US Patent 9065826 Identifying application reputation based on resource accesses

Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner.