Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data
Abstract
A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer systems for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.
17 Claims
1. A method of tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the computer network having a plurality of computer systems, where each of the computer systems maintains connection records of transmitted data it receives, the transmitted data and connection records including a previous computer system address, a data payload, and a next computer system address, the method comprising the steps of:
(1) creating, at each of the computer systems, a connection record for each transmission received from another computer system through the computer network;
(2) generating and storing a statistical distribution for the data payload in each connection record;
(3) identifying the suspect data payload at the end target computer system and generating a statistical distribution of said suspect data payload;
(4) setting the end target computer system as the suspect computer system;
(5) comparing the suspect data payload statistical distribution to the data payload statistical distributions associated with connection records of the suspect computer system;
(6) upon finding a data payload statistical distribution that is similar to the suspect data payload statistical distribution in said step (5), determining the previous computer system address associated with the similar data payload statistical distribution;
(7) setting the computer system associated with the previous computer system address as the suspect computer system; and
(8) repeating said steps (5)-(7) until the origin computer system is determined.
15. A system for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, comprising:
at least one computer system connected to said computer network for providing network service to one or more users, each said at least one computer systems maintaining connection records of transmitted data it receives, whereby the connection records include a previous computer system address, a data payload, and a next computer system address;
said at least one computer system being configured to:
(1) create a connection record for each transmission received from another computer system through said computer network;
(2) generate and store a statistical distribution for the data payload in each connection record;
(3) identify the suspect data payload at the end target computer system and generate a statistical distribution of said suspect data payload;
(4) set the end target computer system as the suspect computer system;
(5) compare the suspect data payload statistical distribution to the data payload statistical distributions associated with connection records of the suspect computer system;
(6) upon finding a data payload statistical distribution that is similar to the suspect data payload statistical distribution in said step (5), determine the previous computer system address associated with the similar data payload statistical distribution;
(7) set the computer system associated with the previous computer system address as the suspect computer system; and
(8) repeat said steps (5)-(7) until the origin computer system is determined.
16. A system for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, comprising:
at least one computer system connected to said computer network for providing network service to one or more users, each said at least one computer systems maintaining connection records of transmitted data it receives, whereby the connection records include a previous computer system address, a data payload, and a next computer system address;
(1) means for creating, at each of the computer systems, a connection record for each transmission received from another computer system through the computer network;
(2) means for generating and storing a statistical distribution for the data payload in each connection record;
(3) means for identifying the suspect data payload at the end target computer system and generating a statistical distribution of said suspect data payload;
(4) means for setting the end target computer system as the suspect computer system;
(5) means for comparing the suspect data payload statistical distribution to the data payload statistical distributions associated with connection records of the suspect computer system;
(6) means for determining the previous computer system address associated with the similar data payload statistical distribution, upon finding a data payload statistical distribution that is similar to the suspect data payload statistical distribution in said step (5);
(7) means for setting the computer system associated with the previous computer system address as the suspect computer system; and
(8) means for repeating said steps (5)-(7) until the origin computer system is determined.
17. A computer readable medium carrying instructions executable by a computer for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, said instructions causing said computer to perform the acts of:
(1) creating, at each of a plurality of computer systems within said computer network, a connection record for each transmission received from another computer system through the computer network, wherein each connection records including a previous computer system address, a data payload, and a next computer system address;
(2) generating and storing a statistical distribution for the data payload in each connection record;
(3) identifying the suspect data payload at the end target computer system and generating a statistical distribution of said suspect data payload;
(4) setting the end target computer system as the suspect computer system;
(5) comparing the suspect data payload statistical distribution to the data payload statistical distributions associated with connection records of the suspect computer system;
(6) upon finding a data payload statistical distribution that is similar to the suspect data payload statistical distribution in said step (5), determining the previous computer system address associated with the similar data payload statistical distribution;
(7) setting the computer system associated with the previous computer system address as the suspect computer system; and
(8) repeating said steps (5)-(7) until the origin computer system is determined.
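The hop-by-hop trace recited in steps (1)-(8) of the claims above, as an added example that is not code from the patent. It assumes byte 1-gram distributions, a Manhattan distance with a 0.2 similarity threshold, and a constructed topology (hosts A, B, R1, R2, T); the claims only require that the distributions be "similar".

```python
from collections import Counter

def ngram_dist(payload: bytes, n: int = 1) -> dict:
    """Relative frequency of every byte n-gram in the payload."""
    grams = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()}

def distance(p: dict, q: dict) -> float:
    """Manhattan distance (assumed metric): 0.0 identical, 2.0 disjoint."""
    return sum(abs(p.get(g, 0.0) - q.get(g, 0.0)) for g in set(p) | set(q))

def record(log: dict, host: str, prev_addr: str, next_addr: str, payload: bytes):
    """Steps (1)-(2): the host stores the addresses plus the distribution only."""
    log.setdefault(host, []).append((prev_addr, next_addr, ngram_dist(payload)))

def trace_origin(log, target, suspect_payload, threshold=0.2):
    """Steps (3)-(8): follow previous-hop addresses while a similar record exists."""
    suspect = ngram_dist(suspect_payload)
    path = [target]
    while path[-1] in log:
        dist, prev = min((distance(suspect, d), p) for p, _next, d in log[path[-1]])
        if dist > threshold or prev in path:   # no similar record, or a loop
            break
        path.append(prev)
    return path

def demo():
    """Constructed topology A -> R1 -> R2 -> T; each relay appends a tag,
    so the payload is similar, not byte-identical, from hop to hop."""
    p0 = b"XQZ-constructed-suspect-payload " * 8
    p1, p2 = p0 + b" via r1", p0 + b" via r1 via r2"
    benign = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    log = {}
    record(log, "R1", "A", "R2", p0)
    record(log, "R1", "B", "R2", benign)
    record(log, "R2", "R1", "T", p1)
    record(log, "R2", "B", "T", benign)
    record(log, "T", "R2", "T", p2)
    return log, p2

if __name__ == "__main__":
    log, suspect = demo()
    print(" <- ".join(trace_origin(log, "T", suspect)))
```

The trace stops at A because A holds no connection record pointing further back. A 1-gram distribution ignores byte order, so unrelated payloads with similar byte frequencies can match, and the threshold would need tuning against real traffic.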
Specification