Method and system for processing a stream of information from a computer network using node based reputation characteristics

US 10,142,369 B2
Filed: 05/19/2014
Issued: 11/27/2018
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method, implemented in a computer system that includes at least one processor and at least one storage device, for determining a reputation of a node in a context using information received electronically from a plurality of submitters, the method comprising:

receiving, using the at least one processor, first information about one or more nodes from a first submitter of the plurality of submitters and second information about one or more nodes from a second submitter of the plurality of submitters, the one or more nodes being associated with a network;

identifying, using the at least one processor, a first reputation of the first submitter in the context and a second reputation of the second submitter in the context from a knowledge base,wherein a reputation of a submitter in a given context is based at least on assertions associated with past behavior of the submitter in the given context and attributes from each of the other submitters of the plurality of submitters, each assertion from each submitter of the other submitters of the plurality of submitters weighted by a reputation of the submitter in the given context;

calculating, using the at least one processor, a node reputation of the node in the context based upon at least the first reputation of the first submitter in the context and the first information received from the first submitter and the second reputation of the second submitter in the context and the second information received from the second submitter,wherein the node reputation of the node in a context is determined by calculating a sum of assertions from the submitter with respect to the context weighted by each submitter'"'"'s reputation in the context, wherein the node reputation is expressed as a rational number based on normalized assertions, wherein a normalized assertion is expressed as;

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing information from a variety of submitters, e.g., forensic sources. The method includes receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N. In a specific embodiment, the one or more nodes are associated respectively with one or more IP addresses on a world-wide network of computers. The method includes identifying a submitter reputation of the submitter from a knowledge base and associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter. The method also transfers the node reputation.

71 Citations

View as Search Results

20 Claims

1. A method, implemented in a computer system that includes at least one processor and at least one storage device, for determining a reputation of a node in a context using information received electronically from a plurality of submitters, the method comprising:
- receiving, using the at least one processor, first information about one or more nodes from a first submitter of the plurality of submitters and second information about one or more nodes from a second submitter of the plurality of submitters, the one or more nodes being associated with a network;
  
  identifying, using the at least one processor, a first reputation of the first submitter in the context and a second reputation of the second submitter in the context from a knowledge base,wherein a reputation of a submitter in a given context is based at least on assertions associated with past behavior of the submitter in the given context and attributes from each of the other submitters of the plurality of submitters, each assertion from each submitter of the other submitters of the plurality of submitters weighted by a reputation of the submitter in the given context;
  
  calculating, using the at least one processor, a node reputation of the node in the context based upon at least the first reputation of the first submitter in the context and the first information received from the first submitter and the second reputation of the second submitter in the context and the second information received from the second submitter,wherein the node reputation of the node in a context is determined by calculating a sum of assertions from the submitter with respect to the context weighted by each submitter'"'"'s reputation in the context, wherein the node reputation is expressed as a rational number based on normalized assertions, wherein a normalized assertion is expressed as;
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the first submitter and the second submitter are each one of a firewall log, a client device, a spam trap, a spam filter server, or a virus filter server.
  - 3. The method of claim 1 further comprising assigning a policy to the node based upon at least the node reputation.
  - 4. The method of claim 1 further comprising storing a reputation of a submitter in the knowledge base as legal evidence.
  - 5. The method of claim 1 further comprising receiving information about the one or more nodes from another submitter of the plurality of submitters, the another submitter being distinct from the first submitter and the second submitter, and wherein the first submitter and second submitters are distinct from the one or more nodes.
  - 6. The method of claim 1, wherein each of the context and the given context is one of Internet email, website content, reporting of Internet Protocol (IP) address, or voting of web content.

7. A system for determining a reputation of an actor associated with a network using information received electronically from a plurality of submitters, the system comprising:
- a processor;
  
  a non-transitory storage medium; and
  
  computer code stored in said non-transitory storage medium, wherein said computer code, when retrieved from said storage medium and executed by said processor, results in;
  
  receiving information about the actor from a submitter of the plurality of submitters;
  
  identifying a reputation of the submitter in the context from a knowledge base,wherein the reputation of the submitter is associated with past behavior of the submitter and is determined at least by assertions from one or more submitters from a second plurality of submitters weighted by reputations of the one or more submitters;
  
  calculating a reputation of the actor in the context by based upon at least the reputation of the submitter in the context and the information received from the submitter in the context, wherein the reputation of the actor in the context is determined at least by assertions regarding past behaviors of the actor in the context from the submitter weighted by the reputation of the submitter in the context;
  
  transferring to a user of the system the reputation of the actor in the context,wherein the reputation of the submitter in a context is determined by calculating a sum of assertions from the one or more submitters with respect to the context weighted by each submitter'"'"'s reputation in the context, wherein the reputation of the actor is expressed as a rational number based on normalized assertions, wherein a normalized assertion is expressed as;
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The system of claim 7 wherein the actor comprises one of an internet node or an entity controlling the behavior of a network node.
  - 9. The system of claim 8 wherein the entity comprises a human user or an automated computer program.
  - 10. The system of claim 7 wherein the actor comprises one of:
    - a combination of an internet node and an entity controlling the internet node either directly or remotely, ora combination of an internet node and an entity controlling the internet node, the actor being configured to operate through a proxy.
  - 11. The system of claim 7 wherein the actor is associated with one or more of the following identifiers:
    - an email address of a user, an attribute, a device identifier (ID) of a network node, an Internet service provider (ISP) name, a country of origin, an Internet protocol address, a host operating system, and a host identification number.
  - 12. The system of claim 7 wherein the information about the actor comprises information about fraudulent behaviors performed by the actor.
  - 13. The system of claim 7 further comprising one or more codes directed to processing at least the reputation of the submitter and information received from the submitter by a firewall process, an intrusion detection process, or a filtering process, wherein the reputation of the actor associates the actor with fraudulent behaviors.
  - 14. The method of claim 7, wherein the context is one of Internet email, website content, reporting of Internet Protocol (IP) address, or voting of web content.

15. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a system, cause the one or more processors to perform a set of steps comprising:
- receiving information about one or more nodes from a plurality of submitters, the one or more nodes being associated with a network;
  
  identifying, using the at least one processor, a reputation of each submitter of the plurality of submitters from a knowledge base, wherein the reputation of the submitter is associated with past behavior of the submitter;
  
  calculating, using the at least one processor, a node reputation of a node of the one or more nodes,wherein the node reputation of the node in a context is determined according to the equations;
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, further comprising receiving a request for submitter reputation information and transferring the submitter reputation information over a network.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the information is received via one of a push process or a pull process.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the node reputation comprises at least a score, the score being a measure of historic behavior.
  - 19. The non-transitory computer-readable medium of claim 15 further comprising determining one or more zones, each of the zones representing one or more of the nodes, each of the zones being associated with a unique set of reputations.
  - 20. The non-transitory computer-readable medium of claim 15, wherein each context of the plurality of contexts is one of Internet email, website content, reporting of Internet Protocol (IP) address, or voting of web content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/281,887
Publication Number

US 20150007253A1
Time in Patent Office

1,653 Days
Field of Search

726 11, 726 22, 726 25, 713150, 713153-155, 713189, 713190
US Class Current
CPC Class Codes

G06F 16/3331   Query processing

G06F 16/3334   Selection or weighting of t...

G06F 2216/03   Data mining

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Method and system for processing a stream of information from a computer network using node based reputation characteristics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for processing a stream of information from a computer network using node based reputation characteristics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links