
Smart Protection Network – Data Mining Framework

When it comes to threat intelligence, size matters

Find out why managing big data is a big deal for your security

Read AimPoint Group white paper


The Trend Micro Smart Protection Network cloud data mining framework rapidly and accurately identifies new threats, delivering global threat intelligence to all our products and services. Ongoing advances in the depth and breadth of the Smart Protection Network allow us to look in more places for threat data and respond to new threats more effectively, securing data wherever it resides.

Handling the 3 Vs: Volume, Variety, Velocity

Today’s threat environment means vendors have to deal with the 3 Vs of big data: volume, variety, and velocity. Each of these is growing at an astounding rate and has required a shift in how security vendors mine and manage threat data.

We collect massive amounts of threat-specific data, then use big data analytics to identify, correlate, and analyze new threats. This produces actionable threat intelligence we use to deliver immediate protection through our proven cloud infrastructure.

Trend Micro’s ability to collect, identify and protect through the Smart Protection Network data mining framework ensures that the volume, velocity and variety of threat data are managed efficiently and effectively.

To understand more, see how CTO Raimund Genes, in his latest CTO Insights video blog, explains the use of big data within the Smart Protection Network framework to deliver improved protection against today’s threats.

Smart Protection Network’s global threat intelligence

  • Collects more threat data from a broader, more robust global sensor network to ensure customers are protected from the volume and variety of threats today, including mobile and targeted attacks
  • Identifies new threats faster using finely tuned custom data mining tools to root out new threats within the large data streams
  • Protects through a proven cloud-based infrastructure that provides the fastest possible protection against new threats and minimizes the risk associated with an attack

White paper: Big Data for Advanced Threat Protection: Key Criteria for Cutting Through the Clamor (PDF)
"Leveraging Big Data for information security purposes not only makes sense but is necessary."
Mark Bouchard, Aimpoint Group

White paper: Addressing Big Data Security Challenges: The Right Tools for Smart Protection (PDF)
Understand how Big Data is analyzed in the context of cyber security to ultimately benefit the end user.

The Smart Protection Network framework works in three distinct areas: data collection, identification, and protection.

Collecting data in volume

Thirty million new attacks emerge every year. Smart Protection Network is designed to seek out the massive volume of data that can uncover these attacks.

  • Collects and mines more than 6 terabytes of threat data each day from across the globe for greater visibility into the nature of attacks
  • Continuously taps a worldwide network of sandnets, submissions, feedback loops, web crawling technologies, customers and partners, and TrendLabs researchers
  • Seeks out extensive variety of potential threat sources including IP, domain, file, vulnerabilities and exploits, mobile apps, command and control communications, network communications, and threat actors


Identifying global threats through big data analytics

We pioneered the use of big data analytics for threat intelligence when we started building the Smart Protection Network some seven years ago. We host thousands of event feeds and stream billions of events in our data centers, and have become experts in the data mining tools and techniques required to make sense of the variety of threats and attacks being perpetrated.

  • Correlates critical relationships among all components of an attack
  • Models cybercriminal behavior and the environments they work in to quickly determine whether something is good or bad
  • Proactively identifies new threats from the data streams using behavioral-based identification methods


Protecting customers wherever their data resides

It’s critical to match the velocity of attacks with an equally fast response. We consistently demonstrate faster time to protect in independent tests.

  • Proven cloud infrastructure rapidly delivers threat intelligence across physical, virtual, cloud, and mobile environments
  • Processing threat information in the cloud reduces demand on system resources and eliminates time-consuming signature downloads
  • Higher performance and lower maintenance reduce operating cost



Mobile App Reputation

An industry first, Trend Micro Mobile App Reputation dynamically collects and rates mobile applications for malicious activity, resource usage and privacy violations.

Mobile App Reputation technology can be easily integrated by service providers and application developers to provide apps of higher quality and better security to app stores, while users avoid privacy risks and high resource consumption.

Correlation with other reputation technologies ensures Trend Micro customers are protected from malicious mobile apps and web pages where these apps are located.

  • Provides users critical information about apps they are using
  • Prevents malicious apps from being downloaded
  • Identifies apps that may abuse privacy or device resources


Trend Micro has been using an in-the-cloud whitelist (GRID – Goodware Resource and Information Database) for many years to protect against false positives.

Our endpoint products query the whitelist whenever a suspicious file is identified to check if the file is a known good file. The database is also used by threat researchers to quickly eliminate known good files from being analyzed during our processes for identifying malicious content.

  • Leverages one of the largest whitelisting databases in the world for fast, accurate identification of known good events
  • In-the-cloud database developed over several years reduces false positives
  • Allows threat researchers to focus on suspicious or malicious content, thereby speeding up identification of new threats

Vulnerabilities and Exploits

Cybercriminals exploit vulnerabilities in software programs to steal data and perform other malicious acts.

Trend Micro researchers constantly monitor and work with third-party vendors whose applications may be exploited by criminals. We also monitor exploits at various sources and watch criminal communications and sites for active exploit code.

This lets us quickly identify and correlate the threat intelligence needed to block exploits of software vulnerabilities, known or unknown, and so protect our customers even before a vendor patch is available.

  • Quickly discovers and adds protection from known and zero-day exploits
  • Shields known and unknown vulnerabilities from exploitation until they can be patched
  • Correlates exploit intelligence to other threats used by cybercriminals in attacks

Network Traffic Intelligence

Trend Micro operates large sandnets that are constantly fed from various global sources of malware samples.

This provides our researchers with gigabytes of malicious network traffic that is filtered, processed, and analyzed to create and test intelligent rules to detect malicious communications and behaviors. Additionally, threat researchers perform penetration testing in simulated enterprise network environments providing them with rich network traffic for further rule development and testing.

Key Benefits

  • Quickly identifies botnet or targeted attack behaviors
  • Correlates threat intelligence and blocks all aspects of an attack
  • Adds another layer of protection for customers using network-based solutions
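The rules derived from sandnet traffic are typically behavioral rather than signature-based. The following is an added example, not Trend Micro code, of one such behavior: an internal host contacting the same external endpoint at a near-constant interval with near-constant payload sizes, which is how many botnet and targeted-attack implants poll their command and control servers. The flow records are constructed for the example; the thresholds (five connections, 15% interval jitter, 20% size variation) are illustrative assumptions, not values from the page.

```python
"""Periodic-beacon detection over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log, one record per line: epoch seconds, src, dst, dst port, bytes.
# Host 10.0.0.5 polls 203.0.113.7 roughly every 60 s with ~512-byte requests;
# host 10.0.0.9 talks to 198.51.100.2 irregularly with varied sizes (normal use).
FLOWS = """\
1000 10.0.0.5 203.0.113.7 443 512
1060 10.0.0.5 203.0.113.7 443 520
1121 10.0.0.5 203.0.113.7 443 508
1180 10.0.0.5 203.0.113.7 443 515
1241 10.0.0.5 203.0.113.7 443 511
1300 10.0.0.5 203.0.113.7 443 519
1005 10.0.0.9 198.51.100.2 443 30412
1012 10.0.0.9 198.51.100.2 443 1200
1090 10.0.0.9 198.51.100.2 443 88012
1400 10.0.0.9 198.51.100.2 443 402
1401 10.0.0.9 198.51.100.2 443 9031
1700 10.0.0.9 198.51.100.2 443 77
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows.append((int(ts), src, dst, int(port), int(size)))
    return flows


def beacon_candidates(flows, min_conns=5, max_jitter=0.15, max_size_cv=0.2):
    """Return (src, dst, port, interval_seconds) for pairs that look like beacons.

    jitter  : coefficient of variation of the inter-arrival times
    size_cv : coefficient of variation of the byte counts
    A beacon has many connections, low jitter and small, uniform payloads.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_pair[(src, dst, port)].append((ts, size))

    found = []
    for key, events in by_pair.items():
        if len(events) < min_conns:
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        gap_mean = mean(gaps)
        if gap_mean <= 0:
            continue
        jitter = pstdev(gaps) / gap_mean
        size_cv = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            found.append((*key, round(gap_mean)))
    return found


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(parse_flows(FLOWS)):
        print(f"beacon-like: {src} -> {dst}:{port} every ~{interval}s")
```

In production the same statistic is computed over a sliding window per (source, destination, port) and tuned against benign periodic traffic (NTP, update checks, monitoring agents), which is exactly the false-positive testing the sandnet and simulated-enterprise traffic described above is used for.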

Threat Actor Intelligence

Trend Micro threat researchers actively investigate and research the cybercriminal underground.

Analyzing the tools and techniques used by threat actors allows us to develop models of behavior and tools that help us identify new threats. Applying these tools and models to the data we receive from our global sensornet lets us quickly identify any new threats that may be propagating.

This research also allows us to develop proactive detection of new threats before they are used by the cybercriminals.

  • Proactively protects against new threats developed within the cybercriminal underground community
  • Identifies new attack methods early, minimizing the attack window
  • Collaborates with law enforcement to identify and apprehend known cybercriminals

Enhanced Web Reputation

With one of the largest domain-reputation databases in the world, Trend Micro’s web reputation technology tracks the credibility of web domains.

We assign a reputation score based on factors such as a website’s age, historical location changes and indications of suspicious activities discovered through malware behavior analysis. We’ve advanced how we apply web reputation to keep pace with new types of criminal attacks that can come and go very quickly, or try to stay hidden.

1st Generation Web Reputation

  • Centralized downloading
  • Download content and test it


2nd Generation Web Reputation

  • Requires multiple components to work in collaboration; one is not enough
  • Smart Feedback (feedback from real-world sensors)
  • Sandboxing /emulation (threat intelligence coming from live analysis of web pages)
  • Cybercriminal monitoring/detective work (TrendLabs threat researchers investigate tools and techniques of cybercriminals)



  • Blocks users from accessing compromised or infected sites
  • Blocks users from communicating with command and control (C&C) servers used by criminals
  • Blocks access to malicious domains registered by criminals for perpetrating cybercrime

Email Reputation

Trend Micro’s multilayer email reputation technology combines IP reputation, content analysis, and backend correlation to respond to email threats in real time.

The first layer of defense validates IP addresses by checking them against a reputation database of known spam sources; the second layer uses machine learning to identify malicious or spam-like content; the third layer correlates email with our other threat data so that, for example, it can immediately block a link to a malicious URL identified by our web reputation technology.

  • Blocks malicious emails and spam sent from zombie (compromised) hosts in the cloud, before they reach you
  • Protects users from social engineering and phishing attacks
  • Includes language-independent rules to identify threats such as phishing links, as well as language-dependent modules to identify spam indicators in multiple languages
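The three layers described above can be pictured as a pipeline in which each layer contributes a verdict and the strongest verdict wins. The following is an added example, not Trend Micro's implementation: the spam-source IP list and malicious-domain list are constructed stand-ins for the real reputation databases, and the content layer is a simple indicator count standing in for the machine-learning classifier. The sample messages are constructed as well.

```python
"""Layered email verdict: IP reputation, content analysis, URL correlation (added example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed reputation data, not real feeds.
SPAM_SOURCE_IPS = {"192.0.2.44"}                 # layer 1: known spam senders
MALICIOUS_DOMAINS = {"login-verify.example"}     # layer 3: web-reputation verdicts
RANK = {"deliver": 0, "quarantine": 1, "block": 2}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def sending_ip(msg):
    """Take the connecting IP from the first Received header (constructed format)."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return m.group(1)
    return None


def content_score(body):
    """Stand-in for the ML content layer: count phishing-style indicators."""
    indicators = ["verify your account", "urgent", "click here", "suspended"]
    text = body.lower()
    return sum(text.count(i) for i in indicators)


def extract_domains(body):
    """Hostnames of every URL in the body, for correlation with web reputation."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h for h in hosts if h}


def classify(raw, content_threshold=2):
    """Run all three layers and return (verdict, [reasons])."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    ip = sending_ip(msg)                       # layer 1: IP reputation
    if ip in SPAM_SOURCE_IPS:
        reasons.append(("block", f"ip-reputation:{ip}"))

    score = content_score(body)                # layer 2: content analysis
    if score >= content_threshold:
        reasons.append(("quarantine", f"content-score:{score}"))

    for domain in sorted(extract_domains(body) & MALICIOUS_DOMAINS):
        reasons.append(("block", f"url-reputation:{domain}"))   # layer 3: correlation

    verdict = "deliver"
    for v, _ in reasons:
        if RANK[v] > RANK[verdict]:
            verdict = v
    return verdict, [r for _, r in reasons]


# Constructed sample messages.
SAMPLES = {
    "spam_source": """Received: from mx.example.net ([192.0.2.44]) by mail.example.org
From: news@example.net
To: alice@example.org
Subject: hello

Weekly newsletter.
""",
    "phish": """Received: from relay.example.com ([198.51.100.10]) by mail.example.org
From: it@example.org
To: alice@example.org
Subject: Account notice

Urgent: verify your account at http://login-verify.example/reset or it will be suspended.
""",
    "clean": """Received: from relay.example.com ([198.51.100.10]) by mail.example.org
From: bob@example.org
To: alice@example.org
Subject: lunch

Click here if you want the menu: http://intranet.example.org/menu
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The point of evaluating every layer rather than stopping at the first hit is that the reasons are themselves threat intelligence: a message that is both a content hit and a URL-reputation hit tells the backend which campaign the domain belongs to, which is the correlation the third layer is for.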

Enhanced File Reputation

File reputation decouples the pattern file from the local scan engine and conducts pattern file lookups over the network to a Smart Protection Server, which may reside in a public or private cloud.

This in-the-cloud approach eliminates the need to deploy a large number of pattern files to hundreds or thousands of endpoints. As soon as the pattern is updated on the Smart Protection Server, protection is immediately available to all clients.

We continually enhance file reputation to improve malware detection. Smart Feedback allows Trend Micro to use community feedback of files from millions of users to identify pertinent information such as the prevalence of a file, geo-location, age, first seen, last seen and other data that helps determine the likelihood that a file is malicious.

Used in conjunction with our in-the-cloud whitelist, this keeps false positives to a minimum. The technology is used today in our backend infrastructure and is making its way into our solutions.

  • Checks the reputation of each file against an extensive database before permitting user access
  • Uses high performance content delivery networks and local caching servers to ensure minimum latency during the validation process
  • Leverages cloud-client architecture to decrease the size of the local pattern file, thus minimizing demand on network resources

Big Data Analytics and Data Mining Correlation

Using customized tools for analyzing the massive amount of threat data received daily, and correlating the different components of an attack, allows us to continuously update our global threat intelligence.

Trend Micro has the distinct advantage of being able to respond in real time, providing immediate and automatic protection from the multitude of threats.

  • Applies behavior analysis to combinations of activities and threat components to determine whether they are malicious
  • Continuously updates and correlates global threat intelligence to ensure real-time threat response, be it from a malicious website, mobile app, spam sender or infected file
  • Provides visibility into the relationships within targeted attack campaigns, such as geo-location, targeted organizations, and attack methods

Smart Protection Server

For those organizations that have limited bandwidth or are concerned with privacy, Smart Protection Server keeps communications and queries within the local network.

  • Performs web and file reputation queries directly to local servers, without the need to go to the public cloud
  • Saves network bandwidth and improves efficiency of endpoint security updates
  • Ensures privacy of your data

Smart Feedback

Attackers carefully select their targets, moving away from large-scale attacks to focus on more specific and more “personal” targets.

As such, it is more important than ever to obtain feedback from customers to identify new sources of attacks. This collaboration between Trend Micro and our customers allows us to improve the protection for everyone—“a neighborhood watch” system of community protection via 24x7 communication between Trend Micro products, research centers and technologies for "better together" security.

  • Automatically updates Trend Micro’s global threat intelligence each time a new threat is identified on a single customer’s routine reputation check
  • Improves the speed with which we can identify new threats
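The whitelist (GRID), Enhanced File Reputation, Smart Protection Server and Smart Feedback sections above describe one client-side flow: hash a suspicious file, consult a local cache, consult the known-good list, then query a reputation server that may sit on the local network, and report back anything the server has not seen. The following is an added example of that flow, not Trend Micro's client or protocol: the known-good list and the server's verdict table are constructed in-process stand-ins, the sample "files" are inline byte strings, and the choice to send only SHA-256 digests (never file contents) and to cache verdicts for a fixed TTL are assumptions of the example.

```python
"""File-reputation lookup with cache, known-good list and reputation server (added example)."""
import hashlib
import time

# Constructed sample files (inline bytes, not real software or malware).
FILES = {
    "notepad.exe": b"MZ\x90\x00 known good editor stub",
    "dropper.exe": b"MZ\x90\x00 constructed bad sample",
    "report.docx": b"PK\x03\x04 ordinary document",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed known-good list (GRID role) and server verdicts, keyed by SHA-256.
KNOWN_GOOD = {sha256_hex(FILES["notepad.exe"])}
SERVER_VERDICTS = {sha256_hex(FILES["dropper.exe"]): "malicious"}


class ReputationServer:
    """Stand-in for a local Smart Protection Server; counts queries so the
    effect of client-side caching is observable."""

    def __init__(self, verdicts):
        self.verdicts = verdicts
        self.queries = 0

    def lookup(self, digest):
        self.queries += 1
        return self.verdicts.get(digest, "unknown")


class ReputationClient:
    """Endpoint side: cache -> known-good list -> server, reporting unknowns."""

    def __init__(self, server, known_good, ttl=300):
        self.server = server
        self.known_good = known_good
        self.ttl = ttl              # assumed cache lifetime in seconds
        self.cache = {}             # digest -> (verdict, expiry)
        self.feedback = []          # unknown digests reported back (Smart Feedback role)

    def check(self, data, now=None):
        """Return (verdict, source) for a file's bytes; only the digest leaves the host."""
        now = time.time() if now is None else now
        digest = sha256_hex(data)

        hit = self.cache.get(digest)
        if hit and hit[1] > now:
            return hit[0], "cache"

        if digest in self.known_good:           # known good: never query or scan further
            self.cache[digest] = ("clean", now + self.ttl)
            return "clean", "known-good"

        verdict = self.server.lookup(digest)    # network lookup replaces a local pattern file
        if verdict == "unknown":
            self.feedback.append(digest)        # new sample: feed it back for analysis
        self.cache[digest] = (verdict, now + self.ttl)
        return verdict, "server"


if __name__ == "__main__":
    server = ReputationServer(SERVER_VERDICTS)
    client = ReputationClient(server, KNOWN_GOOD)
    for name, data in FILES.items():
        print(name, client.check(data))
    print("server queries:", server.queries, "fed back:", len(client.feedback))
```

Two properties worth noting: the known-good check comes before the server query, so a whitelisted file costs no network round trip and can never be turned into a false positive by a later bad verdict, and the server only ever sees digests, which is what makes an on-premises Smart Protection Server a privacy-preserving choice rather than a pure bandwidth optimization.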

If the tools and technologies that comprise the Smart Protection Network took on a life of their own you wouldn’t see a squad of super heroes with magical powers, but a diligent investigative team with the brains and brawn of a special forces squad that tackles cyber crime wherever it lurks.