Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers

US 10,116,677 B2
Filed: 08/15/2016
Issued: 10/30/2018
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for distinguishing a compromised client device from a masquerading device, the method comprising:

capturing, by a hardware processor of one or more servers, a plurality of attributes from a network device connecting to a web service, each of the attributes representing a parameter, the plurality of parameters uniquely identifying the network device from a plurality of other networks devices;

maintaining the network device free from any software programs associated with the capturing of the plurality of attributes;

determining, by the hardware processor, a device identifier based on a programmatic transformation of the plurality of attributes captured from the network device;

comparing, by the hardware processor, the device identifier against at least one existing device identifier determined by the hardware processor, wherein the at least one existing device identifier is generated based on a programmatic transformation of a plurality of attributes captured from a respective device; and

determining, by the hardware processor, if the network device is compromised based at least in part the comparison between the device identifier and an existing device identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for identifying a compromised client device from a masquerading device. The method includes capturing a plurality of attributes from a network device connecting to a web service. In a specific embodiment, each of the attributes represents a parameter, and the plurality of parameters uniquely identifying the network device from a plurality of other networks devices. The method maintains the network device substantially free from any software programs associated with the capturing of the plurality of attributes. That is, in a specific embodiment, the method does not rely on installing executable code in the network device to capture the attributes. Based on information associated with the attributes, the method can determine if the network device is compromised.

Citations

53 Claims

1. A method for distinguishing a compromised client device from a masquerading device, the method comprising:
- capturing, by a hardware processor of one or more servers, a plurality of attributes from a network device connecting to a web service, each of the attributes representing a parameter, the plurality of parameters uniquely identifying the network device from a plurality of other networks devices;
  
  maintaining the network device free from any software programs associated with the capturing of the plurality of attributes;
  
  determining, by the hardware processor, a device identifier based on a programmatic transformation of the plurality of attributes captured from the network device;
  
  comparing, by the hardware processor, the device identifier against at least one existing device identifier determined by the hardware processor, wherein the at least one existing device identifier is generated based on a programmatic transformation of a plurality of attributes captured from a respective device; and
  
  determining, by the hardware processor, if the network device is compromised based at least in part the comparison between the device identifier and an existing device identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising using fuzzy logic to process the attributes.
  - 3. The method of claim 1 further comprising determining existence and classification of a masquerading device.
  - 4. The method of claim 1 further comprising determining an identifier for a malicious device.
  - 5. The method of claim 1 further comprising testing with a known network device.
  - 6. The method of claim 1 wherein at least some of the attributes are related to one or more of ID information, network information, location information, device information, browser information, site information, or time information associated with the network device.
  - 7. The method of claim 1 wherein the ID information comprises one or more of Flash Cookie, first Party Browser Cookie, and third Party Browser Cookie.
  - 8. The method of claim 1 wherein the network information comprises one or more of IP Address, ISP, MTU, Connection Type, Connection Speed, Bogon Hijack Address, Static/ Dynamic Address, Proxy Address, TCP Sequence Number, and other TCP header code.
  - 9. The method of claim 1 wherein the location information comprises one or more of country, city, latitude, and longitude.
  - 10. The method of claim 1 wherein the device information comprises one or more of OS, Screen Resolution, Screen DPI, Start Time, Local Time, Clock-Offset, Clock-Dift, and Time Zone.
  - 11. The method of claim 1 wherein the browser information comprises one or more of Language, Browser version, Browser string, Javascript major and minor versions, Flash major and minor versions, Browser plug-ins or extensions, and Supported MIME types.
  - 12. The method of claim 1 wherein the site information comprises one or more of domain, domain owner, session id, merchant id, URL, referrer, advertisement, ID, and campaign ID.
  - 13. The method of claim 1 wherein the time information comprises one or more of seconds, hour, day, week, and month.

14. A method for identifying a network device, the method comprising:
- capturing, by a hardware processor of one or more servers, a plurality of attributes from the network device, each of the attributes representing a parameter;
  
  maintaining the network device free from any executable software programs associated with the capturing of the plurality of attributes;
  
  forming, by the hardware processor, a device identifier for the network device based on information related to the plurality of parameters, the identifier uniquely identifying the network device from a plurality of other networks devices;
  
  capturing, by the hardware processor, a second plurality of attributes from the network device; and
  
  evolving, by the hardware processor, the device identifier based on information related to the second plurality of parameters.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 52, 53)
- - 15. The method of claim 14 wherein measurement is triggered by software tags, including HTML, javascript, flash and java applets or ActiveX, that are embedded in a webpage to which the device is connecting.
  - 16. The method of claim 14 wherein measurement is performed by one or more servers that are located within the same logical networking domain as the website, or via servers hosted on an external domain.
  - 17. The method of claim 14 wherein measurement is done with reference to a local handle identifier for the purposes of retrieving the persistent and global device identifier through a web service.
  - 18. The method of claim 14 wherein at least some of the attributes are related to one or more of the ID information, network information, location information, device information, browser information, site information, or time information associated with the network device.
  - 19. The method of claim 15 wherein the ID information comprises one or more of Flash Cookie, first Party Browser Cookie, and third Party Browser Cookie.
  - 20. The method of claim 15 wherein the network information comprises one or more of IP Address, ISP, MTU, Connection Type, Connection Speed, Bogon Hijack Address, Static/ Dynamic Address, Proxy Address, TCP Sequence Number, and other TCP header code.
  - 21. The method of claim 15 wherein the location information comprises one or more of country, city, latitude, and longitude.
  - 22. The method of claim 15 wherein the device information comprises one or more of OS, Screen Res, Screen DPI, Start Time, Local Time, Clock-Dift, and Time Zone.
  - 23. The method of claim 15 wherein the browser information comprises one or more of Language, Browser version, Browser string, Javascript major and minor versions, Flash major and minor versions, Browser plug-ins or extensions, and Supported MIME types.
  - 24. The method of claim 15 wherein the site information comprises one or more of domain, domain owner, session id, merchant id, URL, referrer, advertisement, ID, and campaign ID.
  - 25. The method of claim 15 wherein the time information comprises one or more of seconds, hour, day, week, and month.
  - 26. The method of claim 14 wherein the device identifier is based on an associated set of measured attributes.
  - 27. The method of claim 14 wherein the measured attributes are free from personably identifiable information.
  - 28. The method of claim 14 wherein forming the device identifier is independent of a quality associated with the measured attributes, the quality being related to persistence, uniqueness, accuracy, coverage, speed, or integrity of the measured attributes.
  - 29. The method of claim 14 wherein the device identifier is formed based on information related to a subset of the plurality of parameters.
  - 30. The method of claim 14 wherein forming the device identifier over repeat measurements is independent with respect to variations in the quality of attributes measured, variations in the number of attributes able to be measured, and variations in the accuracy of attributes measured, variation in the device'"'"'s attribute values due to changing device characteristics.
  - 31. The method of claim 14 further comprising determining one or more of the following, based on information associated with the attributes:
    - a. if a device is connecting through an intermediate server,b. if a connection has been hijacked,c. if a device has a profile inconsistent with a normal internet browser,d. if a device demonstrates anomalous on-site behavior,e. if a device profile is consistent with that of a machine attempting to evade identification or detection,f. if a device is potentially infected, andg. if a device is attempting an action that may be construed as an attack on the visited website.
  - 32. The method of claim 14 wherein the time-period required to measure the necessary device attributes is sufficiently small to enable it to be completed prior or during a transaction performed online.
  - 33. The method of claim 14 wherein the device identifier can be shared globally within a network of organizations without sharing private information.
  - 34. The method of claim 14 wherein the device identifier is capable of being used to accumulate aggregated and correlated information about the device'"'"'s reputation, where reputation includes behavior or activity of both a positive or negative nature.
  - 35. The method of claim 14 wherein the device identifier or its associated attributes and reputation is used to cause an action to be triggered based on a match with a pre-defined rule.
  - 36. The method of claim 14 wherein the forming of the identifier is based on a matching logic.
  - 37. The method of claim 33 wherein the matching logic is implemented on one or more servers.
  - 38. The method of claim 33 wherein the matching logic is executed on local or remote servers.
  - 39. The method of claim 33 wherein additional transactions per second can be supported by adding more servers.
  - 40. The method of claim 33 wherein the matching logic is executed in parallel or in series.
  - 41. The method of claim 33 wherein the matching logic is added and removed without compromising previously generated device identifiers.
  - 42. The method of claim 33 wherein execution of matching logic is avoided if it is redundant.
  - 43. The method of claim 33 wherein changes to matching logic do not require changes to hardware or software code.
  - 44. The method of claim 33 wherein the matching logic comprising self-learning for optimizing performance and accuracy over time.
  - 45. The method of claim 33 wherein the matching logic is based on one or more of priority, equality, score, weighting, classification, or range associated with a rule.
  - 46. The method of claim 33 wherein the matching logic includes matching rules that are based on a combination of measured device attributes.
  - 47. The method of claim 33 wherein the matching logic includes matching rules that are grouped by priority, matching logic, or attributes.
  - 48. The method of claim 33 further comprising updating attributes associated with the device, wherein if an existing attribute set for a device identifier is compared against a returning device'"'"'s attribute and a match is found, then the existing attribute set is updated with the more recent attribute set.
  - 49. The method of claim 33 wherein the attributes and match identifier are provided by a web-service.
  - 50. The method of claim 46 wherein device identifiers provided by two separate web-services for the network device are identical.
  - 52. The system of claim 48 wherein the fingerprint server comprises a rule engine which uses a rule group based strategy.
  - 53. The system of claim 48 wherein the fingerprint server comprises a rule engine distributed fingerprint repository, and a reputation engine.

51. A system for uniquely identifying a network device associated with a web service, the system comprising:
- a measurement server comprising at least one hardware processor for measuring, collating, and classifying a plurality of attributes associated with the network device connecting to the web service, the plurality of attributes uniquely identifying the network device from a plurality of other networks devices;
  
  a fingerprint server comprising at least one hardware processor for receiving the plurality of attributes from the measurement server and generating an unique identifier for the network device based on a programmatic transformation of the measured plurality of attributes associated with the network device; and
  
  an application server comprising at least one hardware processor for receiving a verification request from the web service, the request being associated with the network device, the application server processing the request in communication with the matching server to compare the unique identifier against one or more existing unique identifiers stored in association with the matching server and receiving a matching unique identifier from the matching server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Faulkner, Alisdair, Goldie, Colin, Jones, David
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/237,385
Publication Number

US 20170230390A1
Time in Patent Office

806 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 41/0853   by actively collecting conf...

H04L 43/08   Monitoring or testing based...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/146   Markers for unambiguous ide...

Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links