This invention relates generally to computer security, and more particularly to providing users with a measure of assessed risks presented by computer files, websites, and/or other entities that can potentially compromise a computer.
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
While classical malware was usually mass-distributed to many computers, modern malware is often targeted and delivered to only a relative handful of computers. A Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Likewise, a false email can include a phishing attack that is directed to only customers of a certain bank or other electronic commerce site.
Mass-distributed malware can often be detected and disabled by conventional security software. The security software uses techniques such as signature scanning and behavior monitoring heuristics to detect the malware. However, these techniques are less effective for detecting targeted threats since there are fewer instances of the same malware, and the security software might not be configured to recognize it.
Moreover, even mass-distributed malware is becoming harder to detect. A malicious website might automatically generate new malicious code for every few visitors. As a result, the malware is widely distributed but only a small number of users have the exact same code, and it becomes impractical to generate signatures (and use signature scanning-based techniques) to detect it. Sometimes, the different versions of the malware perform different functions, which also makes the malware difficult to detect through heuristics and other techniques. Therefore, there is a need in the art for new ways to detect malware.
Further, security companies that analyze malware in order to develop signatures, heuristics, and other techniques for detecting it receive a large number of malware submissions. The security companies sometimes have no way to effectively measure the threat posed by submitted malware. For example, the security companies might not know whether submitted software is truly malicious or how widely a particular piece of malware is distributed. As a consequence, the security companies have a difficult time ranking or triaging the malware submissions to focus on analyzing the submissions that constitute the greatest threats.
There is a need in the art for ways to evaluate the threats posed by potential malware, and to communicate those threats effectively to users. With reputation-based systems, like those described in U.S. application Ser. No. 11/618,215, filed Dec. 29, 2006, a reputation for a software application or other entity is derived based on usage patterns of a community of users. An entity's reputation can then be used by another user to make a decision (manually by the user or automatically by the user's client system) about whether to use that entity. If not communicated effectively, however, reputation scores may confuse the users that they are intended to help. There is therefore a need to present the reputation of an application or other entity to a user in a way that the user can clearly understand.