Field
Embodiments of the present invention generally relate to detection of malicious resources. In particular, embodiments of the present invention relate to active unified threat management (UTM) profiling and monitoring of client reputation scores by analyzing communication between a plurality of resources coupled to the network.
Description of the Related Art
In a network, such as a computing network or a telecommunication network, coupled to resources, such as computers, laptops, mobile devices, Personal Digital Assistants (PDAs), virtual servers, virtual machines, widgets, and the like, the resources are susceptible to hostile attacks arising as a result of malicious objects such as malware, web robots or BOTS, phishing, modified virus codes, and other viruses. The malicious objects may contaminate resources and initiate risky activities in the network, such as bad connection attempts, file sharing applications, session initiation for incoming connections, and so forth. Therefore, a resource contaminated with one or more malicious objects may be considered a malicious resource for the network.
Such malicious resources may further contaminate other resources in the network. Hence, detection of the malicious resources is essential for security and efficient performance of the resources coupled to the network.
A known technique to detect potential malicious resources involves identification of a signature or a representative code pattern within a file or process on the resource being scanned. In this technique, a signature of a file or process at issue is compared with a list of signatures corresponding to malicious objects. If the signature being checked is present in the list of signatures, the resource is, or has the potential of becoming, a malicious resource. In this technique, the list of signatures must be frequently updated; otherwise, a lag period between new threats and the corresponding signatures may develop. Moreover, this technique is less effective for modified virus codes and targeted attacks like spear phishing.
Another existing technique involves scanning for potential intrusions based on behavior of the resources (e.g., requests involving file sharing or any acts of communication to or from the resources). Such scanning involves dynamic monitoring of internal and external functioning of the resources receiving/sending the requests, and accordingly observing the behavior of the resources. This technique involves heavy processing and, like pattern matching, can produce false positives and can miss newly developed threats.
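The following is an added illustration, not part of this application or any cited prior-art system, of the two related-art techniques described above and their stated weaknesses. The file contents, event records, risk weights and threshold are constructed for the illustration only (the byte strings are arbitrary and are not real malware). The signature technique digests an object and looks the digest up in a list; a one-byte modification of a known object then goes undetected, as the text says for modified virus codes. The behavior technique weights observed activities per resource against a threshold; it catches the modified object's host by its bad connection attempts but also flags a legitimate file-sharing host, which is the false-positive weakness the text describes.

```python
import hashlib

# --- Constructed samples (arbitrary bytes, not real malware) ----------------
KNOWN_BAD = b"MZ\x90\x00payload-v1"
MODIFIED_BAD = b"MZ\x90\x00payload-v2"  # one byte differs from KNOWN_BAD
BENIGN = b"MZ\x90\x00hello-world"

# Constructed signature list: full-object SHA-256 digests of known malicious objects.
SIGNATURE_LIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(content: bytes, signatures=SIGNATURE_LIST) -> bool:
    """Signature technique: digest the object and look it up in the list."""
    return hashlib.sha256(content).hexdigest() in signatures


# --- Constructed behavior records: (resource, observed activity) -------------
EVENTS = [
    ("host-a", "bad_connection_attempt"),
    ("host-a", "bad_connection_attempt"),
    ("host-a", "bad_connection_attempt"),
    ("host-b", "file_sharing"),
    ("host-b", "file_sharing"),
    ("host-c", "file_sharing"),      # host-c is a legitimate backup server
    ("host-c", "file_sharing"),
    ("host-c", "file_sharing"),
    ("host-c", "file_sharing"),
    ("host-c", "inbound_session"),
]

# Hypothetical risk weights for the activity classes named in the text.
RISK_WEIGHTS = {
    "bad_connection_attempt": 2,
    "file_sharing": 1,
    "inbound_session": 1,
}


def behavior_score(events, resource) -> int:
    """Behavior technique: sum the weights of activities observed for one resource."""
    return sum(RISK_WEIGHTS.get(kind, 0) for res, kind in events if res == resource)


def classify(resource, content, events, threshold=4) -> str:
    """Flag a resource if its object matches a signature or its behavior score
    reaches the (hypothetical) threshold."""
    if signature_match(content):
        return "malicious"
    if behavior_score(events, resource) >= threshold:
        return "malicious"
    return "clean"


def run_demo() -> dict:
    """Return the outcomes that show each technique's stated weakness."""
    return {
        "known_bad_by_signature": signature_match(KNOWN_BAD),        # True
        "modified_bad_by_signature": signature_match(MODIFIED_BAD),  # False: evades the list
        "host-a": classify("host-a", MODIFIED_BAD, EVENTS),  # caught by behavior, not signature
        "host-b": classify("host-b", BENIGN, EVENTS),        # clean
        "host-c": classify("host-c", BENIGN, EVENTS),        # false positive on a backup server
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The contrast in the output is the point of the passage: the digest list misses a trivially modified object until the list is updated, while the behavior score has no such lag but, with fixed weights and no context about what a host is for, misclassifies ordinary file-sharing activity.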
In view of the foregoing, there exists a need for new and more effective techniques for detection of malicious resources in the network.