Reputation-based Security
Reputation-based security is one component of a blended protection approach, which imposes multiple layers of security on the network. As a supplement to traditional signature-based protection, reputation-based security addresses the increasing need to spot zero-day attacks and other types of blended threats that may not be picked up by a signature-driven antivirus engine. This component instead gathers large quantities of data on senders and IP addresses throughout the entire Internet, and determines the reputation of each sender on a relative scale.
A reputation-based system is not designed to replace signature-based protection, but rather to supplement it. The system works by accumulating data from a network of thousands of endpoints, creating profiles of all sender activity, and then watching for deviations from expected behavior. As a result, it would be possible to detect the presence of a newly infected “zombie” computer, which would normally have a high reputation score. The system creates a reputation score for each sender or IP address, based on behavior.
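The profile-and-deviation idea above can be sketched as follows. This is an added example, not code from any vendor's product. The report format, the scoring formula, the z-score threshold and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reports: (endpoint, sender_ip, day, messages, spam_flagged).
REPORTS = [
    ("gw-a", "192.0.2.10", 1, 12, 0), ("gw-b", "192.0.2.10", 1, 9, 0),
    ("gw-a", "192.0.2.10", 2, 11, 0), ("gw-b", "192.0.2.10", 2, 8, 0),
    ("gw-a", "192.0.2.10", 3, 13, 0), ("gw-b", "192.0.2.10", 3, 10, 1),
    ("gw-a", "192.0.2.10", 4, 480, 3), ("gw-b", "192.0.2.10", 4, 510, 2),
    ("gw-a", "198.51.100.7", 1, 300, 270), ("gw-a", "198.51.100.7", 2, 310, 290),
    ("gw-a", "198.51.100.7", 3, 290, 265), ("gw-a", "198.51.100.7", 4, 305, 280),
]

def build_profiles(reports):
    """Merge reports from all endpoints into per-sender daily [messages, spam]."""
    profiles = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for _endpoint, ip, day, msgs, spam in reports:
        profiles[ip][day][0] += msgs
        profiles[ip][day][1] += spam
    return profiles

def reputation(history):
    """Score 0-100 from the share of messages not flagged (assumed formula)."""
    msgs = sum(m for m, _ in history)
    spam = sum(s for _, s in history)
    return round(100 * (1 - spam / msgs)) if msgs else 50  # 50 = unknown sender

def assess(profiles, ip, today, z_limit=3.0):
    """Return (prior reputation, volume z-score, deviation flag) for one sender."""
    days = profiles[ip]
    history = [days[d] for d in sorted(days) if d < today]
    if not history:
        return 50, 0.0, False  # no baseline yet, so nothing to deviate from
    volumes = [m for m, _ in history]
    # Floor the spread at 1.0 so a perfectly steady sender does not divide by zero.
    base, spread = mean(volumes), max(pstdev(volumes), 1.0)
    z = (days[today][0] - base) / spread
    return reputation(history), round(z, 1), z > z_limit

if __name__ == "__main__":
    profiles = build_profiles(REPORTS)
    for ip in ("192.0.2.10", "198.51.100.7"):
        score, z, deviates = assess(profiles, ip, today=4)
        # A high prior score combined with a deviation is the "zombie" pattern.
        print(f"{ip}: prior reputation={score}, z={z}, deviates={deviates}")
```

In the constructed data, 192.0.2.10 has a high prior score and a sudden volume spike, which is the newly infected sender case; 198.51.100.7 is a consistently bad sender that shows no deviation and is caught by its low score alone.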
The use of systems such as reputation-based security as a supplement to signature-based protection is part of the recent wisdom of implementing multiple layers of enforcement, where email security is enforced simultaneously at several locations, including desktop, mail server, mail gateway, firewall, and at the service provider level.
One of the earliest proponents of reputation-based security was CipherTrust, which implemented the concept through its TrustedSource technology. CipherTrust and the TrustedSource technology were acquired by Secure Computing in 2006, and the reputation-based technology was incorporated into Secure Computing’s offerings.