1. Field of the Invention
This invention relates generally to computer security and particularly to detecting attempts to manipulate a reputation system for detecting malicious objects.
2. Description of the Related Art
A wide variety of malicious software (malware) can attack modem computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Malicious entities sometimes attack servers that store sensitive or confidential data that can be used to the malicious entity's own advantage. Similarly, other computers, including home computers, must be constantly protected from malicious software that can be transmitted when a user communicates with others via electronic mail, when a user downloads new programs or program updates, and in many other situations. The different options and methods available to malicious entities for attack on a computer are numerous.
Conventional techniques for detecting malware, such as signature string scanning, are becoming less effective. Modem malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Such malware might never be encountered by security analysts, and thus the security software might never be configured with signatures for detecting such malware. Mass-distributed malware, in turn, can contain polymorphisms that make every instance of the malware unique. As a result, it is difficult to develop signature strings that reliably detect all instances of the malware.
Newer techniques for detecting malware involve the use of reputation systems. A reputation system can determine the reputation of a file or other object encountered on a computer in order to assess the likelihood that the object is malware. One way to develop the reputation for an object is to collect reports from networked computers on which the object is found and base the reputation on information within the reports.
However, because such a reputation system relies on reports from what are essentially unknown parties, it is susceptible to subversion by malicious actors. For example, an entity distributing malware could attempt to “game” the reputation system by submitting false reports indicating that the malware is legitimate. Thus, there is a need for a reputation system that is able to withstand such attempts to subvert its operation.