Confidence scoring of device reputation based on characteristic network behavior
First Claim
1. A method of evaluating reputation of a requestor device that makes a request to a cloud-based resource on the internet, including:
- providing an initial response to the requestor device making a request to a cloud-based resource on the internet, the initial response including an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to;
collect data regarding at least internet round trip latency between the requestor device and four or more target addresses, each target address being different from one another, andreport the internet round trip latency for the target addresses;
compiling a characteristic vector for the requestor device including at least the reported internet round trip latency for the target addresses;
scoring the characteristic vector for similarity to expected characteristics of a first reference device at a first reference IP address expected to share internet round trip latency characteristics with the requestor device; and
storing, on a non-transitory computer-readable medium, at least one reputation score, wherein the reputation score is based at least in part on the scoring the characteristic vector and correlates with a likelihood that the requestor device is a bot or is operating through an anonymous proxy server.
9 Assignments
0 Petitions
Accused Products
Abstract
The technology disclosed relates to detection of anonymous proxies and bots making requests to a cloud based resource on the Internet, such as a web server or an App server. The technology can leverage one or more of: instrumentation of web pages that samples response times and other characteristics of communications by a requestor device over multiple network segments; lack of prior appearance of the requestor device across multiple, independently operated commercial web sites; and resolver usage by the requestor. These signals can be analyzed to score a requesting device'"'"'s reputation. A location reported by a user device can be compared to a network characteristic determined location.
-
Citations
19 Claims
-
1. A method of evaluating reputation of a requestor device that makes a request to a cloud-based resource on the internet, including:
-
providing an initial response to the requestor device making a request to a cloud-based resource on the internet, the initial response including an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to; collect data regarding at least internet round trip latency between the requestor device and four or more target addresses, each target address being different from one another, and report the internet round trip latency for the target addresses; compiling a characteristic vector for the requestor device including at least the reported internet round trip latency for the target addresses; scoring the characteristic vector for similarity to expected characteristics of a first reference device at a first reference IP address expected to share internet round trip latency characteristics with the requestor device; and storing, on a non-transitory computer-readable medium, at least one reputation score, wherein the reputation score is based at least in part on the scoring the characteristic vector and correlates with a likelihood that the requestor device is a bot or is operating through an anonymous proxy server. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A method of evaluating reputation of a requestor device that makes a request to a web site over the internet, including:
-
receiving requestor device characteristics including at least an internet protocol address, browser type and version identifiers, and operating system type and version identifiers with a request from the requestor device making the request to the web site; looking up in a requestor history database, that reflects requests compiled from more than 100 independently operating servers, a frequency of requests made by devices sharing the requestor device characteristics; scoring the requestor device characteristics for frequency and/or diversity of requests made to the independently operating servers within a predetermined recent time; and storing, on a non-transitory computer-readable medium, the scored requestor device characteristics, wherein the scored requestor device characteristics indicate whether the requestor device is a bot or is operating through an anonymous proxy server. - View Dependent Claims (15, 16)
-
-
17. A method of evaluating reputation of a requestor device that makes a request to a web site, including:
-
responsive to a request from the requestor device making a request to the web site, providing an initial response to a requestor device that includes an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to; collect and compile in a characteristic vector data regarding a resolver used by the requestor device to find IP addresses corresponding to fully qualified domain names and report the resolver used by the requestor device; and scoring the characteristic vector for matching expected resolver usage of a reference requestor device at a reference internet protocol address expected to share resolver usage characteristics with the requestor device; and storing, on a non-transitory computer-readable medium, at least one reputation score wherein the at least one reputation score correlates with a likelihood that the requestor device is a bot or is operating through an anonymous proxy server. - View Dependent Claims (18, 19)
-
Specification