CN101730892A - Web reputation scoring - Google Patents


Publication number
CN101730892A
CN101730892A CN200880009672A CN200880009672A CN101730892A CN 101730892 A CN101730892 A CN 101730892A CN 200880009672 A CN200880009672 A CN 200880009672A CN 200880009672 A CN200880009672 A CN 200880009672A CN 101730892 A CN101730892 A CN 101730892A
Authority
CN
China
Prior art keywords
reputation
entity
engine
communication
local
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200880009672A
Other languages
Chinese (zh)
Inventor
D·阿尔佩罗维奇
T·富特-伦诺瓦
P·格里夫
A·M·埃尔南德斯
P·朱格
S·克拉泽
T·朗格
P·A·施内克
M·施特赫尔
Y·唐
A·J·N·特里维迪
L·L·维利斯
W·杨
J·A·齐齐亚斯基
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mai Kefei Co
Original Assignee
Mai Kefei Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/626,479 external-priority patent/US7937480B2/en
Priority claimed from US11/626,470 external-priority patent/US8561167B2/en
Priority claimed from US11/626,620 external-priority patent/US7779156B2/en
Priority claimed from US11/626,644 external-priority patent/US8179798B2/en
Application filed by Mai Kefei Co filed Critical Mai Kefei Co
Publication of CN101730892A publication Critical patent/CN101730892A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS

Abstract

Methods and systems, operating on one or more data processors, for assigning a reputation to network-based entities according to previously collected data.

Description

Web reputation scoring
Technical field
This document relates generally to systems and methods for processing communications, and more particularly to systems and methods for classifying entities associated with communications.
Background
In the anti-spam industry, spammers use various creative means to evade detection by spam filters. The entity from which a communication originated can therefore provide another indication of whether a given communication should be allowed into an enterprise network environment.
However, current tools for analyzing message senders include Internet protocol (IP) blacklists (sometimes called real-time blacklists (RBLs)) and IP whitelists (real-time whitelists (RWLs)). Whitelists and blacklists certainly add value to the spam classification process; however, they are inherently limited to providing a binary (YES/NO) response to each query. Moreover, blacklists and whitelists treat entities independently and ignore the evidence provided by the various attributes associated with an entity.
Summary
Systems and methods for web reputation scoring are provided. A system for assigning a reputation to network-based entities can include a communications interface, a communication analyzer, a reputation engine and a decision engine. The communications interface can receive network communications, and the communication analyzer can analyze a network communication to determine the entity associated with it. The reputation engine can provide a reputation associated with the entity based on previously collected data associated with the entity, and the decision engine can determine whether the network communication is passed to the recipient based on the reputation.
A method for assigning a reputation to network-based entities can include: receiving a Hypertext Markup Language (HTML) communication at an edge protection device; identifying an entity associated with the received HTML communication; querying a reputation engine for a reputation indicator associated with the entity; receiving the reputation indicator from the reputation engine; and taking an action with respect to the HTML communication based on the received reputation indicator associated with the entity.
An example of a computer-readable medium, operable on a processor to aggregate local reputation data and produce a global reputation vector, can perform the following steps: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.
Other example systems can include a communications interface and a reputation engine. The communications interface can receive global reputation information from a central server, the global reputation being associated with an entity. The reputation engine can bias the global reputation received from the central server according to defined local preferences.
Another example system can include a communications interface, a reputation module and a traffic control module. The communications interface can receive distributed reputation information from distributed reputation engines. The reputation module can aggregate the distributed reputation information and derive a global reputation from that aggregation, and can also derive local reputation information from the communications the reputation module receives. The traffic control module can determine the handling associated with a communication based on the global reputation and the local reputation.
Systems and methods for aggregating reputation information are provided. A system for aggregating reputation information can include a centralized reputation engine and an aggregation engine. The centralized reputation engine can receive feedback from a plurality of local reputation engines. The aggregation engine can derive a global reputation for a queried entity based on an aggregation of the plurality of local reputations. The centralized reputation engine can further provide the global reputation of the queried entity to a local reputation engine in response to receiving a reputation query from that local reputation engine.
A method of aggregating reputation information can include: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.
An example of a computer-readable medium, operable on a processor to aggregate local reputation data and produce a global reputation vector, can perform the following steps: receiving a reputation query from a requesting local reputation engine; retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines; aggregating the plurality of local reputations; deriving a global reputation from the aggregation of the local reputations; and responding to the reputation query with the global reputation.
Other example reputation aggregation systems can include a communications interface and a reputation engine. The communications interface can receive global reputation information from a central server, the global reputation being associated with an entity. The reputation engine can bias the global reputation received from the central server according to defined local preferences.
A further example system can include a communications interface, a reputation module and a traffic control module. The communications interface can receive distributed reputation information from distributed reputation engines. The reputation module can aggregate the distributed reputation information and derive a global reputation from that aggregation, and can also derive local reputation information from the communications the reputation module receives. The traffic control module can determine the handling associated with a communication based on the global reputation and the local reputation.
Systems and methods for a reputation-based network security system are provided. A reputation-based network security system can include a communications interface, a communication analyzer, a reputation engine and a security engine. The communications interface can receive incoming and outgoing communications associated with a network. The communication analyzer can derive the external entity associated with a communication. The reputation engine can derive a reputation vector associated with the external entity. The security engine can receive the reputation vector and send the communication to interrogation engines, the security engine determining from the reputation vector which of the interrogation engines interrogate the communication.
Other reputation-based network security systems can include a communications interface, a communication analyzer, a reputation engine and a security engine. The communications interface can receive incoming and outgoing communications associated with a network. The communication analyzer can derive the external entity associated with a communication. The reputation engine can derive a reputation associated with the external entity. The security engine assigns priority information to the communication: it can assign a high priority to the communication where the external entity is a reputable entity and a low priority where the external entity is a disreputable entity, so that the priority information is used by one or more interrogation engines to improve the quality of service for reputable entities.
A method for efficiently processing communications based on the reputation of security threats can include: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received communication; deriving a reputation associated with the external entity based on reputable and disreputable criteria associated with the external entity; assigning a priority to the communication based on the derived reputation associated with the external entity; and performing one or more tests on the communication according to the priority assigned to the communication.
A method for efficiently processing communications based on reputation can include: receiving a communication associated with an external entity based on origination or destination information associated with the communication; identifying the external entity associated with the received Hypertext Markup Language (HTML) communication; deriving a reputation associated with the external entity based on reputable and disreputable criteria associated with the external entity; assigning the communication to one or more interrogation engines selected from a plurality of interrogation engines, the selection being based on the derived reputation associated with the external entity and on the capability of the interrogation engines; and executing the one or more interrogation engines on the communication.
Systems and methods for reputation-based connection throttling are provided. A system for reputation-based connection throttling can include a communications interface, a reputation engine and a connection control engine. The communications interface can receive a connection request associated with an external entity before a connection to the external entity is established. The reputation engine can derive a reputation associated with the external entity. The connection control engine can deny the connection request to the protected network based on the derived reputation of the external entity.
A method of throttling connection requests based on reputation can include: receiving a connection request, the connection request being associated with an external entity; querying a reputation engine for a reputation associated with the external entity; comparing the reputation with a policy associated with the protected enterprise network; allowing the connection request upon determining that the reputation of the external entity associated with the connection request complies with the policy; and throttling the connection request upon determining that the reputation of the external entity associated with the voice over Internet protocol connection request does not comply with the policy.
Brief description of the drawings
Fig. 1 is a block diagram depicting an example network in which the systems and methods of this disclosure can operate.
Fig. 2 is a block diagram depicting an example network architecture of this disclosure.
Fig. 3 is a block diagram depicting an example of communications and entities, including the identifiers and attributes used to detect relationships between entities.
Fig. 4 is a flow diagram depicting an operational scenario used to detect relationships and assign risk to entities.
Fig. 5 is a block diagram illustrating an example network architecture, including local reputations stored by local security agents and a global reputation stored by one or more servers.
Fig. 6 is a block diagram illustrating a determination of a global reputation based on local reputation feedback.
Fig. 7 is a flow diagram illustrating an example resolution between a global reputation and a local reputation.
Fig. 8 is an example graphical user interface for adjusting the settings of a filter associated with a reputation server.
Fig. 9 is a block diagram illustrating reputation-based connection throttling for voice over Internet protocol (VoIP) or short message service (SMS) communications.
Fig. 10 is a block diagram illustrating a reputation-based load balancer.
Fig. 11A is a flow diagram illustrating an example operational scenario for geolocation-based authentication.
Fig. 11B is a flow diagram illustrating another example operational scenario for geolocation-based authentication.
Fig. 11C is a flow diagram illustrating another example operational scenario for geolocation-based authentication.
Fig. 12 is a flow diagram illustrating an example operational scenario for reputation-based dynamic quarantine.
Fig. 13 is an example graphical user interface display of an image spam communication.
Fig. 14 is a flow diagram illustrating an example operational scenario for detecting image spam.
Fig. 15A is a flow diagram illustrating an operational scenario for analyzing the structure of a communication.
Fig. 15B is a flow diagram illustrating an operational scenario for analyzing the features of an image.
Fig. 15C is a flow diagram illustrating an operational scenario for normalizing an image for spam processing.
Fig. 15D is a flow diagram illustrating an operational scenario for analyzing the fingerprint of an image to find common fragments among multiple images.
Detailed description
Fig. 1 is a block diagram depicting an example network environment in which the systems and methods of this disclosure can operate. A security agent 100 can typically reside between a firewall system (not shown) and servers (not shown) inside a network 110 (e.g., an enterprise network). As should be understood, the network 110 can include many servers, including, for example, e-mail servers, web servers and various application servers that may be used by the enterprise associated with the network 110.
The security agent 100 monitors communications entering and leaving the network 110. These communications are typically received over the Internet 120 from many entities 130a-f that are connected to the Internet 120. One or more of the entities 130a-f can be legitimate originators of communications traffic. However, one or more of the entities 130a-f can also be disreputable entities originating unwanted communications. The security agent 100 therefore includes a reputation engine. The reputation engine can inspect a communication and determine a reputation associated with the entity that originated it. The security agent 100 then performs an action on the communication based on the reputation of the originating entity. If the reputation indicates that the originator of the communication is reputable, the security agent can, for example, forward the communication to its recipient. If, however, the reputation indicates that the originator is disreputable, the security agent can, among other things, quarantine the communication, perform more tests on the message, or require authentication from the message originator. Reputation engines are described in detail in U.S. Patent Publication number 2006/0015942, which is hereby incorporated by reference.
Fig. 2 is a block diagram depicting an example network architecture of this disclosure. Security agents 100a-n are shown logically residing between networks 110a-n, respectively, and the Internet 120. Although not shown in Fig. 2, it should be understood that a firewall can be installed between the security agents 100a-n and the Internet 120 to provide protection against unauthorized communications entering the respective networks 110a-n. Moreover, intrusion detection systems (IDS) (not shown) can be deployed in conjunction with the firewall systems to identify suspicious patterns of activity and to signal an alarm when such activity is identified.
Although such systems provide some protection for a network, they typically do not address application-level security threats. For example, hackers often attempt to use various network-type applications (e.g., e-mail, web, instant messaging (IM), etc.) to create a pre-textual connection with the networks 110a-n in order to exploit security holes created by these various applications using entities 130a-e. However, not all entities 130a-e imply threats to the network 100a-n. Some entities 130a-e originate legitimate traffic, allowing the employees and business partners of a company to communicate more efficiently. While examining communications for potential threats is useful, it can be difficult to keep threat information current, because attacks are continually refined to account for the latest filtering techniques. The security agents 100a-n can therefore run multiple tests on a communication to determine whether the communication is legitimate.
Furthermore, sender information included in a communication can be used to help determine whether the communication is legitimate. Sophisticated security agents 100a-n can therefore track entities and analyze the characteristics of the entities to help determine whether to allow a communication to enter a network 110a-n. The entities 110a-n can then be assigned a reputation. Decisions on a communication can take into account the reputation of the entity 130a-e that originated it. Moreover, one or more central systems 200 can collect information about the entities 130a-e and distribute the collected data to other central systems 200 and/or to the security agents 100a-n.
Reputation engines can help to identify a large volume of malicious communications without extensive and potentially costly local analysis of the content of the communication. Reputation engines can also help to identify legitimate communications and prioritize their delivery, reducing the risk of misclassifying a legitimate communication. Moreover, reputation engines can provide a dynamic and predictive approach to the problem of identifying malicious and legitimate transactions in the physical or virtual world. Examples include the process of filtering malicious communications in e-mail, instant messaging, VoIP, SMS or other communication protocol systems using analysis of the reputation of senders and of content. A security agent 100a-n can then apply a global or local policy to determine what action to take on the communication given the reputation result (for example deny, quarantine, load balance, deliver with an assigned priority, or analyze locally with additional scrutiny).
However, the entities 130a-e can connect to the Internet in a variety of ways. As should be understood, an entity 130a-e can have multiple identifiers (e.g., e-mail addresses, IP addresses, identifier files, etc.) at the same time or over a period of time. For example, a mail server with changing IP addresses can have multiple identities over time. Moreover, one identifier can be associated with multiple entities, for example when an IP address is shared by an organization that supports many users. In addition, the specific method used to connect to the Internet can obscure the identification of an entity 130a-e. For example, an entity 130b can connect to the Internet through an Internet service provider (ISP) 200. Many ISPs 200 use the dynamic host configuration protocol (DHCP) to assign IP addresses dynamically to entities 130b requesting a connection. Entities 130a-e can also disguise their identities by spoofing a legitimate entity. Collecting data about the characteristics of each entity 130a-e can therefore help to categorize the entities 130a-e and to determine how to handle a communication.
The ease of creating and spoofing identities, in both the virtual and the physical world, can create an incentive for users to act maliciously without bearing the consequences of their actions. For example, the IP address of a legitimate entity stolen by a criminal on the Internet (or a stolen passport in the physical world) can make it relatively easy for that criminal to take part in malicious activity by assuming the stolen identity. However, by assigning a reputation to physical and virtual entities and recognizing the multiple identities they may use, reputation systems can influence reputable and disreputable entities to operate responsibly, for fear of becoming disreputable and being unable to correspond or interact with other network entities.
Fig. 3 is a structural drawing of describing the example of communication and entity, and it comprises identifier and the attribute that is used to the relation between the entity that detects.Security Agent 100a-b can collect data by the communication that inspection is sent to network of relation.Security Agent 100a-b also can collect data by the communication of network of relation branch journey transmission by checking.The inspection of communication and analysis can allow Security Agent 100a-b to collect about sending and receive the information of the entity 300a-c of message, comprising transmission mode, quantity (volume) or entity whether have send some type message (for example, legitimate messages, spam, virus, group mail, or the like) tendency.
As shown in Figure 3, each entity 300a-c is associated with one or more identifier 310a-c respectively.Identifier 310a-c can for example comprise IP address, uniform resource locator (URL), telephone number, IM user name, message content, territory, maybe can describe any other identifier of entity.And identifier 310a-c is associated with one or more attribute 320a-c.As should be understood, attribute 320a-c meets described unique identifier 310a-c.For example, the message content identifier can comprise attribute, for example Malware (malware), quantity, content type, running status, or the like.Similarly, with identifier for example IP address associated attributes 320a-c can comprise one or more IP address that is associated with entity 300a-c.
In addition, should be understood that some identifiers and the attribute that can generally comprise the entity of initiating communication from these data that communication 330a-c (for example, Email) collects.Therefore, communication 330a-c is provided for the information about entity is delivered to the transmission of Security Agent 100a, 100b.Be included in the heading message in the message, the content of analysis message by inspection, and by (for example converging the former information of collecting of Security Agent 100a, 100b, total is from the quantity of the communication of entity reception), Security Agent 100a, 100b can detect these attributes.
Can converge and be used to data from a plurality of Security Agent 100a, 100b.For example, data can be converged and be utilized by center system, and center system receives identifier and the attribute that is associated with all entity 300a-c, and Security Agent 100a, 100b have received communication for entity 300a-c.Alternatively, transmit each other about the identifier of entity 300a-c and Security Agent 100a, the 100b of attribute information and can be used as distributed system and operate.Utilize the process of data can make the attribute of entity 300a-c associated with each other, thereby determine the relation (for example, incident occurs, quantity, and/or other determines the association between the factor) between the entity 300a-c.
These relations can be then used in according to all identifiers that are associated as of the attribute relevant with each identifier and set up multi-dimensional reputation " vector ".For example, send message 330a if having the entity 300a of reputation difference of the known reputation of reputation difference with first group of attribute 350a, and then unknown entity 300b sends the message 330b with second group of attribute 350b, then Security Agent 100a can determine first group of attribute 350a all or part of whether mate all or part of of second group of attribute 350b.When certain part of first group of attribute 350a is mated certain part of second group of attribute 350b, can come opening relationships according to unique identifier 320a, the 320b of the attribute 330a, the 33b that comprise coupling.Unique identifier 340a, the 340b that is found attribute with coupling can be used for determining with entity 300a, 300b between the intensity that is associated of relation.The intensity of relation can help to determine in the character of reputation difference of entity 300a of reputation difference the reputation that how much is attributed to unknown entity 300b is arranged.
Yet, it will also be appreciated that unknown entity 300b can initiate to comprise the communication 330c of attribute 350c, attribute 350c mates with some attribute 350d of the 330d that communicates by letter that rises in known reputable entity 300c.Unique identifier 340c, the 340d that is found attribute with coupling can be used for determining with entity 300b, 300c between the intensity that is associated of relation.The intensity of relation can help to determine in the reputable character of reputable entity 300c the reputation that how much is attributed to unknown entity 300b is arranged.
A distributed reputation engine also allows real-time collaborative sharing of global intelligence about the latest threat landscape. This gives the local analysis performed by a filtering or risk analysis system the benefit of instant protection, and can identify the malicious sources of a possible new threat even before that threat occurs. Using sensors positioned at many different geographic locations, information about new threats can be shared quickly with the central system 200 or with the distributed security agents 100a, 100b. As should be understood, such distributed sensors can include the local security agents 100a, 100b, as well as local reputation clients, traffic monitors, or any other device suitable for collecting communication data (for example, switches, routers, servers, and so on).
For example, the security agents 100a, 100b can communicate with the central system 200 to share threat and reputation information. Alternatively, the security agents 100a, 100b can pass threat and reputation information to each other to provide up-to-date and accurate threat information. In the example of Fig. 3, the first security agent 300a has information about the relationship between the unknown entity 300b and the non-reputable entity 300a, while the second security agent 300b has information about the relationship between the unknown entity 300b and the reputable entity 300c. Without sharing the information, the first security agent 300a may take a particular action on the communication based on the relationship it detected. However, knowing the relationship between the unknown entity 300b and the reputable entity 300c, the first security agent 300a might take a different action on a communication received from the unknown entity 300b. Sharing relationship information between the security agents thus provides a more complete set of relationship information on which a determination is made.
The system attempts to assign reputations (reflecting a general disposition and/or categorization) to physical entities, such as individuals or automated systems that perform transactions. In the virtual world, entities are represented by identifiers (for example IPs, URLs, content) that are tied to those entities in the specific transactions the entities are performing (for example, sending a message or transferring funds out of an account). Reputation can therefore be assigned to those identifiers based on their overall behavior and historical patterns, and on their relationships to other identifiers, such as the relationship between the IPs that send messages and the URLs included in those messages. If there is a strong correlation between identifiers, a "bad" reputation for a single identifier can worsen the reputation of other neighboring identifiers. For example, an IP that sends URLs with a bad reputation will worsen its own reputation because of the reputation of the URLs. Finally, the individual identifier reputations can be aggregated into a single reputation (risk score) for the entity associated with those identifiers.
It should be noted that attributes can fall into a number of categories. For example, evidentiary attributes can represent physical, digital, or digitized physical data about an entity. This data can be attributed to a single known or unknown entity, or shared between multiple entities (forming entity relationships). Examples of evidentiary attributes relevant to messaging security include IP (Internet protocol) addresses, known domain names, URLs, digital fingerprints or signatures used by the entity, TCP signatures, and so on.
As another example, behavioral attributes can represent human or machine-assigned observations about an entity or an evidentiary attribute. Such attributes can include one, many, or all attributes from one or more behavioral profiles. For example, a behavioral attribute generally associated with a spammer can be a high volume of communications sent from that entity.
A number of behavioral attributes for a particular type of behavior can be combined to derive a behavioral profile. A behavioral profile can contain a set of predefined behavioral attributes. The attributive characteristics assigned to these profiles include behavioral events relevant to defining the disposition of an entity that matches the profile. Examples of behavioral profiles relevant to messaging security might include "Spammer", "Scammer", and "Legitimate Sender". The events and/or evidentiary attributes relevant to each profile define the appropriate entities to which the profile should be assigned. This may include a specific set of sending patterns, blacklist events, or specific attributes of the evidentiary data. Some examples include: sender/recipient identification; time interval and sending patterns; severity and disposition of payload; message construction; message quality; protocols and related signatures; communications medium.
It should be understood that entities sharing some or all of the same evidentiary attributes have an evidentiary relationship. Similarly, entities sharing behavioral attributes have a behavioral relationship. These relationships help form logical groups of related profiles, which can then be applied adaptively to enhance the profiles or to identify entities that conform slightly more or less closely to the assigned profiles.
Fig. 4 is a flowchart depicting an operational scenario 400 used to detect relationships and assign risk to entities. The operational scenario begins at step 410 by collecting network data. Data collection can be done, for example, by a security agent 100, a client device, a switch, a router, or any other device operable to receive communications from network entities (for example, e-mail servers, web servers, IM servers, ISPs, file transfer protocol (FTP) servers, gopher servers, VoIP equipment, etc.).
At step 420, identifiers are associated with the collected data (for example, communication data). Step 420 can be performed by a security agent 100 or by a central system 200 operable to aggregate data from a number of sensor devices, including, for example, one or more security agents 100. Alternatively, step 420 can be performed by the security agents 100 themselves. The identifiers can be based on the type of communication received. For example, an e-mail can include one set of information (for example, the IP addresses of the originator and the destination, text content, attachments, etc.), while a VoIP communication can include a different set of information (for example, the originating phone number (or IP address if originating from a VoIP client), the receiving phone number (or IP address if destined for a VoIP phone), voice content, and so on). Step 420 can also include assigning the attributes of the communication to the associated identifiers.
At step 430, the attributes associated with the entities are analyzed to determine whether any relationships exist between the entities for which communication information has been collected. Step 430 can be performed, for example, by the central system 200 or by one or more distributed security agents 100. The analysis can include comparing the attributes related to different entities to find relationships between the entities. Moreover, a strength can be associated with the relationship, depending on the particular attribute that serves as the basis of the relationship.
At step 440, a risk vector is assigned to the entities. As an example, the risk vector can be assigned by the central system 200 or by one or more security agents 100. The risk vector assigned to an entity 130 (Figs. 1-2), 300 (Fig. 3) can be based on the relationships found between the entities and on the identifiers that formed the basis for those relationships.
At step 450, an action can be performed based on the risk vector. The action can be performed, for example, by a security agent 100. The action can be performed on a received communication associated with the entity to which the risk vector has been assigned. The action can include, among others, allowing, denying, quarantining, load balancing, delivering with an assigned priority, or analyzing locally with additional scrutiny. However, it should be understood that a reputation vector can be derived separately.
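The scenario of Fig. 4, applied to the three entities of Fig. 3, can be sketched as follows. This is an added example, not code from the patent: the Jaccard overlap, the per-identifier weights, the additive attribution rule and the action thresholds are all assumptions, and the attribute values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed weights: how strongly a shared attribute under each identifier
# type ties two entities together. The page gives no numbers.
IDENTIFIER_WEIGHT = {"url": 0.5, "fingerprint": 0.8}


@dataclass
class Entity:
    name: str
    # Step 420: identifier type -> attribute values seen in its communications.
    attributes: Dict[str, Set[str]]
    # Category -> score in [-1, 1]; negative is non-reputable, None is unknown.
    reputation: Optional[Dict[str, float]] = None


def overlap(a: Set[str], b: Set[str]) -> float:
    """Jaccard overlap of two attribute sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def relationship_strength(x: Entity, y: Entity) -> float:
    """Step 430: combine per-identifier overlaps into one strength in [0, 1]."""
    no_link = 1.0
    for id_type, weight in IDENTIFIER_WEIGHT.items():
        shared = overlap(x.attributes.get(id_type, set()),
                         y.attributes.get(id_type, set()))
        no_link *= 1.0 - weight * shared
    return 1.0 - no_link


def risk_vector(unknown: Entity, known: List[Entity]) -> Dict[str, float]:
    """Step 440: attribute a strength-weighted share of each related
    entity's reputation to the unknown entity, per category."""
    vector: Dict[str, float] = {}
    for other in known:
        strength = relationship_strength(unknown, other)
        for category, score in (other.reputation or {}).items():
            vector[category] = vector.get(category, 0.0) + strength * score
    return {c: max(-1.0, min(1.0, s)) for c, s in vector.items()}


def action_for(vector: Dict[str, float]) -> str:
    """Step 450: act on the worst component (thresholds are assumptions)."""
    worst = min(vector.values(), default=0.0)
    if worst <= -0.6:
        return "deny"
    if worst <= -0.3:
        return "quarantine"
    return "allow"


# Constructed sample data mirroring Fig. 3: 300a is known non-reputable,
# 300c is known reputable, 300b is unknown and shares attributes with both.
ENTITY_300A = Entity("300a", {"url": {"u1", "u2"}, "fingerprint": {"f1"}},
                     {"spam": -0.8, "virus": -0.4})
ENTITY_300B = Entity("300b", {"url": {"u1", "u3"}, "fingerprint": {"f1", "f2"}})
ENTITY_300C = Entity("300c", {"url": {"u3"}, "fingerprint": set()},
                     {"spam": 0.8, "virus": 0.8})

if __name__ == "__main__":
    # An agent that only knows about 300a versus one that also learned
    # of the 300b-300c relationship from a peer or the central system.
    alone = risk_vector(ENTITY_300B, [ENTITY_300A])
    shared = risk_vector(ENTITY_300B, [ENTITY_300A, ENTITY_300C])
    print(alone, action_for(alone))
    print(shared, action_for(shared))
```

With only the relationship to 300a the unknown entity is quarantined; once the relationship to 300c is shared, the same communication is allowed, which is the effect of information sharing described for Fig. 3.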
Fig. 5 is a block diagram illustrating an example network architecture that includes local reputations 500a-e derived by local reputation engines 510a-e and a global reputation 520 stored by one or more servers 530. The local reputation engines 510a-e can be associated, for example, with local security agents such as the security agents 100. Alternatively, the local reputation engines 510a-e can be associated, for example, with local clients. Each of the reputation engines 510a-e includes a list of one or more entities for which the reputation engine 510a-e stores a derived reputation 500a-e.
However, these stored derived reputations can be inconsistent between reputation engines, because each reputation engine may observe different types of traffic. For example, reputation engine 1 510a may hold a reputation indicating that a particular entity is reputable, while reputation engine 2 510b may hold a reputation indicating that the same entity is non-reputable. These local reputation inconsistencies can be based on different traffic received from the entity. Alternatively, the inconsistencies can be based on feedback from a user of local reputation engine 1 510a indicating that a communication is legitimate, while local reputation engine 2 510b provides feedback indicating that the same communication is not legitimate.
The server 530 receives reputation information from the local reputation engines 510a-e. However, as noted above, some of the local reputation information may be inconsistent with other local reputation information. The server 530 can arbitrate between the local reputations 500a-e to determine a global reputation 520 based on the local reputation information 500a-e. In some examples, the global reputation information 520 can then be provided back to the local reputation engines 510a-e to supply these engines 510a-e with up-to-date reputation information. Alternatively, the local reputation engines 510a-e can be operable to query the server 530 for reputation information. In some examples, the server 530 responds to the query with the global reputation information 520.
In other examples, the server 530 applies a local reputation bias to the global reputation 520. The local reputation bias can perform a transform on the global reputation to provide the local reputation engines 510a-e with a global reputation vector that is biased according to the preferences of the particular local reputation engine 510a-e that originated the query. Thus, a local reputation engine 510a whose administrator or user has indicated a high tolerance for spam messages can receive a global reputation vector that accounts for the indicated tolerance. The particular components of the reputation vector returned to the reputation engine 510a might include portions of the reputation vector that are de-emphasized relative to the rest of the reputation vector. Likewise, a local reputation engine 510b that has indicated, for example, a low tolerance for communications from entities with reputations for originating viruses can receive a reputation vector that amplifies the components of the reputation vector relating to virus reputation.
Fig. 6 is a block diagram illustrating the determination of a global reputation based on local reputation feedback. A local reputation engine 600 is operable to send a query through a network 610 to a server 620. In some examples, the local reputation engine 600 originates the query in response to receiving a communication from an unknown entity. Alternatively, the local reputation engine 600 can originate the query in response to receiving any communication, thereby promoting the use of more up-to-date reputation information.
The server 620 is operable to respond to the query with a global reputation determination. The central server 620 can derive the global reputation using a global reputation aggregation engine 630. The global reputation aggregation engine 630 is operable to receive a plurality of local reputations 640 from a respective plurality of local reputation engines. In some examples, the plurality of local reputations 640 can be sent periodically by the reputation engines to the server 620. Alternatively, the plurality of local reputations 640 can be retrieved by the server upon receiving a query from one of the local reputation engines 600.
The local reputations can be combined using a confidence value associated with each local reputation engine and then accumulating the results. The confidence value can indicate the confidence associated with a local reputation produced by the associated reputation engine. A reputation engine associated with an individual, for example, can receive a lower weight in the global reputation determination. In contrast, a local reputation associated with a reputation engine operating on a large network can receive a greater weight in the global reputation determination, based on the confidence value associated with that reputation engine.
In some examples, the confidence values 650 can be based on feedback received from users. For example, a reputation engine that receives a lot of feedback indicating that communications were not handled correctly, because the local reputation information 640 associated with the communications indicated the wrong action, can be assigned low confidence values 650 for the local reputations 640 associated with that reputation engine. Similarly, a reputation engine that receives feedback indicating that communications were handled correctly, based on local reputation information 640 associated with the communications that indicated the correct action, can be assigned a high confidence value 650 for the local reputations 640 associated with that reputation engine. Adjustment of the confidence values associated with the various reputation engines can be accomplished using a regulator 660, which is operable to receive input information and adjust the confidence values based on the received input. In some examples, the confidence values 650 can be provided to the server 620 by the reputation engine itself, based on stored statistics for incorrectly classified entities. In other examples, information used to weight the local reputation information can be communicated to the server 620.
In some examples, a bias 670 can be applied to the resulting global reputation vector. The bias 670 can normalize the reputation vector to provide a normalized global reputation vector to the reputation engine 600. Alternatively, the bias 670 can be applied to account for local preferences associated with the reputation engine 600 that originated the reputation query. Thus, a reputation engine 600 can receive a global reputation vector that matches the defined preferences of the querying reputation engine 600. The reputation engine 600 can take an action on the communication based on the global reputation vector received from the server 620.
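The arbitration between inconsistent local reputations described for Fig. 5 and the confidence-weighted aggregation, confidence adjustment and bias described for Fig. 6 can be sketched as follows. This is an added example, not code from the patent: the weighted mean, the feedback update rule, the multiplicative bias and all sample values are assumptions.

```python
from typing import Dict, List, Tuple

# Category -> score in [-1, 1]; negative is non-reputable.
Vector = Dict[str, float]


def adjust_confidence(confidence: float, correct: int, incorrect: int,
                      rate: float = 0.5) -> float:
    """Assumed stand-in for regulator 660: move the confidence value toward
    the share of communications that user feedback says were handled
    correctly by the engine's local reputation."""
    total = correct + incorrect
    if total == 0:
        return confidence  # no feedback, nothing to adjust
    accuracy = correct / total
    return min(1.0, max(0.0, confidence + rate * (accuracy - confidence)))


def aggregate(local: List[Tuple[Vector, float]]) -> Vector:
    """Aggregation engine 630: confidence-weighted mean of the local
    reputations, per category. An engine with no opinion on a category
    does not dilute that category."""
    weighted: Dict[str, float] = {}
    weight_sum: Dict[str, float] = {}
    for vector, confidence in local:
        for category, score in vector.items():
            weighted[category] = weighted.get(category, 0.0) + confidence * score
            weight_sum[category] = weight_sum.get(category, 0.0) + confidence
    return {c: weighted[c] / weight_sum[c] for c in weighted if weight_sum[c] > 0}


def apply_bias(global_vector: Vector, bias: Dict[str, float]) -> Vector:
    """Bias 670: scale each component by the querying engine's preference
    (below 1 de-emphasizes, above 1 amplifies), then clamp to [-1, 1]."""
    return {c: max(-1.0, min(1.0, s * bias.get(c, 1.0)))
            for c, s in global_vector.items()}


# Constructed sample: two engines disagree about the same entity.
LOCAL_REPUTATIONS: List[Tuple[Vector, float]] = [
    ({"spam": -0.8, "virus": -0.5}, 0.9),  # engine on a large network
    ({"spam": 0.8}, 0.1),                  # engine associated with an individual
]
SPAM_TOLERANT_BIAS = {"spam": 0.5}    # engine 510a: high tolerance for spam
VIRUS_STRICT_BIAS = {"virus": 1.5}    # engine 510b: low tolerance for viruses

if __name__ == "__main__":
    global_vector = aggregate(LOCAL_REPUTATIONS)
    print("global:", global_vector)
    print("for 510a:", apply_bias(global_vector, SPAM_TOLERANT_BIAS))
    print("for 510b:", apply_bias(global_vector, VIRUS_STRICT_BIAS))
    # Feedback says the large engine mishandled 8 of 10 communications.
    print("new confidence:", adjust_confidence(0.9, correct=2, incorrect=8))
```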
Fig. 7 is a block diagram illustrating an example resolution between a global reputation and a local reputation. A local security agent 700 communicates with a server 720 to retrieve global reputation information from the server 720. The local security agent 700 can receive a communication at 702. The local security agent can correlate the communication at 704 to identify attributes of the message. The attributes of the message can include, for example, the originating entity, a fingerprint of the message content, the message size, and so on. The local security agent 700 includes this information in a query to the server 720. In other examples, the local security agent 700 can forward the entire message to the server 720, and the server can perform the correlation and analysis of the message.
The server 720 uses the information received from the query to determine a global reputation according to a configuration 725 of the server 720. The configuration 725 can include a plurality of reputation information, including information indicating that the queried entity is non-reputable (730) and information indicating that the queried entity is reputable (735). The configuration 725 can also apply a weight 740 to each of the aggregated reputations 730, 735. A reputation score determiner 745 can provide the engine for weighting (740) the aggregated reputation information 730, 735 and producing a global reputation vector.
The local security agent 700 then sends a query to a local reputation engine at 706. The local reputation engine 708 performs a determination of the local reputation and returns a local reputation vector at 710. The local security agent 700 also receives a response to the reputation query sent to the server 720, in the form of a global reputation vector. The local security agent 700 then mixes the local reputation vector and the global reputation vector at 712. An action is then taken with respect to the received message at 714.
Fig. 8 is an example graphical user interface 800 for adjusting the settings of a filter associated with a reputation server. The graphical user interface 800 can allow a user of a local security agent to adjust the configuration of a local filter in several different categories 810, such as "Virus", "Worms", "Trojan Horse", "Phishing", "Spyware", "Spam", "Content", and "Bulk". However, it should be understood that the categories 810 depicted are merely examples, and that the disclosure is not limited to the categories 810 chosen as examples here.
In some examples, the categories 810 can be divided into two or more types of categories. For example, the categories 810 of Fig. 8 are divided into a "Security Settings" type 820 of categories 810 and a "Policy Settings" type 830 of categories. In each of the categories 810 and types 820, 830, a mixer bar representation 840 can allow the user to adjust the particular filter setting associated with the respective category 810 of communication or entity reputation.
Moreover, while categories 810 of the "Policy Settings" type 830 can be adjusted freely according to the user's own judgment, categories of the "Security Settings" type 820 can be limited to adjustment within a range. This distinction can be made in order to prevent a user from altering the security settings of the security agent beyond an acceptable range. For example, a disgruntled employee could attempt to lower the security settings, thereby leaving an enterprise network vulnerable to attack. Thus, the ranges 850 placed on categories 810 of the "Security Settings" type 820 are operable to keep security at a minimum level to prevent the network from being compromised. However, as should be noted, the categories 810 of the "Policy Settings" type 830 are those types of categories 810 that would not compromise the security of a network, but might only inconvenience the user or the enterprise if the settings were lowered.
Furthermore, it should be understood that in various examples, range limits 850 can be placed on all of the categories 810. Thus, the local security agent would prevent users from setting the mixer bar representation 840 outside of the provided range 850. It should also be noted that in some examples, the ranges may not be shown on the graphical user interface 800. Instead, the range 850 would be abstracted out of the graphical user interface 800, and all of the settings would be relative settings. Thus, the category 800 could display and appear to allow a full range of settings, while transforming each setting into a setting within the provided range. For example, the range 850 for the "Virus" category 810 is set in this example between level markers 8 and 13. If the graphical user interface 800 were set to abstract the allowable range 850 out of the graphical user interface 800, the "Virus" category 810 would allow the mixer bar representation 840 to be set anywhere between 0 and 14. However, the graphical user interface 800 could transform the 0-14 setting into a setting within the 8 to 13 range 850. Thus, if a user requested a setting midway between 0 and 14, the graphical user interface could transform that setting into a setting midway between 8 and 13.
Fig. 9 is a block diagram illustrating reputation-based connection throttling for voice over Internet protocol (VoIP) or short message service (SMS) communications. As should be understood, an originating IP phone 900 can place a VoIP call to a receiving IP phone 910. These IP phones 900, 910 can be, for example, computers executing soft-phone software, network-enabled phones, and so on. The originating IP phone 900 can place a VoIP call through a network 920 (for example, the Internet). The receiving IP phone 910 can receive the VoIP call through a local network 930 (for example, an enterprise network).
Upon establishing a VoIP call, the originating IP phone has established a connection to the local network 930. This connection can be exploited in a manner similar to the way e-mail, web, instant messaging, or other Internet applications can be exploited to provide an unregulated connection to a network. Thus, the connection to the receiving IP phone can be exploited, putting the computers 940, 950 operating on the local network 930 at risk of intrusion, viruses, Trojan horses, worms, and various other types of attacks based on the established connection. Moreover, because of the time-sensitive nature of VoIP communications, these communications are typically not examined to ensure that the connection is not being misused. For example, voice conversations occur in real time. If a few packets of a voice conversation are delayed, the conversation becomes stilted and difficult to understand. Thus, the contents of the packets typically cannot be examined once a connection is established.
However, a local security agent 960 can use reputation information received from a reputation engine or server 970 to determine a reputation associated with the originating IP phone. The local security agent 960 can use the reputation of the originating entity to determine whether to allow a connection to the originating entity. Thus, the security agent 960 can prevent connections to non-reputable entities, as indicated by reputations that do not comply with the policy of the local security agent 960.
In some examples, the local security agent 960 can include a connection throttling engine operable to control the flow rate of the packets being transmitted over the connection established between the originating IP phone 900 and the receiving IP phone 910. Thus, an originating entity 900 with a poor reputation can be allowed to make a connection to the receiving IP phone 910. However, the packet throughput will be capped, thereby preventing the originating entity 900 from exploiting the connection to attack the local network 930. Alternatively, the connection throttling can be accomplished by performing a detailed inspection of any packets originating from non-reputable entities. As stated above, detailed inspection of all VoIP packets is not efficient. Thus, quality of service (QoS) can be maximized for connections associated with reputable entities, while the QoS associated with connections to non-reputable entities is reduced. Standard communication interrogation techniques can be performed on connections associated with non-reputable entities in order to discover whether any of the transmitted packets received from the originating entity comprise a threat to the network 930. Various interrogation techniques and systems are described in U.S. Patent Nos. 6,941,467, 7,089,590, 7,096,498 and 7,124,438 and in U.S. Patent Application Nos. 2006/0015942, 2006/0015563, 2003/0172302, 2003/0172294, 2003/0172291 and 2003/0173166, which are hereby incorporated by reference.
Fig. 10 is a block diagram illustrating the operation of a reputation-based load balancer 1000. The load balancer 1000 is operable to receive communications from reputable entities 1010 and non-reputable entities 1020 (respectively) through a network 1030 (for example, the Internet). The load balancer 1000 communicates with a reputation engine 1040 to determine the reputation of the entities 1010, 1020 associated with incoming or outgoing communications.
The reputation engine 1030 is operable to provide the load balancer with a reputation vector. The reputation vector can indicate, in a variety of categories, the reputation of the entity 1010, 1020 associated with the communication. For example, the reputation vector might indicate a good reputation for an entity 1010, 1020 with respect to originating spam, while also indicating a poor reputation for the same entity 1010, 1020 with respect to originating viruses.
The load balancer 1000 can use the reputation vector to determine what action to perform on a communication associated with the entity 1010, 1020. Where a reputable entity 1010 is associated with the communication, the message is sent to a message transfer agent (MTA) 1050 and delivered to a recipient 1060.
Where a non-reputable entity 1020 has a reputation for viruses, but does not have a reputation for other types of non-reputable activity, the communication is forwarded to one of a plurality of virus detectors 1070. The load balancer 1000 is operable to determine which of the plurality of virus detectors 1070 to use based on the current capacity of the virus detectors and the reputation of the originating entity. For example, the load balancer 1000 could send the communication to the least utilized virus detector. In other examples, the load balancer 1000 might determine the degree of non-reputability associated with the originating entity and send slightly non-reputable communications to the least utilized virus detectors, while sending highly non-reputable communications to a highly utilized virus detector, thereby throttling the QoS of a connection associated with a highly non-reputable entity.
Similarly, where a non-reputable entity 1020 has a reputation for originating spam communications, but does not have a reputation for other types of non-reputable activity, the load balancer can send the communication to specialized spam detectors 1080 to the exclusion of other types of testing. It should be understood that where a communication is associated with a non-reputable entity 1020 that originates multiple types of non-reputable activity, the communication can be sent for testing for each of the types of non-reputable activity that the entity 1020 is known to display, while avoiding the tests associated with non-reputable activity that the entity 1020 is not known to display.
In some examples, every communication can receive routine testing for multiple types of non-legitimate content. However, when an entity 1020 associated with a communication shows a reputation for certain types of activity, the communication can also be quarantined for detailed testing for the content that the entity shows a reputation for originating.
In yet other examples, every communication can receive the same type of testing. However, communications associated with reputable entities 1010 are sent to the testing modules with the shortest queue or to testing modules with spare processing capacity. On the other hand, communications associated with non-reputable entities 1020 are sent to the testing modules 1070, 1080 with the longest queue. Therefore, communications associated with reputable entities 1010 can receive priority in delivery over communications associated with non-reputable entities. Quality of service is therefore maximized for reputable entities 1010, while being reduced for non-reputable entities 1020. Thus, reputation-based load balancing can protect the network from attack by reducing the ability of non-reputable entities to connect to the network 930.
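The routing decisions described for Fig. 10 can be sketched as follows. This is an added example, not code from the patent: the two thresholds, the treatment of a missing category as neutral, and the detector names and queue lengths are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

POOR = -0.3       # assumed: at or below this, the category gets tested
VERY_POOR = -0.7  # assumed: at or below this, the connection is throttled


@dataclass
class Detector:
    name: str
    kind: str       # category this module tests for: "virus" or "spam"
    queue: int = 0  # communications currently waiting


def pick_detector(detectors: List[Detector], kind: str, score: float) -> Detector:
    """Slightly non-reputable senders get the least utilized detector of the
    right kind; highly non-reputable senders get the most utilized one,
    which lowers their quality of service."""
    pool = [d for d in detectors if d.kind == kind]
    if not pool:
        raise LookupError(f"no detector available for {kind}")
    choose = max if score <= VERY_POOR else min
    chosen = choose(pool, key=lambda d: d.queue)
    chosen.queue += 1  # the communication now occupies a queue slot
    return chosen


def route(reputation: Dict[str, float], detectors: List[Detector]) -> List[str]:
    """Return where the load balancer sends the communication.

    Only the categories for which the sender has a poor reputation are
    tested; a sender with no poor component goes straight to the MTA.
    What happens after a detector finishes is outside this example.
    """
    hops = [pick_detector(detectors, kind, reputation[kind]).name
            for kind in ("virus", "spam")
            if reputation.get(kind, 0.0) <= POOR]
    return hops or ["mta"]


def sample_detectors() -> List[Detector]:
    """Constructed pool: two virus detectors 1070, one spam detector 1080."""
    return [Detector("virus-1", "virus", 2),
            Detector("virus-2", "virus", 7),
            Detector("spam-1", "spam", 0)]


if __name__ == "__main__":
    pool = sample_detectors()
    print(route({"spam": 0.6, "virus": 0.4}, pool))    # reputable entity 1010
    print(route({"spam": 0.5, "virus": -0.4}, pool))   # slightly poor for viruses
    print(route({"virus": -0.9}, pool))                # highly poor for viruses
    print(route({"spam": -0.8, "virus": -0.4}, pool))  # poor in both categories
```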
Fig. 11A is a flowchart illustrating an example operational scenario for collecting geolocation-based data for authentication analysis. At step 1100, the operational scenario collects data from various login attempts. Step 1100 can be performed, for example, by a local security agent, such as the security agent 100 of Fig. 1. The collected data can include, among others, the IP address associated with the login attempt, the time of the login attempt, the number of login attempts before success, or the details of any unsuccessful passwords attempted. The collected data is then analyzed at step 1105 to derive statistical information, such as the geographical location of the login attempts. Step 1105 can be performed, for example, by a reputation engine. The statistical information associated with the login attempts is then stored at step 1110. The storing can be performed, for example, by a system data store.
Fig. 11B is a flowchart illustrating another example operational scenario for geolocation-based authentication. A login attempt is received at step 1115. The login attempt can be received, for example, by a secure web server operable to provide secure financial data over a network. It is then determined at step 1120 whether the login attempt matches a stored username and password combination. Step 1120 can be performed, for example, by a secure server operable to authenticate login attempts. If the username and password do not match a stored username/password combination, the login attempt is declared a failure at step 1125.
However, if the username and password do match a legitimate username/password combination, the origin of the login attempt is determined at step 1130. The origin of the login attempt can be determined by a local security agent 100 as shown in Fig. 1. Alternatively, the origin of the login attempt can be determined by a reputation engine. The origin of the login attempt can then be compared with the statistical information derived in Fig. 11A, as shown in step 1135. Step 1135 can be performed, for example, by a local security agent 100 or by a reputation engine. It is determined at step 1140 whether the origin matches the statistical expectation. If the actual origin matches the statistical expectation, the user is authenticated at step 1145.
Alternatively, if the actual origin does not match the statistical expectation for the origin, further processing is performed at step 1150. It should be understood that the further processing can include requesting further information from the user to verify his or her authenticity. Such information can include, for example, a home address, mother's maiden name, place of birth, or any other piece of information known about the user (for example, a secret question). Other examples of additional processing can include searching previous login attempts to determine whether the location of the current login attempt is truly anomalous or merely coincidental. Furthermore, a reputation associated with the entity originating the login attempt can be derived and used to determine whether to allow the login.
Figure 11C is a flowchart illustrating another example operational scenario for geolocation-based authentication, using the reputation of the originating entity to confirm authentication. A login attempt is received at step 1115. The login attempt can be received, for example, by a secure web server operable to provide secure financial data over a network. At step 1160 it is determined whether the login attempt matches a stored username and password combination. Step 1160 can be performed, for example, by a secure server operable to authenticate login attempts. If the username and password do not match a stored username/password combination, the login attempt is declared a failure at step 1165.
However, if the username and password do match a legitimate username/password combination, the origin of the login attempt is determined at step 1170. The origin of the login attempt can be determined by the local security agent 100 shown in Figure 1. Alternatively, the origin of the login attempt can be determined by a reputation engine. A reputation associated with the entity originating the login attempt is then retrieved, as shown at step 1175. Step 1175 can be performed, for example, by a reputation engine. At step 1180 it is determined whether the reputation of the originating entity is reputable. If the originating entity is reputable, the user's identity is authenticated at step 1185.
Alternatively, if the originating entity is non-reputable, further processing is performed at step 1190. It should be understood that further processing can include requesting further information from the user to verify his or her authenticity. Such information can include, for example, a home address, mother's maiden name, place of birth, or any other piece of information known about the user (e.g., a secret question). Other examples of additional processing can include searching previous login attempts to determine whether the location of the current login attempt is truly anomalous or merely coincidental.
Thus, it should be understood that reputation systems can be used to identify fraud in financial transactions. The reputation system can raise the risk score of a transaction depending on the reputation of the transaction originator or on the data in the actual transaction (source, destination, amount, etc.). In such situations, the financial institution can better determine the probability that a particular transaction is fraudulent based upon the reputation of the originating entity.
Figure 12 is a flowchart illustrating an example operational scenario for reputation-based dynamic quarantine. Communications are received at step 1200. The communications are then analyzed at step 1205 to determine whether they are associated with an unknown entity. It should be noted, however, that this operational scenario could be applied to any communications received, not merely communications received from previously unknown entities. For example, communications received from a non-reputable entity could be dynamically quarantined until it is determined that the received communications do not pose a threat to the network. Where the communications are not associated with a new entity, the communications undergo normal processing for incoming communications, as shown at step 1210.
If the communications are associated with a new entity, a dynamic quarantine counter is initialized at step 1215. Communications received from the new entity are then sent to dynamic quarantine at step 1220. The counter is then checked at step 1225 to determine whether the counter has elapsed. If the counter has not elapsed, the counter is decremented at step 1230. The behavior of the entity, as well as the quarantined communications, can be analyzed at step 1235. At step 1240 it is determined whether the behavior of the entity or the quarantined communications is anomalous. If no anomaly is found, the operational scenario returns to step 1220, where new communications are quarantined.
However, if the behavior or communications of the entity are found to be anomalous at step 1240, a non-reputable reputation is assigned to the entity at step 1245. The process ends by sending a notification to an administrator or to the recipients of communications sent by the originating entity.
Returning to step 1220, the process of quarantining and examining communications and entity behavior continues until anomalous behavior is discovered, or until the dynamic quarantine counter elapses at step 1225. If the dynamic quarantine counter has elapsed, a reputation is assigned to the entity at step 1255. Alternatively, where the entity is not an unknown entity, the reputation can be updated at step 1245 or 1255. The operational scenario ends at step 1260 by releasing the dynamic quarantine, where the dynamic quarantine counter has elapsed without an anomaly being found in the communications or in the behavior of the originating entity.
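The Figure 12 flow can be modeled as a small state machine. The following Python example is added here as an illustration and is not code from the patent; the class and method names, the tick-based counter, the burst-volume anomaly test, and the choice to record a clean expiry as a reputable outcome are all assumptions.

```python
from dataclasses import dataclass, field

REPUTABLE, NON_REPUTABLE = "reputable", "non-reputable"


@dataclass
class Quarantine:
    counter: int                                # ticks left before release (step 1215)
    held: list = field(default_factory=list)    # communications kept in quarantine


class DynamicQuarantine:
    """Hypothetical model of the Figure 12 flow; not the patent's own code."""

    def __init__(self, window, is_anomalous):
        self.window = window                # initial value of the quarantine counter
        self.is_anomalous = is_anomalous    # callback(entity, held) -> bool (assumed)
        self.reputation = {}                # entity -> assigned reputation
        self.active = {}                    # entity -> Quarantine
        self.notifications = []             # messages for an administrator

    def receive(self, entity, message):
        """Steps 1200-1220: route one incoming communication."""
        if entity in self.reputation:       # step 1205: entity is already known
            return "normal"                 # step 1210: normal processing
        state = self.active.setdefault(entity, Quarantine(self.window))
        state.held.append(message)          # step 1220: hold in quarantine
        return "quarantined"

    def tick(self, entity):
        """Steps 1225-1260: one pass of the loop; returns released messages."""
        state = self.active.get(entity)
        if state is None:
            return []
        if state.counter <= 0:              # step 1225: counter has elapsed
            # Step 1255. Assumption: no anomaly was seen, so record "reputable".
            self.reputation[entity] = REPUTABLE
            del self.active[entity]
            return state.held               # step 1260: release the quarantine
        state.counter -= 1                  # step 1230
        if self.is_anomalous(entity, state.held):        # steps 1235 and 1240
            self.reputation[entity] = NON_REPUTABLE      # step 1245
            self.notifications.append(
                f"{entity}: anomalous, {len(state.held)} message(s) withheld")
            del self.active[entity]
        return []


def burst_detector(entity, held, limit=3):
    """Constructed anomaly test: too many messages while still in quarantine."""
    return len(held) > limit


def sample_run():
    """Constructed scenario: one quiet new sender and one bursty new sender."""
    dq = DynamicQuarantine(window=2, is_anomalous=burst_detector)
    dq.receive("quiet.example", "hello")
    released = []
    for _ in range(3):                      # two decrements, then release
        released += dq.tick("quiet.example")
    for i in range(4):
        dq.receive("bursty.example", f"offer {i}")
    dq.tick("bursty.example")
    return released, dict(dq.reputation), list(dq.notifications)


if __name__ == "__main__":
    print(sample_run())
```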
Figure 13 is an example graphical user interface 1300 display of an image spam communication, which can be classified as an unwanted image or message. As should be understood, image spam poses a problem for traditional spam filters. Image spam bypasses the traditional textual analysis of spam by converting the text message of the spam into an image format. Figure 13 shows an example of image spam. The message shows an image 1310. While the image 1300 appears to be textual, it is merely the graphic encoding of a textual message. Image spam also typically includes a textual message 1320 comprising sentences that are structured correctly but make no sense in the context of the message. The message 1320 is designed to elude spam filters that key on communications that include only an image 1310. Moreover, the message 1320 is designed to trick filters that apply superficial testing to the text of a communication that includes an image 1310. Further, while these messages do include information about the origin of the message in the header 1330, the reputation of an entity used for sending image spam might be unknown until the entity is recognized as sending image spam.
Figure 14 is a flowchart illustrating an example operational scenario for detecting unwanted images (e.g., image spam). It should be understood that many of the steps shown in Figure 14 can be performed alone or in combination with any or all of the other steps shown in Figure 14 to provide some detection of image spam. However, the use of each of the steps in Figure 14 provides a comprehensive process for detecting image spam.
The process begins at step 1400 with analysis of the communication. Step 1400 typically includes analyzing the communication to determine whether it includes an image that is subject to image spam processing. At step 1410, the operational scenario performs a structural analysis of the communication to determine whether the image comprises spam. The header of the image is then analyzed at step 1420. Analysis of the image header allows the system to determine whether anomalies exist with respect to the image format itself (e.g., protocol errors, other errors, etc.). The features of the image are analyzed at step 1430. The feature analysis is intended to determine whether any of the features of the image are anomalous.
The image can be normalized at step 1440. Normalization of an image typically includes removal of random noise that might have been added by a spammer to avoid image fingerprinting techniques. Image normalization is intended to convert the image into a format that can be easily compared among images. A fingerprint analysis can be performed on the normalized image to determine whether the image matches images from previously received known image spam.
Figure 15A is a flowchart illustrating an operational scenario for analyzing the structure of a communication. The operational scenario begins at step 1500 with analysis of the message structure. At step 1505, the HTML (Hypertext Markup Language) structure of the communication is analyzed to introduce n-gram tags as additional tokens for a Bayesian analysis. Such processing can analyze the text 1320 that is included in an image spam communication for anomalies. The HTML structure of the message can be analyzed to define meta-tokens. A meta-token is the HTML content of the message, processed to discard any irrelevant HTML tags and compressed by removing whitespace to produce a "token" for Bayesian analysis. Each of the above-described tokens can be used as input to a Bayesian analysis for comparison with previously received communications.
The operational scenario then includes image detection at step 1515. Image detection can include partitioning the image into a plurality of pieces and fingerprinting the pieces to determine whether the fingerprints match pieces of previously received images.
Figure 15B is a flowchart illustrating an operational scenario for analyzing the features of an image in order to extract features of the message for input into a clustering engine, so as to identify components of the image that align with known image spam. The operational scenario begins at step 1520, where a number of high-level features of the image are detected for use in a machine learning algorithm. Such features can include values such as the number of unique colors, the number of noise black pixels, the number of edges in the horizontal direction (sharp transitions between shapes), etc.
One of the features extracted by the operational scenario can include the number of histogram modes of the image, as shown at step 1525. The number of modes is obtained by examining the spectral intensity of the image. As should be understood, artificial images typically include fewer modes than natural images, because natural image colors are typically spread across a broad spectrum.
As described above, the features extracted from the image can be used to identify anomalies. In some examples, anomalies can include analyzing the features of a message to determine a degree of similarity between a number of features and the features of stored unwanted images. Alternatively, in some examples, the image features can also be analyzed for comparison with known reputable images to determine similarity to reputable images. It should be understood that none of the extracted features alone is determinative of a classification. For example, a specific feature might be associated with 60% of unwanted messages while also being associated with 40% of wanted messages. Moreover, as the value associated with the feature changes, the probability that the message is wanted or unwanted might change. There are many features that can indicate a slight tendency. If each of these features is combined, the image spam detection system can make a classification decision.
The aspect ratio is then examined at step 1530 to determine whether any anomalies exist with respect to the image size or aspect ratio. Such anomalies in the aspect ratio could be indicated by similarity of the image size or aspect ratio to known sizes or aspect ratios that are common to known image spam. For example, image spam can come in specific sizes to make the image spam look more like ordinary e-mail. Messages that include images sharing a common size with known spam images are more likely to be spam themselves. Alternatively, there are image sizes that are not conducive to spam (e.g., a 1 inch x 1 inch square image might be difficult to read if a spammer inserted a message into the image). Messages that include images known to be non-conducive to spam insertion are less likely to be image spam. Thus, the aspect ratio of a message can be compared with common aspect ratios used in image spam to determine a probability that the image is an unwanted image or that the image is a reputable image.
At step 1535, the frequency distribution of the image is examined. Typically, natural images have a uniform frequency distribution with relatively few sharp frequency gradations. Image spam, on the other hand, typically includes a frequency distribution that changes often, because black letters are placed on a dark background. Thus, such a non-uniform frequency distribution can indicate image spam.
At step 1540, the signal-to-noise ratio can be analyzed. A high signal-to-noise ratio might indicate that a spammer is trying to evade fingerprinting techniques by introducing noise into the image. Increasing noise levels can thereby indicate an increasing probability that the image is an unwanted image.
It should be understood that some features can be extracted on the scale of the entire image, while other features can be extracted from subparts of the image. For example, the image can be subdivided into a plurality of subparts. Each of the rectangles can be transformed into the frequency domain using a fast Fourier transform (FFT). In the transformed image, the predominance of frequencies in a plurality of directions can be extracted as features. These subparts of the transformed image can also be examined to determine the amount of high and low frequencies. In the transformed image, the points that are further away from the origin represent higher frequencies. Similarly to the other extracted features, these features can then be compared with known legitimate and unwanted images to determine which characteristics the unknown image shares with each type of known image. Moreover, the transformed (e.g., frequency domain) image can also be divided into subparts (e.g., slices, rectangles, concentric circles, etc.) and compared against data from known images (e.g., both known unwanted images and known legitimate images).
Figure 15C is a flowchart illustrating an operational scenario for normalizing an image for spam processing. At step 1545, blur and noise are removed from the image. As discussed previously, these can be introduced by spammers to evade fingerprinting techniques such as hashing, by varying the hash sum so that it does not match any previously received hash fingerprint of known image spam. Blur and noise removal can describe several techniques for removing artificial noise introduced by spammers. It should be understood that artificial noise can include techniques used by spammers such as banding (where a font included in the image is varied to vary the hash of the image).
At step 1550, an edge detection algorithm can be run on the normalized image. In some examples, the edge-detected image can be provided to an optical character recognition engine to convert the edge-detected image to text. Edge detection can be used to remove unnecessary detail from the picture, which can cause inefficiency in processing the image against other images.
At step 1555, median filtering can be applied. The median filtering is applied to remove random pixel noise. Such random pixels can cause problems for content analysis of the image. Median filtering can help to remove the single-pixel type of noise introduced by spammers. It should be understood that single-pixel noise is introduced by spammers using an image editor to alter one or more pixels in the image, which can make the image appear grainy in some areas, thereby making the image more difficult to detect.
At step 1560, the image is quantized. Quantizing the image removes unnecessary color information. The color information typically requires more processing and is unrelated to the message the spam attempts to propagate. Moreover, spammers could vary the color scheme in an image slightly and again vary the hash, such that the hashes of known image spam do not match the hash derived from the color-variant image spam.
At step 1565, contrast stretching is performed. Using contrast stretching, the color scale in the image is maximized from black to white, even if the colors only vary through shades of gray. The lightest shade of the image is assigned a white value, while the darkest shade in the image is assigned a black value. All other shades are assigned their relative position in the spectrum in comparison to the lightest and darkest shades in the original image. Contrast stretching helps to define details in an image that may not make full use of the available spectrum, and can therefore help to prevent spammers from using different parts of the spectrum to avoid fingerprinting techniques. Spammers sometimes intentionally shift the intensity range of an image to defeat some types of feature identification engines. Contrast stretching can also help to normalize an image so that it can be compared with other images to identify common features contained in the images.
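The effect of steps 1555 to 1565 on hash-based fingerprints can be shown with a short Python example, added here and not taken from the patent. The 8x6 grayscale sample, the 3x3 median window, the quantization step of 64 and the SHA-256 fingerprint are assumptions; the altered copy carries a small brightness shift and two single-pixel specks of the kind the text describes.

```python
import hashlib

# Constructed sample: '.' background, '+' shadow, '#' text (grayscale values).
TONES = {".": 200, "+": 120, "#": 40}

KNOWN_SPAM = [
    "........",
    ".####+..",
    ".####+..",
    ".####+..",
    ".####+..",
    "........",
]
OTHER_IMAGE = [
    "........",
    "...####+",
    "...####+",
    "...####+",
    "...####+",
    "........",
]


def to_pixels(rows, shift=0):
    """Turn the character map into a 2-D list of grayscale values."""
    return [[TONES[c] + shift for c in row] for row in rows]


def altered_copy(rows):
    """Constructed hash-busting variant: slight color shift plus two specks."""
    img = to_pixels(rows, shift=4)
    img[2][6] = 255     # bright speck on the background
    img[3][2] = 0       # dark speck inside the text block
    return img


def median_filter(img):
    """Step 1555: 3x3 median, with edge pixels replicated at the border."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            window = sorted(
                img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                for dy in (-1, 0, 1) for dx in (-1, 0, 1))
            row.append(window[4])           # middle of the 9 sorted values
        out.append(row)
    return out


def quantize(img, step=64):
    """Step 1560: drop fine color detail by snapping to multiples of `step`."""
    return [[v - v % step for v in row] for row in img]


def contrast_stretch(img):
    """Step 1565: darkest shade -> 0, lightest -> 255, others in proportion."""
    lo = min(min(row) for row in img)
    hi = max(max(row) for row in img)
    if hi == lo:
        return [[0] * len(row) for row in img]
    return [[(v - lo) * 255 // (hi - lo) for v in row] for row in img]


def normalize(img):
    return contrast_stretch(quantize(median_filter(img)))


def fingerprint(img):
    """Exact-match fingerprint: SHA-256 over the row-major pixel bytes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


if __name__ == "__main__":
    known, variant = to_pixels(KNOWN_SPAM), altered_copy(KNOWN_SPAM)
    print("raw match:       ", fingerprint(known) == fingerprint(variant))
    print("normalized match:", fingerprint(normalize(known)) == fingerprint(normalize(variant)))
```

The raw hashes differ because every pixel value changed, while the normalized hashes agree; an image with a different layout still produces a different normalized fingerprint.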
Figure 15D is a flowchart illustrating an operational scenario for analyzing the fingerprint of an image to find common fragments among multiple images. The operational scenario begins at step 1570 by defining regions within an image. A winnowing algorithm is then performed on the defined regions at step 1575 to identify the relevant portions of the image upon which fingerprints should be taken. At step 1580, the operational scenario fingerprints the fragments resulting from the winnowing operation and determines whether there is a match between the fingerprints of the received image and known spam images. A similar winnowing fingerprint approach is described in U.S. Patent Application Publication No. 2006/0251068, which is hereby incorporated by reference.
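Winnowing in its commonly published form keeps the minimum k-gram hash of every sliding window as a fingerprint, so any shared run of at least w + k - 1 bytes is guaranteed to yield a shared fingerprint. The Python example below is an added illustration of that general algorithm, not the method of the patent or of the incorporated application; the byte strings stand in for the normalized pixel data of a region and are constructed, and the parameters k and w and the function names are assumptions.

```python
import hashlib


def kgram_hashes(data: bytes, k: int):
    """Hash every k-byte window of the region's pixel data (64-bit BLAKE2b)."""
    return [
        int.from_bytes(hashlib.blake2b(data[i:i + k], digest_size=8).digest(), "big")
        for i in range(len(data) - k + 1)
    ]


def winnow(data: bytes, k: int = 5, w: int = 4):
    """Return the set of (hash, position) fingerprints selected by winnowing.

    In each window of w consecutive k-gram hashes the smallest hash is kept;
    ties go to the rightmost occurrence.
    """
    hashes = kgram_hashes(data, k)
    if not hashes:
        return set()
    selected = set()
    for start in range(max(1, len(hashes) - w + 1)):
        window = hashes[start:start + w]
        lowest = min(window)
        offset = max(i for i, h in enumerate(window) if h == lowest)
        selected.add((lowest, start + offset))
    return selected


def shared_fragments(candidate: bytes, known: bytes, k: int = 5, w: int = 4):
    """Positions in `candidate` whose fingerprints also occur in `known`."""
    known_hashes = {h for h, _ in winnow(known, k, w)}
    return sorted(pos for h, pos in winnow(candidate, k, w) if h in known_hashes)


# Constructed stand-ins for normalized pixel rows of an image region.
KNOWN_SPAM_REGION = bytes((i * 37 + 11) % 251 for i in range(200))
UNRELATED_REGION = bytes((i * 53 + 7) % 241 for i in range(200))

# A received image that reuses 60 bytes of the known spam image (offsets 70-129)
# surrounded by unrelated content.
CANDIDATE_REGION = (
    UNRELATED_REGION[:70] + KNOWN_SPAM_REGION[60:120] + UNRELATED_REGION[70:140]
)


if __name__ == "__main__":
    hits = shared_fragments(CANDIDATE_REGION, KNOWN_SPAM_REGION)
    print("shared fingerprints:", len(hits), "first at offset", hits[0])
    print("unrelated image:", shared_fragments(UNRELATED_REGION, KNOWN_SPAM_REGION))
```

The positions returned for the candidate fall inside the reused fragment, which is how a match on part of an image can be located even when the rest of the image is new.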
As used in the description herein and throughout the claims that follow, the meaning of "a," "an," and "the" includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise. Finally, as used in the description herein and throughout the claims that follow, the meanings of "and" and "or" include both the conjunctive and the disjunctive and may be used interchangeably unless the context clearly dictates otherwise.
Ranges may be expressed herein as from "about" one particular value and/or to "about" another particular value. When such a range is expressed, another embodiment includes from the one particular value and/or to the other particular value. Similarly, when values are expressed as approximations, by use of the antecedent "about," it will be understood that the particular value forms another embodiment. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint and independently of the other endpoint.
A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.

Claims (135)

1. A computer-implemented method operable to assign a reputation to a web-based entity associated with an HTML (Hypertext Markup Language) communication, the method comprising the steps of:
receiving an HTML (Hypertext Markup Language) communication at an edge protection device;
identifying an entity associated with the received HTML (Hypertext Markup Language) communication;
querying a reputation engine for a reputation indicator associated with the entity;
receiving the reputation indicator from the reputation engine; and
taking an action with respect to the HTML (Hypertext Markup Language) communication based upon the received reputation indicator associated with the entity.
2. the method for claim 1, wherein said entity is the network entity that comprises destination URL(uniform resource locator), territory or IP address.
3. the method for claim 1, the reputation of wherein said entity is based on communication and available public or private network information about described entity before receiving from described entity, and described public or private network information comprises entitlement or trustship information.
4. method as claimed in claim 3, communication before wherein said comprises one or more in following: electronic information, HTML (Hypertext Markup Language) communication, instant message, file transfer protocol (FTP) communication, simple object access protocol message, RTP grouping, short message service communication, Multimedia Message communication for service, or Internet protocol voice call communication.
5. the method for claim 1, wherein said action are to abandon the intranet user that described communication and notice and described HTML (Hypertext Markup Language) are communicated by letter and be associated.
6. the method for claim 1, wherein said entity is associated with the network service of number of different types, described network service comprises the communication of HTML (Hypertext Markup Language) type at least, and comprises in E-mail communication, file transfer protocol (FTP) communication, instant messaging, gopher communication, short message service communication or the Internet protocol voice call communication at least one.
7. the method for claim 1, wherein said reputation engine converges to determine described reputation designator according to the standard of reputable standard that is associated with described entity and the reputation difference that is associated with described entity.
8. method as claimed in claim 7, wherein said reputation designator are the vectors of indicating reputation according to a plurality of different standards.
9. method as claimed in claim 8 further comprises and checks the reputation vector, and whether the strategy that is associated with the enterprise network of determining according to the reputation vector of described entity to be protected with described edge-protected equipment allows and the communicating by letter of described entity.
10. the method for claim 1, wherein said reputation engine is to operate the reputation server that reputation information is provided to a plurality of edge-protected equipment.
Store overall reputation designator 11. method as claimed in claim 10, wherein said reputation engine can be operated, and before the described reputation designator of output, use the local bias described overall reputation designator of setovering.
12. the method for claim 1, wherein said reputation designator comprises the reputation vector, and described reputation vector comprises the multidimensional classification of described entity.
13. method as claimed in claim 12, wherein said multidimensional classification comprises the classification with two or more message of carrying out in pornography classification, news category, computing machine classification, security class, phishing classification, spyware classification, viral classification or the attack classification.
14. method as claimed in claim 12, wherein said reputation designator further comprise each degree of confidence that is associated in the described multidimensional classification with described entity.
15. the method for claim 1 further comprises the randomization that detects URL(uniform resource locator).
16. method as claimed in claim 15 wherein passes through to produce the gibberish of described URL(uniform resource locator) and the URL(uniform resource locator) of more described gibberish and the former reputation difference of discerning, and determines the randomization of described URL(uniform resource locator).
17. method as claimed in claim 15, wherein, determine the randomization of described URL(uniform resource locator) by a plurality of parts of described URL(uniform resource locator) being carried out the URL(uniform resource locator) of fingerprint recognition and more described gibberish and the former reputation difference of discerning.
18. A web reputation system on an edge protection device, the web reputation system being operable to receive a network communication and to assign a reputation to an entity associated with the communication, the system comprising:
a communications interface operable to receive a network communication;
a communication analyzer operable to analyze the network communication to determine an entity associated with the network communication;
a reputation engine operable to provide a reputation associated with the entity based upon previously collected data associated with the entity; and
a decision engine operable to receive a reputation indicator from the reputation engine and to determine whether to pass the network communication to a recipient.
19. The system of claim 18, wherein the reputation of the entity is based upon previous communications received from the entity, the previous communications comprising one or more of: an electronic message, an HTML (Hypertext Markup Language) communication, an instant message, a file transfer protocol communication, a simple object access protocol message, an RTP packet, a short message service communication, or a voice over internet protocol communication.
20. The system of claim 18, wherein the decision engine is operable to notify an intranet user associated with the HTML (Hypertext Markup Language) communication where the communication is not passed to the recipient.
21. The system of claim 18, wherein the reputation engine determines the reputation indicator based upon reputable criteria associated with the entity and non-reputable criteria associated with the entity.
22. The system of claim 21, wherein the reputation indicator is a vector indicating reputation according to a plurality of different criteria.
23. The system of claim 22, further comprising examining the reputation vector to determine, based upon the reputation vector of the entity, whether a policy associated with an enterprise network protected by the edge protection device permits communication with the entity.
24. The system of claim 18, wherein the reputation engine is a reputation server operable to provide reputation information to a plurality of edge protection devices, and the reputation engine is operable to store a global reputation indicator and to bias the global reputation indicator using a local bias prior to outputting the reputation indicator.
25. The system of claim 18, further comprising an interrogation engine operable to perform a plurality of tests on the communication and to determine a profile associated with the network communication.
26. The system of claim 25, wherein the decision engine is operable to determine whether to pass the network communication based upon the profile associated with the network communication.
27. The system of claim 26, wherein the reputation engine is operable to use the profile to update the reputation information associated with the entity.
28. The system of claim 18, wherein the reputation comprises a reputation vector, the reputation vector comprising a multi-dimensional classification of the entity.
29. The system of claim 28, wherein the multi-dimensional classification comprises a classification of messages into two or more of a pornography category, a news category, a computer category, a security category, a phishing category, a spyware category, a virus category, or an attack category.
30. The system of claim 28, wherein the reputation further comprises a confidence associated with each of the multi-dimensional classifications of the entity.
31. The system of claim 18, further comprising detecting randomization of a uniform resource locator.
32. The method of claim 31, wherein randomization of the uniform resource locator is determined by generating a hash of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
33. The method of claim 31, wherein randomization of the uniform resource locator is determined by fingerprinting a plurality of portions of the uniform resource locator and comparing the hash with previously identified non-reputable uniform resource locators.
34. One or more computer-readable media having software program code operable to assign a reputation to a messaging entity associated with a received communication, the software program code comprising:
receiving an HTML (Hypertext Markup Language) communication at an edge protection device;
identifying an entity associated with the received HTML (Hypertext Markup Language) communication;
querying a reputation engine for a reputation indicator associated with the entity;
receiving the reputation indicator from the reputation engine; and
taking an action with respect to the HTML (Hypertext Markup Language) communication based upon the received reputation indicator associated with the entity.
35. A reputation system, the system comprising:
a centralized reputation engine operable to receive feedback from a plurality of local reputation engines, the plurality of local reputation engines being operable to determine local reputations based upon one or more entities and respectively associated with the local reputation engines;
an aggregation engine operable to derive a global reputation for a queried entity based upon an aggregation of the plurality of local reputations; and
wherein the centralized reputation engine is operable to provide the global reputation of the queried entity to one or more of the local reputation engines in response to receiving a reputation query from said one or more of the local reputation engines.
36. The system of claim 35, wherein the aggregation engine is operable to store confidence values associated with the respective local reputation engines, the aggregation engine being further operable to aggregate the plurality of local reputations using the confidence value associated with each of the plurality of local reputations through its respective local reputation engine.
37. The system of claim 36, wherein the local reputation system is a subsystem of the centralized reputation system and performs reputation scoring on a local scale based upon communications received by the local reputation engine, and the centralized reputation engine performs reputation scoring based upon communications received by the centralized reputation engine and upon reputation information received from the local reputation engines.
38. The system of claim 36, wherein the local reputations are weighted according to their respective confidence values prior to aggregation of the local reputations.
39. The system of claim 38, wherein the confidence values are tuned based upon feedback received from the plurality of local reputation engines.
40. The system of claim 35, wherein the local reputations and the global reputation are vectors identifying characteristics of the respective entities with which they are associated.
41. The system of claim 40, wherein the characteristics comprise one or more of: a spam characteristic, a phishing characteristic, a bulk mail characteristic, a virus source characteristic, a legitimate communication characteristic, an intrusion characteristic, an attack characteristic, a spyware characteristic, or a geolocation characteristic.
42. The system of claim 35, wherein the local reputations are based upon an aggregation of reputable criteria and non-reputable criteria.
43. The system of claim 35, wherein the centralized reputation system is operable to apply a local reputation bias to the global reputation based upon the local reputation engine originating the reputation query.
44. The system of claim 43, wherein the local reputation bias is based upon input received from the local reputation engine originating the reputation query.
45. The system of claim 43, wherein the local reputation bias is based upon feedback received from the local reputation engine originating the reputation query.
46. system as claimed in claim 43, wherein said local reputation biasing can operate certain standard that strengthens reputation according to described local reputation biasing, reduces the another kind of standard of reputation simultaneously.
47. system as claimed in claim 35, wherein local reputation engine can be operated described overall reputation applications had been applied to described overall reputation with local reputation biasing before the communication that receives from the described entity of being inquired about.
48. system as claimed in claim 35, protected enterprise network wherein about being associated with described local reputation engine, described local reputation engine is initiated reputation and is inquired about in response to receiving the communication that is associated with external entity.
49. system as claimed in claim 48, wherein said local reputation engine is initiated described reputation inquiry in response to the local reputation that is associated with uncertain described external entity.
50. system as claimed in claim 35, wherein said centralized reputation engine further can operate converge with described a plurality of entities in the reputation of one or more a plurality of identity that are associated.
51. system as claimed in claim 50, wherein said centralized reputation engine further can be operated related attribute is associated with different identity, to discern the relation between the described identity, and the part of the reputation that will be associated with an entity distributes to the reputation of another entity, wherein identification relation between entity.
52. A method of producing an overall reputation, comprising the steps of:
Receiving a reputation query from a requesting local reputation engine;
Retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines;
Aggregating the plurality of local reputations;
Deriving an overall reputation from the aggregation of the local reputations; and
Responding to the reputation query with the overall reputation.
53. The method of claim 52, further comprising retrieving confidence values associated with the local reputation engines, wherein the retrieving step uses the confidence values to derive the overall reputation.
54. The method of claim 53, wherein the deriving step further comprises weighting the overall reputation using the respective confidence values of the overall reputation, and combining the weighted reputations to produce the overall reputation.
55. The method of claim 54, further comprising adjusting the confidence values based on feedback from the plurality of local reputation engines.
56. The method of claim 52, wherein the local reputations and the overall reputation are vectors identifying features of the respective entities with which they are associated.
57. The method of claim 56, wherein the features comprise one or more of the following: a spam feature, a phishing feature, a bulk mail feature, a spyware feature, or a legitimate mail feature.
58. The method of claim 52, wherein the local reputations are based on an aggregation of reputable criteria and non-reputable criteria.
59. The method of claim 52, further comprising applying a local reputation bias to the aggregation of the local reputations to produce an overall reputation vector, the local reputation bias being based on the requesting local reputation engine.
60. The method of claim 59, wherein the local reputation bias is based on input received from the requesting local reputation engine.
61. The method of claim 59, wherein the local reputation bias is based on feedback received from the requesting local reputation engine.
62. The method of claim 59, further comprising strengthening certain reputation criteria according to the local reputation bias, and weakening other reputation criteria according to the local reputation bias.
63. The method of claim 52, wherein the requesting local reputation engine initiates the reputation query in response to receiving a communication associated with an entity that is external with respect to a protected enterprise network associated with the requesting local reputation engine.
64. The method of claim 63, wherein the requesting local reputation engine initiates the reputation query in response to the local reputation associated with the external entity being indeterminate.
65. The method of claim 52, wherein the step of deriving the overall reputation is further based on public information and private information that is not available to any one of the plurality of local reputation engines.
66. One or more computer-readable media having software program code operable to perform steps for aggregating a plurality of local reputation vectors to produce an overall reputation vector, the steps comprising:
Receiving a reputation query from a requesting local reputation engine;
Retrieving a plurality of local reputations, the local reputations being respectively associated with a plurality of local reputation engines;
Aggregating the plurality of local reputations;
Deriving an overall reputation from the aggregation of the local reputations; and
Responding to the reputation query with the overall reputation.
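The aggregation recited in claims 36 to 39, 43 to 46 and 52 to 62 can be sketched as follows. This is an added illustration, not code from the patent or its assignee: the claims give no formula, so the confidence-weighted mean, the per-feature multiplier used as the local reputation bias, the fixed-step confidence adjustment, the 0 to 1 score scale and all class, method and engine names are assumptions.

```python
from collections import defaultdict

# Feature names follow the list in claim 41; the 0..1 score scale is an assumption.
FEATURES = ("spam", "phishing", "bulk_mail", "virus_source", "legitimate")


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


class CentralReputationEngine:
    """Hypothetical central engine: keeps local reputation vectors and a
    confidence value per local engine, and answers queries with an aggregate."""

    def __init__(self, default_confidence=0.5):
        self.default_confidence = default_confidence
        self.confidence = {}            # engine_id -> confidence in [0, 1]
        self.local = defaultdict(dict)  # entity -> {engine_id: vector}

    def report(self, engine_id, entity, vector):
        """Store the local reputation vector one engine holds for an entity."""
        unknown = set(vector) - set(FEATURES)
        if unknown:
            raise ValueError(f"unknown features: {sorted(unknown)}")
        self.confidence.setdefault(engine_id, self.default_confidence)
        self.local[entity][engine_id] = {f: clamp(s) for f, s in vector.items()}

    def aggregate(self, entity):
        """Weight each local score by its engine's confidence, then combine.

        A feature is None when no engine with non-zero confidence reported
        it, so callers can tell "unknown" apart from "scored zero".
        """
        out = {}
        for feature in FEATURES:
            num = den = 0.0
            for engine_id, vec in self.local.get(entity, {}).items():
                if feature in vec:
                    weight = self.confidence[engine_id]
                    num += weight * vec[feature]
                    den += weight
            out[feature] = num / den if den > 0 else None
        return out

    def query(self, entity, bias=None):
        """Answer a reputation query, applying the requester's local bias.

        bias maps feature -> multiplier: values above 1 strengthen a
        criterion and values below 1 weaken it (assumed form of the bias).
        """
        bias = bias or {}
        return {
            f: None if v is None else clamp(v * bias.get(f, 1.0))
            for f, v in self.aggregate(entity).items()
        }

    def feedback(self, engine_id, agreed, step=0.1):
        """Raise or lower an engine's confidence after feedback on its reports."""
        current = self.confidence.get(engine_id, self.default_confidence)
        self.confidence[engine_id] = clamp(current + step if agreed else current - step)
        return self.confidence[engine_id]


if __name__ == "__main__":
    # Constructed sample data: two local engines disagree about one sender.
    central = CentralReputationEngine()
    central.confidence.update({"edge-a": 0.9, "edge-b": 0.1})
    central.report("edge-a", "203.0.113.7", {"spam": 0.8, "legitimate": 0.1})
    central.report("edge-b", "203.0.113.7", {"spam": 0.2})
    print(central.query("203.0.113.7"))
    print(central.query("203.0.113.7", bias={"spam": 1.5, "legitimate": 0.5}))
```

Returning None for a feature nobody reported keeps an unknown entity from being read as a clean one.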
67. A reputation system, the system comprising:
A communication interface operable to receive overall reputation information from a central server, the central server being operable to determine overall reputations based on feedback received from one or more local reputation engines, the overall reputations being respectively associated with one or more entities;
A reputation engine operable to bias the overall reputation received from the central server according to defined local preferences; and
Wherein the centralized reputation engine is operable to provide the overall reputation of a queried entity to the communication interface in response to receiving a reputation query from the communication interface.
68. A reputation system, the system comprising:
A communication interface operable to receive distributed reputation information from one or more distributed reputation engines, the distributed reputation engines being operable to examine communications and derive reputations associated with one or more entities that originated the communications;
A reputation module operable to aggregate the distributed reputation information and derive an overall reputation based on the aggregation of the distributed reputation information, the reputation module being further operable to derive local reputation information based on communications received by the reputation module; and
A traffic control module operable to determine handling associated with a communication based on the overall reputation and the local reputation.
69. A reputation-based network security system, the system comprising:
A communication interface operable to receive incoming and outgoing communications associated with a network;
A communication analyzer operable to derive an external entity associated with a communication;
A reputation engine operable to derive a reputation vector associated with the external entity, the reputation vector comprising an aggregation of reputable and non-reputable criteria across a plurality of categories, the plurality of categories comprising different types of communications;
A security engine operable to receive the reputation vector and to send the communication to one or more of a plurality of inquiry engines, wherein the security engine is operable to determine, based on the reputation vector, to which of the plurality of inquiry engines the communication is sent.
70. The system of claim 69, wherein the security engine is operable to avoid sending the communication to unwarranted inquiry engines, an inquiry engine being unwarranted where the reputation vector does not indicate that the external entity has a reputation for participating in the activity identified by that inquiry engine.
71. The system of claim 69, wherein each of the one or more inquiry engines comprises a plurality of instances of the inquiry engine.
72. The system of claim 71, wherein, when selecting an inquiry engine, the security engine is operable to select a chosen instance of the inquiry engine, the chosen instance being selected based on the capacity of that instance.
73. The system of claim 69, wherein the security engine is operable to assign the communication a high priority in an inquiry queue associated with the plurality of inquiry engines where the external entity is a reputable entity, and to assign the communication a low priority in the inquiry queue where the external entity is a non-reputable entity.
74. The system of claim 73, wherein quality of service is maximized for reputable entities and reduced for non-reputable entities.
75. The system of claim 69, wherein each of the one or more inquiry engines comprises a plurality of instances of the inquiry engine, the instances of the inquiry engine being operable to reside on an edge protection device or an enterprise client device.
76. The system of claim 69, wherein the reputation engine is a reputation server operable to provide reputation information to a plurality of edge protection devices or client devices.
77. A reputation-based network security system, the system comprising:
A communication interface operable to receive incoming and outgoing communications associated with a network;
A communication analyzer operable to derive an external entity associated with a communication;
A reputation engine operable to derive a reputation associated with the external entity, the reputation comprising an aggregation of reputable and non-reputable criteria associated with the external entity;
A security engine operable to assign priority information to a communication, wherein the security engine is operable to receive the reputation and to assign the communication a high priority where the external entity is a reputable entity and a low priority where the external entity is a non-reputable entity, whereby the priority information is used by one or more inquiry engines to improve quality of service for reputable entities.
78. A computer-implemented method operable to efficiently process communications based on a reputation associated with an external entity, the method comprising the steps of:
Receiving a communication associated with an external entity based on origination or destination information associated with the communication;
Identifying the external entity associated with the received communication;
Deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity;
Assigning a priority to the communication based on the derived reputation associated with the external entity;
Performing one or more tests on the communication based on the priority assigned to the communication.
79. The method of claim 78, further comprising maximizing quality of service for messages that have been assigned a high priority.
80. The method of claim 78, wherein the derived reputation is a reputation vector, the reputation vector conveying the reputation of the external entity in a plurality of categories.
81. The method of claim 80, further comprising bypassing any of the one or more tests if the reputation vector associated with the communication indicates that the external entity is a reputable entity with respect to the criteria tested by the bypassed test.
82. The method of claim 78, wherein each of the one or more tests comprises a plurality of engines operable to perform the one or more tests.
83. The method of claim 82, wherein the security engine is operable to distribute the testing of communications evenly across the plurality of engines according to the capacity of the engines, the communications including the received communication.
84. The method of claim 78, wherein the one or more tests are performed by a plurality of engines operable to perform the tests, the engines being operable to reside on an edge protection device or an enterprise client device.
85. The method of claim 78, wherein the reputation is retrieved from a reputation server, the reputation server being operable to provide reputation information to a plurality of edge protection devices and client devices.
86. The method of claim 78, wherein the reputation is retrieved from a local reputation engine.
87. A computer-implemented method operable to efficiently process communications based on a reputation associated with an external entity, the method comprising:
Receiving a communication associated with an external entity based on origination or destination information associated with the communication;
Identifying the external entity associated with the received HTML (Hypertext Markup Language) communication;
Deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity;
Assigning the communication to one or more inquiry engines selected from a plurality of inquiry engines, the selection of the one or more inquiry engines being based on the derived reputation associated with the external entity and on the capacity of the inquiry engines; and
Executing the one or more inquiry engines on the communication.
88. One or more computer-readable media having software program code operable to efficiently process a communication based on the reputation of an external entity associated with the communication, the software program code comprising:
Receiving a communication associated with an external entity based on origination or destination information associated with the communication;
Identifying the external entity associated with the received HTML (Hypertext Markup Language) communication;
Deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity;
Assigning a priority to the communication based on the derived reputation associated with the external entity;
Performing one or more tests on the communication based on the priority assigned to the communication.
89. A computer-implemented method operable to process communications based on a reputation associated with an external entity, the method comprising:
Receiving a communication associated with an external entity based on origination or destination information associated with the communication;
Identifying the external entity associated with the received communication;
Deriving a reputation associated with the external entity based on reputable and non-reputable criteria associated with the external entity;
Assigning a processing path to the communication based on the derived reputation associated with the external entity.
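The routing behaviour recited in claims 69 to 74 and 78 to 81 (choosing inquiry engines from the reputation vector, bypassing tests, and ordering the inquiry queue by priority) can be sketched as follows. This is an added illustration, not code from the patent: the thresholds, the category-to-engine mapping, the three priority levels, the optional mandatory-engine list and all names are assumptions.

```python
import heapq
from itertools import count

# Hypothetical mapping from a reputation-vector category to the inquiry
# engine that tests for that kind of activity.
ENGINE_FOR_CATEGORY = {
    "spam": "spam_engine",
    "phishing": "phishing_engine",
    "virus_source": "virus_engine",
}

# Assumed thresholds on a 0..1 score scale.
SUSPICION = 0.2      # below this, the vector does not indicate the activity
NON_REPUTABLE = 0.7  # at or above this in any category: non-reputable entity
REPUTABLE = 0.8      # minimum "legitimate" score for a reputable entity

HIGH, NORMAL, LOW = 0, 1, 2  # smaller value is dequeued first


def select_engines(vector, mandatory=()):
    """Pick the inquiry engines a communication is sent to.

    An engine is skipped only when the vector scores its category below
    SUSPICION. A category missing from the vector is unknown, not clean,
    so its engine still runs. Engines listed in mandatory always run.
    """
    chosen = set(mandatory)
    for category, engine in ENGINE_FOR_CATEGORY.items():
        score = vector.get(category)
        if score is None or score >= SUSPICION:
            chosen.add(engine)
    return sorted(chosen)


def priority_for(vector):
    """Map a reputation vector to a queue priority."""
    scored = [vector[c] for c in ENGINE_FOR_CATEGORY if c in vector]
    if scored and max(scored) >= NON_REPUTABLE:
        return LOW
    fully_scored = len(scored) == len(ENGINE_FOR_CATEGORY)
    if (fully_scored and max(scored) < SUSPICION
            and vector.get("legitimate", 0.0) >= REPUTABLE):
        return HIGH
    return NORMAL


class InquiryQueue:
    """Priority queue in front of the inquiry engines (FIFO within a priority)."""

    def __init__(self, mandatory=()):
        self._heap = []
        self._seq = count()
        self._mandatory = tuple(mandatory)

    def enqueue(self, comm_id, vector):
        entry = (priority_for(vector), next(self._seq), comm_id,
                 select_engines(vector, self._mandatory))
        heapq.heappush(self._heap, entry)

    def drain(self):
        """Return (comm_id, priority, engines) in processing order."""
        order = []
        while self._heap:
            priority, _, comm_id, engines = heapq.heappop(self._heap)
            order.append((comm_id, priority, engines))
        return order


if __name__ == "__main__":
    # Constructed sample vectors for three senders.
    q = InquiryQueue()
    q.enqueue("m1", {"spam": 0.9, "phishing": 0.1, "virus_source": 0.0, "legitimate": 0.1})
    q.enqueue("m2", {"spam": 0.05, "phishing": 0.0, "virus_source": 0.0, "legitimate": 0.95})
    q.enqueue("m3", {})
    for item in q.drain():
        print(item)
```

A deployment that does not want a reputable sender to bypass every test can pass a `mandatory` list so that at least one engine always runs.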
90. A reputation-based connection suppression system for Internet protocol voice call communications, the system comprising:
A communication interface operable to receive an Internet protocol voice call connection request associated with an external entity before a connection is established between the external entity and a protected network associated with the communication interface;
A reputation engine operable to derive a reputation associated with the external entity; and
A connection control engine operable to deny the Internet protocol voice call connection request to the protected network based on the derived reputation of the external entity associated with the Internet protocol voice call connection request.
91. The system of claim 90, wherein the reputation engine derives the reputation of the external entity based on an aggregation of reputable criteria and non-reputable criteria associated with the external entity.
92. The system of claim 90, wherein the connection control engine prevents non-reputable entities from establishing connections with the protected network.
93. The system of claim 92, wherein the non-reputable entities are operable to attempt to send Internet protocol voice call communications to the protected network in an effort to establish a pretext Internet protocol voice call connection with the protected network and to use the pretext Internet protocol voice call connection for illegitimate activity.
94. The system of claim 90, wherein the communication interface is further operable to receive a Short Message Service connection request, and the connection control engine is operable to deny the Short Message Service connection request based on a reputation associated with the Short Message Service entity that initiated the Short Message Service connection request.
95. The system of claim 90, further comprising a message inquiry engine operable to examine the content of communications originating from the external entity to determine whether the external entity is using an Internet protocol voice call connection.
96. The system of claim 90, wherein the reputation engine is a reputation server, the reputation server being operable to receive a reputation query from the connection control engine and to provide the derived reputation to the connection control engine.
97. The system of claim 96, wherein the reputation server derives the reputation of the external entity by aggregating a plurality of local reputations associated with the external entity, the plurality of local reputations being provided by a plurality of local reputation engines.
98. The system of claim 90, wherein the connection control engine comprises a policy, the reputation being compared with the policy to determine whether to allow the Internet protocol voice call connection request.
99. The system of claim 98, wherein the policy defines one or more categories of external entities whose Internet protocol voice call requests are allowed.
100. The system of claim 90, wherein the connection control engine is operable to reduce quality of service for any connection received from a non-reputable external entity, and to maximize quality of service for any connection received from a reputable external entity.
101. The method of claim 90, further comprising: receiving a plurality of simultaneous connection requests; correlating the simultaneous connection requests to determine that the requests comprise an attack; and updating the reputation associated with one or more entities associated with the simultaneous connection requests so as to cause the plurality of connection requests to be suppressed.
102. The method of claim 90, further comprising deriving a reputation associated with the external entity, the reputation indicating that the external entity has a reputation for participating in denial-of-service attacks, wherein a reputation for participating in denial-of-service attacks triggers the connection control engine to suppress the connection immediately based on input or policy from a telephone receiver.
103. The method of claim 90, wherein the connection is requested to a device on the protected network, the device comprising a mobile location-aware device.
104. A reputation-based connection suppression system for short message communications, the system comprising:
A communication interface operable to receive a Short Message Service connection request associated with an external entity before a connection is established between the external entity and a protected network associated with the communication interface;
A reputation engine operable to derive a reputation associated with the external entity; and
A connection control engine operable to deny the Short Message Service connection request to the protected network based on the derived reputation of the external entity associated with the Short Message Service connection request.
105. The system of claim 104, wherein the reputation engine derives the reputation of the external entity based on an aggregation of reputable criteria and non-reputable criteria associated with the external entity.
106. The system of claim 105, wherein the connection control engine prevents non-reputable entities from establishing connections with the protected network.
107. The system of claim 106, wherein the non-reputable entities are operable to attempt to send Short Message Service communications to the protected network in an effort to establish a pretext Short Message Service connection with the protected network and to use the pretext Short Message Service connection for illegitimate activity.
108. The system of claim 104, further comprising a message inquiry engine operable to examine the content of communications originating from the external entity to determine whether the external entity is using a Short Message Service connection.
109. The system of claim 104, wherein the reputation engine is a reputation server, the reputation server being operable to receive a reputation query from the connection control engine and to provide the derived reputation to the connection control engine.
110. The system of claim 109, wherein the reputation server derives the reputation of the external entity by aggregating a plurality of local reputations associated with the external entity, the plurality of local reputations being provided by a plurality of local reputation engines.
111. The system of claim 104, wherein the connection control engine comprises a policy, the reputation being compared with the policy to determine whether to allow the Internet protocol voice call connection request.
112. The system of claim 111, wherein the policy defines one or more categories of external entities whose Internet protocol voice call requests are allowed.
113. A method of reputation-based connection suppression, comprising the steps of:
Receiving an Internet protocol voice call connection request, the Internet protocol voice call connection request being associated with an external entity;
Querying a reputation engine for a reputation associated with the external entity;
Comparing the reputation with a policy associated with a protected enterprise network;
Allowing the connection request upon determining that the reputation of the external entity associated with the Internet protocol voice call connection request complies with the policy.
Suppressing the connection request upon determining that the reputation of the external entity associated with the Internet protocol voice call connection request does not comply with the policy.
114. A method of reputation-based connection suppression, comprising the steps of:
Receiving a connection request, the connection request requesting a connection between an external entity and a protected enterprise network;
Querying a reputation engine for a reputation associated with the external entity, the reputation comprising an aggregation of reputable and non-reputable criteria associated with the external entity;
Comparing the reputation with a policy associated with the protected enterprise network;
Allowing the connection request upon determining that the reputation of the external entity associated with the Internet protocol voice call connection request complies with the policy.
Suppressing the connection request upon determining that the reputation of the external entity associated with the Internet protocol voice call connection request does not comply with the policy.
115. A reputation-based firewall, comprising:
A firewall operable to receive data packets sent to a protected network and to determine the handling of the data packets according to a security policy associated with the protected network, the security policy comprising at least one rule based on the reputation of an external entity associated with the data packets;
A reputation engine operable to determine the external entity associated with the data packets and to provide a reputation to the firewall based on the determination of the external entity; and
Wherein the handling comprises allowing the data packets into the protected network or denying the data packets entry into the protected network.
116. a system comprises:
The security control interface, it can be operated and produce a plurality of security controls and represent that each during described a plurality of security controls are represented can be operated and be controlled a plurality of security set that are associated with protected entity; And
The policy control interface, it can be operated and produce a plurality of policy control and represent, and each during described a plurality of policy control are represented can be operated and be controlled a plurality of strategies that are associated with protected entity and be provided with;
Filtering module, it can operate to filter one or more communication stream according to described a plurality of security set and according to described a plurality of strategy settings.
117. The system of claim 116, wherein the security control representations comprise a plurality of security slider representations in a plurality of security categories, the security slider representations being operable to control the security settings associated with the protected network.
118. The system of claim 117, wherein the plurality of security categories comprise two or more of a virus category, a phishing category, a worm category, or a Trojan horse category.
119. The system of claim 118, wherein each of the plurality of security control representations is operable to adjust a threshold sensitivity for an associated one of the security settings.
120. The system of claim 119, wherein the threshold sensitivity comprises a level of similarity between features of a communication stream and features associated with the security category.
121. The system of claim 117, wherein the policy control representations comprise a plurality of policy slider representations in a plurality of policy categories, the policy slider representations being operable to control the policy settings associated with the protected network.
122. The system of claim 121, wherein the plurality of policy categories comprise two or more of a spam category, a content type, a spyware category, or a group mail category.
123. The system of claim 122, wherein each of the plurality of policy control representations is operable to adjust a threshold sensitivity for an associated one of the policy settings.
124. The system of claim 123, wherein the threshold sensitivity comprises a level of similarity between features of a communication stream and features associated with the policy category.
125. The system of claim 116, wherein the protected entity is one of a computing device, a communication device, a mobile device, or a network.
126. The system of claim 116, wherein the security control interface and the policy control interface are controlled by an administrator.
127. The system of claim 41, wherein the security control interface and the policy control interface are controlled by an end user.
128. The system of claim 127, wherein the security control interface comprises a plurality of ranges associated with the plurality of security control representations, the security control settings being operable to be adjusted within the ranges.
129. A computer-implemented method, comprising:
Receiving a plurality of ranges from an administrator;
Providing a security control interface to a user, the security control interface comprising a plurality of security control representations associated with security controls, each control mechanism comprising an associated range from among the plurality of ranges, the associated range defining a minimum setting and a maximum setting associated with the respective security control;
Receiving a plurality of security control settings from the user through the security control interface;
Adjusting a plurality of thresholds related to the plurality of control settings received from the user, the plurality of thresholds being associated with a tolerance for a classification of a potential security violation; and
Filtering communication streams from a protected entity associated with the user according to the plurality of thresholds.
130. The system of claim 129, wherein the security control representations comprise a plurality of security slider representations in a plurality of security categories, the security slider representations being operable to control the security settings associated with the protected network.
131. The system of claim 130, wherein the plurality of security categories comprise two or more of a virus category, a phishing category, a worm category, a Trojan horse category, a spam category, a content type, a spyware category, or a group mail category.
132. The system of claim 131, wherein each of the plurality of security control representations is operable to adjust a threshold sensitivity for an associated one of the security settings.
133. The system of claim 132, wherein the threshold sensitivity comprises a level of similarity between features of a communication stream and features associated with the security category.
134. The system of claim 129, wherein the protected entity is one of a computing device, a communication device, a mobile device, or a network.
135. One or more computer-readable media having software program code operable to adjust the filtering of incoming and outgoing communication streams, the software program code comprising:
Receiving a plurality of ranges from an administrator;
Providing a security control interface to a user, the security control interface comprising a plurality of security control representations associated with a plurality of security control settings, each control mechanism comprising an associated range from among the plurality of ranges, the associated range defining a minimum setting and a maximum setting associated with the respective security control;
Receiving input from the user through the security control interface, the input requesting adjustment of the plurality of security control settings;
Adjusting a plurality of thresholds related to the plurality of control settings received from the user, the plurality of thresholds being associated with a tolerance for a classification of a potential security violation; and
Filtering communication streams from a protected entity associated with the user according to the plurality of thresholds.
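The steps recited in claims 129 and 135 (administrator ranges, user settings held within those ranges, thresholds derived from the settings, filtering by similarity level as in claims 120 and 133) can be sketched as follows. This is an added example, not code from the patent or from any product; the 0 to 10 slider scale, the mapping from slider value to similarity threshold, the function names and the sample streams are all assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = 10  # assumed slider scale (0..10); the claims do not fix one

@dataclass(frozen=True)
class Range:  # administrator-defined bounds for one slider
    minimum: int
    maximum: int

def clamp_settings(admin_ranges, user_settings):
    """Force each requested slider value into the administrator's range.
    Unset categories fall back to the minimum; unranged ones are ignored."""
    return {
        cat: max(r.minimum, min(r.maximum, user_settings.get(cat, r.minimum)))
        for cat, r in admin_ranges.items()
    }

def thresholds_from_settings(settings):
    """Assumed mapping: higher sensitivity -> lower similarity needed to block."""
    return {cat: round(1 - value / SCALE, 2) for cat, value in settings.items()}

def filter_streams(streams, thresholds):
    """Return (allowed ids, {blocked id: categories that met their threshold})."""
    allowed, blocked = [], {}
    for stream in streams:
        scores = stream["similarity"]
        hits = sorted(c for c, t in thresholds.items() if scores.get(c, 0.0) >= t)
        if hits:
            blocked[stream["id"]] = hits
        else:
            allowed.append(stream["id"])
    return allowed, blocked

# Constructed sample data: the user asks for virus=2 (below the floor of 6)
# and phishing=15 (above the ceiling of 8); "worm" has no administrator range.
ADMIN_RANGES = {"virus": Range(6, 10), "phishing": Range(4, 8), "spam": Range(0, 10)}
USER_SETTINGS = {"virus": 2, "phishing": 15, "spam": 3, "worm": 9}
STREAMS = [
    {"id": "s1", "similarity": {"virus": 0.45, "phishing": 0.05, "spam": 0.1}},
    {"id": "s2", "similarity": {"virus": 0.1, "phishing": 0.1, "spam": 0.5}},
    {"id": "s3", "similarity": {"phishing": 0.25}},
    {"id": "s4", "similarity": {"spam": 0.9}},
]

def demo():
    settings = clamp_settings(ADMIN_RANGES, USER_SETTINGS)
    return filter_streams(STREAMS, thresholds_from_settings(settings))

if __name__ == "__main__":
    print(demo())
```

Stream s1 is blocked only because the administrator's minimum overrides the user's lower virus setting; with the raw value of 2 the virus threshold would be 0.8 and s1 would pass.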
CN200880009672A 2007-01-24 2008-01-24 Web reputation scoring Pending CN101730892A (en)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
US11/626,479 2007-01-24
US11/626,470 2007-01-24
US11/626,644 2007-01-24
US11/626,479 US7937480B2 (en) 2005-06-02 2007-01-24 Aggregation of reputation data
US11/626,470 US8561167B2 (en) 2002-03-08 2007-01-24 Web reputation scoring
US11/626,620 2007-01-24
US11/626,620 US7779156B2 (en) 2007-01-24 2007-01-24 Reputation based load balancing
US11/626,644 US8179798B2 (en) 2007-01-24 2007-01-24 Reputation based connection throttling
PCT/US2008/051865 WO2008091980A1 (en) 2007-01-24 2008-01-24 Web reputation scoring

Publications (1)

Publication Number Publication Date
CN101730892A true CN101730892A (en) 2010-06-09

Family

ID=39644880

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200880009672A Pending CN101730892A (en) 2007-01-24 2008-01-24 Web reputation scoring

Country Status (4)

Country Link
EP (1) EP2115642A4 (en)
CN (1) CN101730892A (en)
AU (1) AU2008207924B2 (en)
WO (1) WO2008091980A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10938844B2 (en) 2016-07-22 2021-03-02 At&T Intellectual Property I, L.P. Providing security through characterizing mobile traffic by domain names

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004061703A1 (en) * 2002-12-23 2004-07-22 Microsoft Corporation Reputation system for web services
US20060015942A1 (en) * 2002-03-08 2006-01-19 Ciphertrust, Inc. Systems and methods for classification of messaging entities
US20060095404A1 (en) * 2004-10-29 2006-05-04 The Go Daddy Group, Inc Presenting search engine results based on domain name related reputation

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040177120A1 (en) * 2003-03-07 2004-09-09 Kirsch Steven T. Method for filtering e-mail messages
US20060155553A1 (en) * 2004-12-30 2006-07-13 Brohman Carole G Risk management methods and systems
US7912192B2 (en) * 2005-02-15 2011-03-22 At&T Intellectual Property Ii, L.P. Arrangement for managing voice over IP (VoIP) telephone calls, especially unsolicited or unwanted calls
EP1856640A2 (en) * 2005-03-02 2007-11-21 Markmonitor, Inc. Trust evaluation systems and methods
US7822620B2 (en) * 2005-05-03 2010-10-26 Mcafee, Inc. Determining website reputations using automatic testing
US20060277259A1 (en) * 2005-06-07 2006-12-07 Microsoft Corporation Distributed sender reputations

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8549611B2 (en) 2002-03-08 2013-10-01 Mcafee, Inc. Systems and methods for classification of messaging entities
US8561167B2 (en) 2002-03-08 2013-10-15 Mcafee, Inc. Web reputation scoring
US8578480B2 (en) 2002-03-08 2013-11-05 Mcafee, Inc. Systems and methods for identifying potentially malicious messages
US8635690B2 (en) 2004-11-05 2014-01-21 Mcafee, Inc. Reputation based message processing
US8763114B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Detecting image spam
US10050917B2 (en) 2007-01-24 2018-08-14 Mcafee, Llc Multi-dimensional reputation scoring
US9544272B2 (en) 2007-01-24 2017-01-10 Intel Corporation Detecting image spam
US9009321B2 (en) 2007-01-24 2015-04-14 Mcafee, Inc. Multi-dimensional reputation scoring
US8762537B2 (en) 2007-01-24 2014-06-24 Mcafee, Inc. Multi-dimensional reputation scoring
US8621559B2 (en) 2007-11-06 2013-12-31 Mcafee, Inc. Adjusting filter or classification control settings
US8606910B2 (en) 2008-04-04 2013-12-10 Mcafee, Inc. Prioritizing network traffic
US8589503B2 (en) 2008-04-04 2013-11-19 Mcafee, Inc. Prioritizing network traffic
US8621638B2 (en) 2010-05-14 2013-12-31 Mcafee, Inc. Systems and methods for classification of messaging entities
CN102685200A (en) * 2011-02-17 2012-09-19 微软公司 Managing unwanted communications using template generation and fingerprint comparison features
CN103559413A (en) * 2013-11-15 2014-02-05 北京搜房科技发展有限公司 Data processing method and device
CN103559413B (en) * 2013-11-15 2016-11-02 北京搜房科技发展有限公司 A kind of data processing method and device
CN106716508A (en) * 2014-09-26 2017-05-24 迈克菲股份有限公司 Context-aware reputation of a place
CN106716508B (en) * 2014-09-26 2019-07-09 迈克菲有限公司 The context aware reputation in place
US11397761B2 (en) 2014-09-26 2022-07-26 Mcafee, Llc Context-aware reputation of a place
CN107241280A (en) * 2016-03-28 2017-10-10 瞻博网络公司 The dynamic prioritization of network traffics based on prestige
CN108876270A (en) * 2018-09-19 2018-11-23 惠龙易通国际物流股份有限公司 Automatic source of goods auditing system and method
CN108876270B (en) * 2018-09-19 2022-08-12 惠龙易通国际物流股份有限公司 Automatic goods source auditing system and method

Also Published As

Publication number Publication date
AU2008207924B2 (en) 2012-09-27
AU2008207924A1 (en) 2008-07-31
EP2115642A1 (en) 2009-11-11
WO2008091980A1 (en) 2008-07-31
EP2115642A4 (en) 2014-02-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100609