interrogation engine, the instances of the interrogation engine being operable to reside on an edge protection device or an enterprise client device.
  76. The system of claim 69, wherein the reputation engine is a reputation server operable to provide reputation information to a plurality of edge protection devices or client devices.
  77. A reputation-based network security system, the system comprising: a communications interface operable to receive incoming and outgoing communications associated with a network; a communication analyzer operable to derive an external entity associated with a communication; a reputation engine operable to derive a reputation associated with the external entity, the reputation comprising an aggregation of reputable and non-reputable criteria associated with the external entity; and a security engine operable to assign priority information to a communication, wherein the security engine is operable to receive the reputation and to assign a high priority to the communication where the external entity is a reputable entity and a low priority to the communication where the external entity is a non-reputable entity, whereby the priority information is used by one or more interrogation engines to improve quality of service for reputable entities.
  78. A computer-implemented method operable to efficiently process communications based on a reputation associated with an external entity, the method comprising the steps of: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received communication; deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity; assigning a priority to the communication based on the derived reputation associated with the external entity; performing one or more tests on the communication based on the priority assigned to the communication.
  79. The method of claim 78, further comprising maximizing quality of service for messages that are assigned a high priority.
  80. The method of claim 78, wherein the derived reputation is a reputation vector, the reputation vector conveying the reputation associated with the external entity in a plurality of categories.
  81. The method of claim 80, further comprising bypassing any of the one or more tests if the reputation vector associated with the communication indicates that the external entity is a reputable entity with respect to the criteria tested by the bypassed test.
  82. The method of claim 78, wherein each of the one or more tests comprises a plurality of engines operable to perform the one or more tests.
  83. The method of claim 82, wherein the security engine is operable to distribute the testing of communications evenly across the plurality of engines based on the capacity of the engines, the communications including the received communication.
  84. The method of claim 78, wherein the one or more tests are performed by a plurality of engines operable to perform the tests, the engines being operable to reside on an edge protection device or an enterprise client device.
  85. The method of claim 78, wherein the reputation is retrieved from a reputation server, the reputation server being operable to provide reputation information to a plurality of edge protection devices and client devices.
  86. The method of claim 78, wherein the reputation is retrieved from a local reputation engine.
  87. A computer-implemented method operable to efficiently process communications based on a reputation associated with an external entity, the method comprising: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received hypertext transfer protocol communication; deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity; assigning the communication to one or more interrogation engines selected from a plurality of interrogation engines, the selection of the one or more interrogation engines being based on the derived reputation associated with the external entity and on the capacity of the interrogation engines; and executing the one or more interrogation engines on the communication.
  88. One or more computer-readable media having software program code operable to efficiently process a communication based on the reputation of an external entity associated with the communication, the software program code comprising: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received hypertext transfer protocol communication; deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity; assigning a priority to the communication based on the derived reputation associated with the external entity; performing one or more tests on the communication based on the priority assigned to the communication.
  89. A computer-implemented method operable to process communications based on a reputation associated with an external entity, the method comprising: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received communication; deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity; assigning a processing path to the communication based on the derived reputation associated with the external entity.
  90. A reputation-based connection throttling system for voice over internet protocol telephony communications, the system comprising: a communication interface operable to receive a voice over internet protocol telephony connection request associated with an external entity before a connection is established between the external entity and a protected network associated with the communication interface; a reputation engine operable to derive a reputation associated with the external entity; and a connection control engine operable to deny the voice over internet protocol telephony connection request to the protected network based on the derived reputation of the external entity associated with the voice over internet protocol telephony connection request.
  91. The system of claim 90, wherein the reputation engine derives the reputation of the external entity based on an aggregation of reputable criteria and non-reputable criteria associated with the external entity.
  92. The system of claim 90, wherein the connection control engine prevents non-reputable entities from creating a connection with the protected network.
  93. The system of claim 92, wherein the non-reputable entity is operable to attempt to send a voice over internet protocol telephony communication to the protected network, seeking to create a pretext voice over internet protocol telephony connection with the protected network and to use the pretext voice over internet protocol telephony connection for illegitimate activity.
  94. The system of claim 90, wherein the communication interface is further operable to receive a short message service connection request, and the connection control engine is operable to deny the short message service connection request based on a reputation associated with the short message service entity that originated the short message service connection request.
  95. The system of claim 90, further comprising a message interrogation engine operable to examine the content of communications originating from the external entity to determine whether the external entity is using a voice over internet protocol telephony connection.
  96. The system of claim 90, wherein the reputation engine is a reputation server, the reputation server being operable to receive reputation queries from the connection control engine and to provide the derived reputation to the connection control engine.
  97. The system of claim 96, wherein the reputation server derives the reputation of the external entity by aggregating a plurality of local reputations associated with the external entity, the plurality of local reputations being provided by a plurality of local reputation engines.
  98. The system of claim 90, the connection control engine comprising a policy, the reputation being compared with the policy to determine whether to allow the voice over internet protocol telephony connection request.
  99. The system of claim 98, the policy defining one or more categories of external entities, voice over internet protocol telephony requests to those external entities being allowed.
  100. The system of claim 90, the connection control engine being operable to reduce quality of service for any connection received from a non-reputable external entity and to maximize quality of service for any connection received from a reputable external entity.
  101. The method of claim 90, further comprising: receiving a plurality of simultaneous connection requests; correlating the simultaneous connection requests to determine that the requests comprise an attack; and updating a reputation associated with one or more entities associated with the simultaneous connection requests, so as to cause throttling of the plurality of connection requests.
  102. The method of claim 90, further comprising deriving a reputation associated with the external entity, the reputation indicating the external entity's reputation for participating in denial of service attacks, wherein a reputation for participating in denial of service attacks triggers the connection control engine to throttle the connection immediately, based on input from a telephone handset or on policy.
  103. The method of claim 90, wherein the connection is requested to a device on the protected network, the device comprising a mobile location-aware device.
  104. A reputation-based connection throttling system for short message communications, the system comprising: a communication interface operable to receive a short message service connection request associated with an external entity before a connection is established between the external entity and a protected network associated with the communication interface; a reputation engine operable to derive a reputation associated with the external entity; and a connection control engine operable to deny the short message service connection request to the protected network based on the derived reputation of the external entity associated with the short message service connection request.
  105. The system of claim 104, wherein the reputation engine derives the reputation of the external entity based on an aggregation of reputable criteria and non-reputable criteria associated with the external entity.
  106. The system of claim 105, wherein the connection control engine prevents non-reputable entities from creating a connection with the protected network.
  107. The system of claim 106, wherein the non-reputable entity is operable to attempt to send a short message service communication to the protected network, seeking to create a pretext short message service connection with the protected network and to use the pretext short message service connection for illegitimate activity.
  108. The system of claim 104, further comprising a message interrogation engine operable to examine the content of communications originating from the external entity to determine whether the external entity is using a short message service connection.
  109. The system of claim 104, wherein the reputation engine is a reputation server, the reputation server being operable to receive reputation queries from the connection control engine and to provide the derived reputation to the connection control engine.
  110. The system of claim 109, wherein the reputation server derives the reputation of the external entity by aggregating a plurality of local reputations associated with the external entity, the plurality of local reputations being provided by a plurality of local reputation engines.
  111. The system of claim 104, wherein the connection control engine comprises a policy, the reputation being compared with the policy to determine whether to allow the voice over internet protocol telephony connection request.
  112. The system of claim 111, wherein the policy defines one or more categories of external entities, voice over internet protocol telephony requests to those external entities being allowed.
  113. A method of reputation-based connection throttling, comprising the steps of: receiving a voice over internet protocol telephony connection request, the voice over internet protocol telephony connection request relating to an external entity; querying a reputation engine to derive a reputation associated with the external entity; comparing the reputation with a policy associated with a protected enterprise network; allowing the connection request based on determining that the reputation of the external entity relating to the voice over internet protocol telephony connection request complies with the policy; throttling the connection request based on determining that the reputation of the external entity relating to the voice over internet protocol telephony connection request does not comply with the policy.
  114. A method of reputation-based connection throttling, comprising the steps of: receiving a connection request, the connection request requesting a connection between an external entity and a protected enterprise network; querying a reputation engine to derive a reputation associated with the external entity, the reputation comprising an aggregation of reputable and non-reputable criteria associated with the external entity; comparing the reputation with a policy associated with the protected enterprise network; allowing the connection request based on determining that the reputation of the external entity relating to the voice over internet protocol telephony connection request complies with the policy; throttling the connection request based on determining that the reputation of the external entity relating to the voice over internet protocol telephony connection request does not comply with the policy.
  115. A reputation-based firewall, comprising: a firewall operable to receive data packets destined for a protected network and to determine the processing of the data packets based on a security policy associated with the protected network, the security policy comprising at least one rule based on the reputation of an external entity associated with the data packets; a reputation engine operable to determine the external entity associated with the data packets and to provide a reputation to the firewall based on the determination of the external entity; and wherein the processing step comprises allowing the data packets into the protected network or denying the data packets entry into the protected network.
  116. A system, comprising: a security control interface operable to produce a plurality of security control representations, each of the plurality of security control representations being operable to control a plurality of security settings associated with a protected entity; and a policy control interface operable to produce a plurality of policy control representations, each of the plurality of policy control representations being operable to control a plurality of policy settings associated with the protected entity; a filtering module operable to filter one or more communication streams based on the plurality of security settings and based on the plurality of policy settings.
  117. The system of claim 116, wherein the security control representations comprise a plurality of security slider representations in a plurality of security categories, the security slider representations being operable to control the security settings associated with the protected network.
  118. The system of claim 117, wherein the plurality of security categories comprise two or more of a virus category, a phishing category, a worm category, or a trojan horse category.
  119. The system of claim 118, wherein each of the plurality of security control representations is operable to adjust a threshold sensitivity for an associated one of the security settings.
  120. The system of claim 119, wherein the threshold sensitivity comprises a level of similarity between characteristics of a communication stream and characteristics associated with the security category.
  121. The system of claim 117, wherein the policy control representations comprise a plurality of policy slider representations in a plurality of policy categories, the policy slider representations being operable to control the policy settings associated with the protected network.
  122. The system of claim 121, wherein the plurality of policy categories comprise two or more of a spam category, a content category, a spyware category, or a bulk mail category.
  123. The system of claim 122, wherein each of the plurality of policy control representations is operable to adjust a threshold sensitivity for an associated one of the policy settings.
  124. The system of claim 123, wherein the threshold sensitivity comprises a level of similarity between characteristics of a communication stream and characteristics associated with the policy category.
  125. The system of claim 116, wherein the protected entity is one of a computing device, a communication device, a mobile device, or a network.
  126. The system of claim 116, wherein the security control interface and the policy control interface are controlled by an administrator.
  127. The system of claim 41, wherein the security control interface and the policy control interface are controlled by an end user.
  128. The system of claim 127, wherein the security control interface comprises a plurality of ranges associated with the plurality of security control representations, the security control settings being operable to be adjusted within the ranges.
  129. A computer-implemented method, comprising: receiving a plurality of ranges from an administrator; providing a security control interface to a user, the security control interface comprising a plurality of security control representations associated with security controls, each security control mechanism comprising an associated range from among the plurality of ranges, the associated range defining a minimum setting and a maximum setting associated with the respective security control; receiving a plurality of security control settings from the user through the security control interface; adjusting a plurality of thresholds related to the plurality of control settings received from the user, the plurality of thresholds being associated with tolerance for categories of potential security violations; and filtering communication streams from a protected entity associated with the user based on the plurality of thresholds.
  130. The system of claim 129, wherein the security control representations comprise a plurality of security slider representations in a plurality of security categories, the security slider representations being operable to control the security settings associated with the protected network.
  131. The system of claim 130, wherein the plurality of security categories comprise two or more of a virus category, a phishing category, a worm category, a trojan horse category, a spam category, a content category, a spyware category, or a bulk mail category.
  132. The system of claim 131, wherein each of the plurality of security control representations is operable to adjust a threshold sensitivity for an associated one of the security settings.
  133. The system of claim 132, wherein the threshold sensitivity comprises a level of similarity between characteristics of a communication stream and characteristics associated with the security category.
  134. The system of claim 129, wherein the protected entity is one of a computing device, a communication device, a mobile device, or a network.
  135. One or more computer-readable media having software program code operable to implement adjustment of the filtering of incoming and outgoing communication streams, the software program code comprising: receiving a plurality of ranges from an administrator; providing a security control interface to a user, the security control interface comprising a plurality of security control representations associated with a plurality of security control settings, each security control mechanism comprising an associated range from among the plurality of ranges, the associated range defining a minimum setting and a maximum setting associated with the respective security control; receiving input from the user through the security control interface, the input requesting adjustment of the plurality of security control settings; adjusting a plurality of thresholds related to the plurality of control settings received from the user, the plurality of thresholds being associated with tolerance for categories of potential security violations; and filtering communication streams from a protected entity associated with the user based on the plurality of thresholds.
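
The dispatch behaviour recited in claims 69 to 73 and 81 (engine selection from a reputation vector, per-category bypass, instance choice by capacity, and queue priority) can be sketched as follows. This is an added example, not code from the patent or its applicant; the category names, the 0.0 to 1.0 score scale, both cut-off values, the neutral default for unknown entities and all instance and host names are assumptions.

```python
import heapq
from dataclasses import dataclass
from itertools import count

# Assumed for this sketch: three categories and a 0.0 (reputable) to
# 1.0 (non-reputable) score per category. The claims fix neither.
CATEGORIES = ("spam", "virus", "phishing")
REPUTABLE_BELOW = 0.2        # below this, the category's test is bypassed
NON_REPUTABLE_FROM = 0.7     # at or above this, the entity is low priority
HIGH, NORMAL, LOW = 0, 1, 2  # smaller number is served first


@dataclass
class EngineInstance:
    name: str
    category: str
    capacity: int   # communications the instance can work on at once
    load: int = 0

    @property
    def headroom(self):
        return self.capacity - self.load


class SecurityEngine:
    def __init__(self, instances, reputations):
        self.instances = list(instances)
        self.reputations = reputations   # entity -> {category: score}
        self.queue = []                  # heap of (priority, seq, comm_id)
        self._seq = count()              # keeps FIFO order within a priority

    def reputation_vector(self, entity):
        # An unknown entity gets a neutral score in every category, so it
        # is neither bypassed nor penalised (an assumption of this sketch).
        known = self.reputations.get(entity, {})
        return {c: known.get(c, 0.5) for c in CATEGORIES}

    def priority(self, vector):
        worst = max(vector.values())
        if worst >= NON_REPUTABLE_FROM:
            return LOW
        return HIGH if worst < REPUTABLE_BELOW else NORMAL

    def select_instances(self, vector):
        chosen = []
        for category in CATEGORIES:
            if vector[category] < REPUTABLE_BELOW:
                continue  # reputable for this category: bypass its engine
            pool = [i for i in self.instances if i.category == category]
            if not pool:
                raise LookupError(f"no interrogation engine for {category}")
            # Pick by spare capacity. A saturated pool still receives the
            # communication (it waits); it is never silently bypassed.
            chosen.append(max(pool, key=lambda i: i.headroom))
        return chosen

    def submit(self, comm_id, entity):
        vector = self.reputation_vector(entity)
        chosen = self.select_instances(vector)
        for instance in chosen:
            instance.load += 1
        entry = (self.priority(vector), next(self._seq), comm_id)
        heapq.heappush(self.queue, entry)
        return tuple(i.name for i in chosen)

    def drain(self):
        # Communications leave the interrogation queue in priority order.
        order = []
        while self.queue:
            order.append(heapq.heappop(self.queue)[2])
        return order


def build_demo():
    # Constructed sample data; names and scores are illustrative only.
    instances = [
        EngineInstance("spam-a", "spam", capacity=2),
        EngineInstance("spam-b", "spam", capacity=5),
        EngineInstance("virus-a", "virus", capacity=3),
        EngineInstance("phish-a", "phishing", capacity=1),
    ]
    reputations = {
        "203.0.113.9": {"spam": 0.9, "virus": 0.1, "phishing": 0.8},
        "mail.partner.example": {"spam": 0.05, "virus": 0.02, "phishing": 0.1},
    }
    return SecurityEngine(instances, reputations)
```

An entity that is reputable in every category is queued with no engines at all, so the reputation data feeding the vector becomes the control that decides whether inspection happens.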
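
The administrator-bounded controls of claims 119, 120 and 129 (a range per control, user settings accepted only within that range, thresholds derived from the settings, filtering on a similarity level) can be sketched as follows. This is an added example, not code from the patent; the 0 to 100 slider scale, the rule that the threshold equals 100 minus the slider position, and the sample messages are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminRange:
    minimum: int   # lowest slider position the user may select (0-100)
    maximum: int   # highest slider position the user may select

    def __post_init__(self):
        if not 0 <= self.minimum <= self.maximum <= 100:
            raise ValueError("need 0 <= minimum <= maximum <= 100")

    def clamp(self, value):
        return max(self.minimum, min(self.maximum, value))


class FilterControls:
    def __init__(self, admin_ranges):
        self.ranges = dict(admin_ranges)
        # Assumption: every slider starts at the administrator's minimum.
        self.sliders = {c: r.minimum for c, r in self.ranges.items()}

    def apply_user_settings(self, requested):
        # Validate the whole request before changing anything, so a bad
        # entry cannot leave the controls half updated.
        for category, value in requested.items():
            if category not in self.ranges:
                raise KeyError(f"no such control: {category}")
            if isinstance(value, bool) or not isinstance(value, int):
                raise TypeError(f"{category}: slider value must be an int")
        for category, value in requested.items():
            # Enforced where the filter runs, not in the interface: the
            # user cannot move a control outside the administrator's range.
            self.sliders[category] = self.ranges[category].clamp(value)
        return dict(self.sliders)

    def threshold(self, category):
        # Assumed mapping: a higher slider is more sensitive, so a lower
        # similarity level (0-100) is enough to trip the category.
        return 100 - self.sliders[category]

    def tripped(self, similarity):
        # similarity: {category: 0-100 similarity to that category}
        return sorted(
            c for c, s in similarity.items()
            if c in self.sliders and s >= self.threshold(c)
        )

    def filter_stream(self, stream):
        passed, blocked = [], {}
        for comm_id, similarity in stream:
            hits = self.tripped(similarity)
            if hits:
                blocked[comm_id] = hits
            else:
                passed.append(comm_id)
        return passed, blocked


def build_controls():
    # Constructed administrator ranges for three of the claimed categories.
    return FilterControls({
        "virus": AdminRange(60, 100),
        "phishing": AdminRange(40, 90),
        "spam": AdminRange(0, 100),
    })


# Constructed sample stream: (id, similarity level per category).
SAMPLE_STREAM = [
    ("m1", {"virus": 45, "spam": 10}),
    ("m2", {"spam": 65, "phishing": 5}),
    ("m3", {"phishing": 12, "spam": 80}),
]
```

With the user asking for a virus slider of 0, the clamp to 60 is what causes `m1` to be blocked; without it the virus threshold would sit at 100.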
CN200880009672A 2002-03-08 2008-01-24 Web reputation scoring CN101730892A (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
US11/626,470 US8561167B2 (en) 2002-03-08 2007-01-24 Web reputation scoring
US11/626,644 2007-01-24
US11/626,644 US8179798B2 (en) 2007-01-24 2007-01-24 Reputation based connection throttling
US11/626,479 US7937480B2 (en) 2005-06-02 2007-01-24 Aggregation of reputation data
US11/626,620 2007-01-24
US11/626,620 US7779156B2 (en) 2007-01-24 2007-01-24 Reputation based load balancing
US11/626,470 2007-01-24
US11/626,479 2007-01-24
PCT/US2008/051865 WO2008091980A1 (en) 2007-01-24 2008-01-24 Web reputation scoring

Publications (1)

Publication Number Publication Date
CN101730892A true CN101730892A (en) 2010-06-09

Family

ID=39644880

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200880009672A CN101730892A (en) 2002-03-08 2008-01-24 Web reputation scoring

Country Status (4)

Country Link
EP (1) EP2115642A4 (en)
CN (1) CN101730892A (en)
AU (1) AU2008207924B2 (en)
WO (1) WO2008091980A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685200A (en) * 2011-02-17 2012-09-19 微软公司 Managing unwanted communications using template generation and fingerprint comparison features
US8549611B2 (en) 2002-03-08 2013-10-01 Mcafee, Inc. Systems and methods for classification of messaging entities
US8561167B2 (en) 2002-03-08 2013-10-15 Mcafee, Inc. Web reputation scoring
US8578480B2 (en) 2002-03-08 2013-11-05 Mcafee, Inc. Systems and methods for identifying potentially malicious messages
US8589503B2 (en) 2008-04-04 2013-11-19 Mcafee, Inc. Prioritizing network traffic
US8621638B2 (en) 2010-05-14 2013-12-31 Mcafee, Inc. Systems and methods for classification of messaging entities
US8621559B2 (en) 2007-11-06 2013-12-31 Mcafee, Inc. Adjusting filter or classification control settings
US8635690B2 (en) 2004-11-05 2014-01-21 Mcafee, Inc. Reputation based message processing
CN103559413A (en) * 2013-11-15 2014-02-05 北京搜房科技发展有限公司 Data processing method and device
US8763114B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Detecting image spam
US8762537B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Multi-dimensional reputation scoring
CN106716508A (en) * 2014-09-26 2017-05-24 迈克菲股份有限公司 Context-aware reputation of a place

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004061703A1 (en) * 2002-12-23 2004-07-22 Microsoft Corporation Reputation system for web services
US20060015942A1 (en) * 2002-03-08 2006-01-19 Ciphertrust, Inc. Systems and methods for classification of messaging entities
US20060095404A1 (en) * 2004-10-29 2006-05-04 The Go Daddy Group, Inc Presenting search engine results based on domain name related reputation

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040177120A1 (en) * 2003-03-07 2004-09-09 Kirsch Steven T. Method for filtering e-mail messages
US20060155553A1 (en) * 2004-12-30 2006-07-13 Brohman Carole G Risk management methods and systems
EP1856639A2 (en) * 2005-03-02 2007-11-21 Markmonitor, Inc. Distribution of trust data
US7822620B2 (en) * 2005-05-03 2010-10-26 Mcafee, Inc. Determining website reputations using automatic testing
US20060277259A1 (en) * 2005-06-07 2006-12-07 Microsoft Corporation Distributed sender reputations

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060015942A1 (en) * 2002-03-08 2006-01-19 Ciphertrust, Inc. Systems and methods for classification of messaging entities
WO2004061703A1 (en) * 2002-12-23 2004-07-22 Microsoft Corporation Reputation system for web services
US20060095404A1 (en) * 2004-10-29 2006-05-04 The Go Daddy Group, Inc Presenting search engine results based on domain name related reputation

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8549611B2 (en) 2002-03-08 2013-10-01 Mcafee, Inc. Systems and methods for classification of messaging entities
US8561167B2 (en) 2002-03-08 2013-10-15 Mcafee, Inc. Web reputation scoring
US8578480B2 (en) 2002-03-08 2013-11-05 Mcafee, Inc. Systems and methods for identifying potentially malicious messages
US8635690B2 (en) 2004-11-05 2014-01-21 Mcafee, Inc. Reputation based message processing
US9009321B2 (en) 2007-01-24 2015-04-14 Mcafee, Inc. Multi-dimensional reputation scoring
US8762537B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Multi-dimensional reputation scoring
US8763114B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Detecting image spam
US9544272B2 (en) 2007-01-24 2017-01-10 Intel Corporation Detecting image spam
US10050917B2 (en) 2007-01-24 2018-08-14 Mcafee, Llc Multi-dimensional reputation scoring
US8621559B2 (en) 2007-11-06 2013-12-31 Mcafee, Inc. Adjusting filter or classification control settings
US8606910B2 (en) 2008-04-04 2013-12-10 Mcafee, Inc. Prioritizing network traffic
US8589503B2 (en) 2008-04-04 2013-11-19 Mcafee, Inc. Prioritizing network traffic
US8621638B2 (en) 2010-05-14 2013-12-31 Mcafee, Inc. Systems and methods for classification of messaging entities
CN102685200A (en) * 2011-02-17 2012-09-19 微软公司 Managing unwanted communications using template generation and fingerprint comparison features
CN103559413A (en) * 2013-11-15 2014-02-05 北京搜房科技发展有限公司 Data processing method and device
CN103559413B (en) * 2013-11-15 2016-11-02 北京搜房科技发展有限公司 A data processing method and apparatus
CN106716508A (en) * 2014-09-26 2017-05-24 迈克菲股份有限公司 Context-aware reputation of a place
CN106716508B (en) * 2014-09-26 2019-07-09 迈克菲有限公司 The context aware reputation in place

Also Published As

Publication number Publication date
EP2115642A4 (en) 2014-02-26
EP2115642A1 (en) 2009-11-11
WO2008091980A1 (en) 2008-07-31
AU2008207924B2 (en) 2012-09-27
AU2008207924A1 (en) 2008-07-31

Similar Documents

Publication Publication Date Title
US7761583B2 (en) Domain name ownership validation
CN101674307B (en) Hierarchical application of security services with a computer network
US8037144B2 (en) Electronic message source reputation information system
US7954155B2 (en) Identifying unwanted electronic messages
US9756079B2 (en) System and method for providing network and computer firewall protection with dynamic address isolation to a device
US8935348B2 (en) Message classification using legitimate contact points
US8935785B2 (en) IP prioritization and scoring system for DDoS detection and mitigation
US9003526B2 (en) Detecting malicious behaviour on a network
US8555388B1 (en) Heuristic botnet detection
US8286239B1 (en) Identifying and managing web risks
US9762543B2 (en) Using DNS communications to filter domain names
US20070199060A1 (en) System and method for providing network security to mobile devices
US20150089229A1 (en) Rapid identification of message authentication
US7007302B1 (en) Efficient management and blocking of malicious code and hacking attempts in a network environment
JP4688420B2 (en) System and method for enhancing the electronic security
US20100235915A1 (en) Using host symptoms, host roles, and/or host reputation for detection of host infection
US6981280B2 (en) Intelligent network scanning system and method
US20050015626A1 (en) System and method for identifying and filtering junk e-mail messages or spam based on URL content
US7823202B1 (en) Method for detecting internet border gateway protocol prefix hijacking attacks
US20080313738A1 (en) Multi-Stage Deep Packet Inspection for Lightweight Devices
US9098459B2 (en) Activity filtering based on trust ratings of network
KR100871581B1 (en) E-mail management services
US8832833B2 (en) Integrated data traffic monitoring system
CN102859934B (en) Network access management and security protection systems and methods can access computer services
US8307431B2 (en) Method and apparatus for identifying phishing websites in network traffic using generated regular expressions

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication