Method and system for tracking machines on a network using fuzzy GUID technology

US 10,505,932 B2
Filed: 07/13/2018
Issued: 12/10/2019
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for tracking machines on a network of computers, the method comprising:

identifying a malicious host coupled to the network of computers;

determining a first IP (Internet Protocol) address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises behavioral information, wherein the behavioral information includes one or more of;

hours of usage and one or more sites visited;

calculating a first attribute fuzzy GUID (Globally Unique Identifier) based on the first IP address and the first set of one or more attributes;

identifying an unknown host during a second time period when the malicious host is in a latent state, the unknown host being associated with a second IP address and a second set of one or more attributes during the second time period;

calculating a second attribute fuzzy GUID based on the second IP address and the second set of one or more attributes;

determining, based on the first attribute fuzzy GUID and the second attribute fuzzy GUID, if the malicious host has moved from the first IP address to the second IP address; and

responsive to determining that the malicious host has moved from the first IP address to the second IP address, blocking access to one or more segments of the network of computers to one or more hosts associated with one or more of the first IP address and the second IP address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for querying a knowledge base of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base, and outputting second information associated with the unknown host based upon the querying process.

Citations

20 Claims

1. A computer-implemented method for tracking machines on a network of computers, the method comprising:
- identifying a malicious host coupled to the network of computers;
  
  determining a first IP (Internet Protocol) address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises behavioral information, wherein the behavioral information includes one or more of;
  
  hours of usage and one or more sites visited;
  
  calculating a first attribute fuzzy GUID (Globally Unique Identifier) based on the first IP address and the first set of one or more attributes;
  
  identifying an unknown host during a second time period when the malicious host is in a latent state, the unknown host being associated with a second IP address and a second set of one or more attributes during the second time period;
  
  calculating a second attribute fuzzy GUID based on the second IP address and the second set of one or more attributes;
  
  determining, based on the first attribute fuzzy GUID and the second attribute fuzzy GUID, if the malicious host has moved from the first IP address to the second IP address; and
  
  responsive to determining that the malicious host has moved from the first IP address to the second IP address, blocking access to one or more segments of the network of computers to one or more hosts associated with one or more of the first IP address and the second IP address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising storing in one or more memories of a knowledge database, one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID.
  - 3. The method of claim 1, further comprising determining if the unknown host is a different machine than the malicious host.
  - 4. The method of claim 1, wherein the second set of one or more attributes comprises behavioral information.
  - 5. The method of claim 1, wherein one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises identifier information.
  - 6. The method of claim 1, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises utilizing one or more pivot-points.
  - 7. The method of claim 1, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises retrieving a previously stored GUID from a knowledge database.

8. A system, comprising:
- a server comprising one or more processors, the server configured for communication with a network of computers;
  
  at least one memory in communication with the one or more processors, the at least one memory storing instructions that, when executed by the one or more processors, cause the system to;
  
  identify a malicious host coupled to the network of computers;
  
  determine a first IP (Internet Protocol) address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises behavioral information, wherein the behavioral information includes one or more of;
  
  hours of usage and one or more sites visited;
  
  calculate a first attribute fuzzy GUID (Globally Unique Identifier) based on the first IP address and the first set of one or more attributes;
  
  identify an unknown host during a second time period when the malicious host is in a latent state, the unknown host being associated with a second IP address and a second set of one or more attributes during the second time period;
  
  calculate a second attribute fuzzy GUID based on the second IP address and the second set of one or more attributes;
  
  determine, based on the first attribute fuzzy GUID and the second attribute fuzzy GUID, if the malicious host has moved from the first IP address to the second IP address; and
  
  responsive to determining that the malicious host has moved from the first IP address to the second IP address, block access to one or more segments of the network of computers to one or more hosts associated with one or more of the first IP address and the second IP address.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the instructions further cause the system to store, in a knowledge database, one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID.
  - 10. The system of claim 8, wherein the instructions further cause the system to determine if the unknown host is a different machine than the malicious host.
  - 11. The system of claim 8, wherein the second set of one or more attributes comprises behavioral information.
  - 12. The system of claim 8, wherein one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises identifier information.
  - 13. The system of claim 8, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises utilizing one or more pivot-points.
  - 14. The system of claim 8, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises retrieving a previously stored GUID from a knowledge database.

15. A non-transitory computer readable storage medium storing instructions for use with a server in communication with a network of computers, wherein the instructions are configured to cause the server to perform a method comprising:
- identifying a malicious host coupled to the network of computers;
  
  determining a first IP (Internet Protocol) address and a first set of one or more attributes associated with the malicious host during a first time period, wherein the first set of one or more attributes comprises behavioral information, wherein the behavioral information includes one or more of;
  
  hours of usage and one or more sites visited;
  
  calculating a first attribute fuzzy GUID (Globally Unique Identifier) based on the first IP address and the first set of one or more attributes;
  
  identifying an unknown host during a second time period when the malicious host is in a latent state, the unknown host being associated with a second IP address and a second set of one or more attributes during the second time period;
  
  calculating a second attribute fuzzy GUID based on the second IP address and the second set of one or more attributes;
  
  determining, based on the first attribute fuzzy GUID and the second attribute fuzzy GUID, if the malicious host has moved from the first IP address to the second IP address; and
  
  responsive to determining that the malicious host has moved from the first IP address to the second IP address, blocking access to one or more segments of the network of computers to one or more hosts associated with one or more of the first IP address and the second IP address.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium of claim 15, further comprising storing in one or more memories of a knowledge database, one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID.
  - 17. The non-transitory computer readable storage medium of claim 15, further comprising determining if the unknown host is a different machine than the malicious host.
  - 18. The non-transitory computer readable storage medium of claim 15, wherein the second set of one or more attributes comprises one or more of behavioral and identifier information.
  - 19. The non-transitory computer readable storage medium of claim 15, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises utilizing one or more pivot-points.
  - 20. The non-transitory computer readable storage medium of claim 15, wherein calculating one or more of the first attribute fuzzy GUID and the second attribute fuzzy GUID comprises retrieving a previously stored GUID from a knowledge database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US16/035,124
Publication Number

US 20180343254A1
Time in Patent Office

515 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 2201/86   Event-based monitoring

G06F 2221/2127   Bluffing

H04L 2463/146   Tracing the source of attacks

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Method and system for tracking machines on a network using fuzzy GUID technology

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for tracking machines on a network using fuzzy GUID technology

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links