Method and system for tracking machines on a network using fuzzy guid technology

US 10,027,665 B2
Filed: 09/12/2016
Issued: 07/17/2018
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus for tracking machines on a network of computers, the apparatus comprising at least one processor and at least one memory storing computer code that, when executed by the at least one processor, causes the apparatus to:

identify a malicious host coupled to the network of computers;

determine a first IP address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises information about activities performed by the malicious host during the first time period;

classify the malicious host to be in a determined state;

during a second time period, classify the malicious host to be in a latent state;

identify an unknown host during the second time period, the unknown host being associated with a second IP address and a second set of one or more attributes, wherein the second set of one or more attributes comprises information about activities performed by the unknown host during the second time period;

process the second IP address and the second set of one or more attributes of the unknown host with the first IP address and the first set of one or more attributes of the malicious host; and

determine, based on the processing of the second IP address and the second set of one or more attributes of the unknown host with the first IP address and the first set of one or more attributes of the malicious host, if the malicious host has moved from the first IP address to the second IP address, thereby identifying if the unknown host is the malicious host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.

Citations

19 Claims

1. An apparatus for tracking machines on a network of computers, the apparatus comprising at least one processor and at least one memory storing computer code that, when executed by the at least one processor, causes the apparatus to:
- identify a malicious host coupled to the network of computers;
  
  determine a first IP address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises information about activities performed by the malicious host during the first time period;
  
  classify the malicious host to be in a determined state;
  
  during a second time period, classify the malicious host to be in a latent state;
  
  identify an unknown host during the second time period, the unknown host being associated with a second IP address and a second set of one or more attributes, wherein the second set of one or more attributes comprises information about activities performed by the unknown host during the second time period;
  
  process the second IP address and the second set of one or more attributes of the unknown host with the first IP address and the first set of one or more attributes of the malicious host; and
  
  determine, based on the processing of the second IP address and the second set of one or more attributes of the unknown host with the first IP address and the first set of one or more attributes of the malicious host, if the malicious host has moved from the first IP address to the second IP address, thereby identifying if the unknown host is the malicious host.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1 wherein the one or more attributes comprises an IP range, ISP, country, ISP practice, or range class within the ISP.
  - 3. The apparatus of claim 1 wherein the network of computers includes a world-wide network of computers.
  - 4. The method apparatus of claim 1 further caused to determine if the unknown host is a different machine than the malicious host.

5. An apparatus for querying a knowledgebase of malicious hosts numbered from 1 through N, the apparatus comprising at least one processor and at least one memory storing computer code that, when executed by the at least one processor, causes the apparatus to:
- communicably couple to a network of computers, the network of computers including a plurality of unknown malicious host machines, the malicious host machines being disposed throughout the network of computers, the network of computers including a world-wide network of computers;
  
  query a knowledge base including information about a plurality of known malicious hosts, the plurality of known malicious hosts being numbered from 1 through N, where N is an integer greater than 1, the knowledge base being a database communicably coupled to the network of computers;
  
  receive first information associated with an unknown host from the network of computers, wherein the first information comprises information about activities performed by the unknown host;
  
  identify a fuzzy GUID of the unknown host based on the received first information;
  
  query the knowledge base, using the first information, to determine if the unknown host is one of the known malicious hosts in the knowledge base; and
  
  output second information associated with the unknown host based upon the querying process.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The apparatus of claim 5 wherein N is an integer three million or more.
  - 7. The apparatus of claim 5 further caused to, if the unknown host is one of the known malicious hosts, update a filter to block access by the malicious host to one or more segments of the network of computers.
  - 8. The apparatus of claim 5 further comprising outputting an alert to signify the malicious host, if the unknown host is determined to be one of the malicious hosts.
  - 9. The apparatus of claim 5 wherein the identifying of the unknown host further comprises:
    - determining a plurality of identity attributes for the unknown host;
      
      assigning a quality measure to each of the plurality of identity attributes;
      
      collecting one or more evidences from the unknown host, the one or more evidences comprising information about activities performed by the unknown host;
      
      determining, based on the one or more evidences, an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host;
      
      processing the attribute fuzzy GUID for each of the plurality of attributes, in an order from a highest quality measure to a lowest quality measure, to determine a host fuzzy GUID for the unknown host.
  - 10. The apparatus of claim 9 wherein the one or more attributes comprises an IP range, ISP, country, ISP practice, or range class within the ISP.
  - 11. The apparatus of claim 9 further comprising selecting a second plurality of identity attributes characterized by quality measures higher than a predetermined value.

12. An apparatus for populating a database to form a knowledge base of malicious host entities, the apparatus comprising at least one processor and at least one memory storing computer code that, when executed by the at least one processor, cause the apparatus to:
- determine a plurality of identity attributes for an unknown host;
  
  assign a quality measure to each of the plurality the identity attributes;
  
  collect one or more evidences from the unknown host, wherein the one or more evidences comprises information about activities performed by the unknown host;
  
  determine, based on the one or more evidences, an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host;
  
  process the attribute fuzzy GUID for each of the plurality of attributes, in an order from a highest quality measure to a lowest quality measure, to determine a host fuzzy GUID for the unknown host; and
  
  store the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12 wherein the one or more attributes comprises an IP range, ISP, country, ISP practice, or range class within the ISP.
  - 14. The apparatus of claim 12 further caused to select a second plurality of identity attributes characterized by quality measures higher than a predetermined value.

15. A computer based system for populating a database to form a knowledge base of malicious host entities, the system comprising at least one server and at least one machine readable memory or memories, the memory or memories storing instructions that, when executed by the at least one server, cause the system to:
- determine a plurality of identity attributes for an unknown host;
  
  assign a quality measure to each of the plurality the identity attributes;
  
  collect one or more evidences from the unknown host, wherein the one or more evidences comprises information about activities performed by the unknown host;
  
  determine, based on the one or more evidences, an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host;
  
  process the attribute fuzzy GUID for each of the plurality of identity attributes, in an order from a highest quality measure to a lowest quality measure, to determine a host fuzzy GUID for the unknown host; and
  
  store the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15 wherein the unknown host is one of a plurality of computing devices in a world-wide network of computers.
  - 17. The system of claim 15 wherein the knowledge base comprises information about a plurality of malicious hosts.
  - 18. The system of claim 15 wherein the host fuzzy GUID comprises an identifier.
  - 19. The system of claim 18 wherein the identifier is an IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US15/263,113
Publication Number

US 20170250983A1
Time in Patent Office

673 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 2201/86   Event-based monitoring

G06F 2221/2127   Bluffing

H04L 2463/146   Tracing the source of attacks

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Method and system for tracking machines on a network using fuzzy guid technology

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for tracking machines on a network using fuzzy guid technology

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links