Method and System for Processing a Stream of Information From a Computer Network Using Node Based Reputation Characteristics

US 20070214151A1
Filed: 10/17/2006
Published: 09/13/2007
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing information from a variety of submitters, the method comprising:

receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers;

identifying a submitter reputation of the submitter from a knowledge base;

associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter; and

transferring the node reputation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing information from a variety of submitters, e.g., forensic sources. The method includes receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N. In a specific embodiment, the one or more nodes are associated respectively with one or more IP addresses on a world wide network of computers. The method includes identifying a submitter reputation of the submitter from a knowledge base and associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter. The method also transfers the node reputation.

170 Citations

35 Claims

1. A method for processing information from a variety of submitters, the method comprising:
- receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers;
  
  identifying a submitter reputation of the submitter from a knowledge base;
  
  associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter; and
  
  transferring the node reputation.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the submitter is selected from a firewall log, a client, a spam trap, another spam or virus filter server, or other source.
  - 3. The method of claim 1 further comprising assigning a policy to the node based upon at least the node reputation.
  - 4. The method of claim 1 further comprising storing the submitter reputation in the knowledge base as legal evidence.
  - 5. The method of claim 1 further comprising receiving information about one or more nodes from another submitter.

6. A system for processing information from a variety of submitters, the system comprising one or more computer readable memories, the one or more computer readable memories including:
- one or more codes directed to receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers;
  
  one or more codes directed to identifying a submitter reputation of the submitter from a knowledge base;
  
  one or more codes directed to associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter; and
  
  one or more codes directed to transferring the node reputation.

7. A method for processing a stream of information to determine a security level, the method comprising:
- providing a knowledge base, the knowledge base having information about a plurality of nodes, each of the nodes numbered from 1 through N, each of the nodes being assigned a reputation characteristic numbered respectively from 1 through N, each of the reputation characteristics comprising one or more of a plurality of properties;
  
  identifying a selected node from the plurality of nodes, the selected node being coupled to a network of computers;
  
  requesting reputation information associated with the selected node through the network of computers;
  
  deriving at least one of the reputation characteristics numbered from 1 through N of the selected node from the knowledge base;
  
  transferring the reputation characteristic through the network of computers; and
  
  processing information from a stream of data associated with the selected node within the plurality of nodes using a selection of at least one of a plurality of processes, the selected process being associated with the reputation characteristic of the selected node.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7 wherein the one or more properties comprises one or more evidence elements.
  - 9. The method of claim 7 wherein the one or more properties comprises one or more assertions.
  - 10. The method of claim 7 wherein the one or more plurality of properties is selected from a country of origin, an attribute, a use characteristic or an action.
  - 11. The method of claim 7 wherein the one or more plurality of properties is selected from an ISP name, host operating system, host behavior when contacting another host, host association with another malicious host, volume of traffic from a host or a result of a scan of a host.
  - 12. The method of claim 7 wherein the one of the plurality of processes is selected from do nothing, drop connect, redirect information, delay information or tar pit information.
  - 13. The method of claim 7 wherein the processing is provided by a firewall process, an intrusion detection process or a filtering process.
  - 14. The method of claim 7 wherein the knowledge base comprises a data base.
  - 15. The method of claim 7 wherein the knowledge base is coupled to the network of computers.

16. A system for characterizing reputations of one or more nodes in a computer network environment, the system comprising a knowledge base, the knowledge base having information about a plurality of nodes, each of the nodes numbered from 1 through N, each of the nodes being assigned a reputation characteristic numbered respectively from 1 through N, each of the reputation characteristics comprising one or more of a plurality of properties, one or more of the properties being associated with a submitter, the submitter having a submitter reputation characteristic.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The system of claim 16 wherein the submitter reputation characteristic is a history of the submitter.
  - 18. The system of claim 16 wherein the submitter reputation characteristic is a history of the submitter, the history comprising a score, the history comprising a plurality of submitter components.
  - 19. The system of claim 18 wherein one of the submitter components is a correlation between the submitter and one or more other submitters.
  - 20. The system of claim 18 wherein one of the submitter components is a frequency of activity of the submitter.
  - 21. The system of claim 18 wherein one of the submitter components is a volume of activity of the submitter.
  - 22. The system of claim 18 wherein one of the submitter components is a type of different information being provided by the submitter.
  - 23. The system of claim 16 wherein N is four billion.
  - 24. The system of claim 16 wherein N is 1 percent or less of a total number of active nodes.

25. A method for creating a real time knowledge base of a plurality of nodes from a variety of submitters, the method comprising:
- receiving first information about one or more nodes from a first submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers;
  
  identifying a submitter reputation of the first submitter from a knowledge base, the submitter being one of the plurality of submitters numbered from 1 through N;
  
  associating a node reputation of the node based upon at least the reputation of the first submitter and first submitted information from the first submitter;
  
  storing the first submitted information in a first portion of the knowledge base; and
  
  repeating the receiving, identifying, associating, and storing for second information from a second submitter.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The method of claim 25 wherein the repeating occurs automatically to update the knowledge base.
  - 27. The method of claim 25 further comprising repeating the receiving, identifying, associating, and storing for other submitters.
  - 28. The method of claim 25 further comprising receiving a request for submitter reputation information and transferring the submitter reputation information through the world wide network of computers.
  - 29. The method of claim 25 wherein the receiving comprises a push process or a pull process.
  - 30. The method of claim 25 wherein N is four billion.
  - 31. The method of claim 30 wherein N is 1 percent or less of a total number of active nodes.
  - 32. The method of claim 25 wherein the node reputation comprises at least a score, the score being a measure of historic behavior.
  - 33. The method of claim 25 wherein the knowledge base comprises at least 30 Gigabytes of disk space.
  - 34. The method of claim 25 wherein the knowledge base comprises a database.
  - 35. The method of claim 25 further comprising determining one or more zones numbered from 1 through M, each of the zones representing one of more of the nodes, each of the zones being associated with a unique set of reputations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.

Granted Patent

US 8,763,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/3331   Query processing

G06F 16/3334   Selection or weighting of t...

G06F 2216/03   Data mining

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Method and System for Processing a Stream of Information From a Computer Network Using Node Based Reputation Characteristics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

170 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Processing a Stream of Information From a Computer Network Using Node Based Reputation Characteristics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links