USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION

US 20100235915A1
Filed: 03/12/2010
Published: 09/16/2010
Est. Priority Date: 03/12/2009
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for determining an infection risk of a host computer on a network, the computer-implemented method comprising:

a) determining at least two of(1) host-centric symptom information for the host computer,(2) host-centric role information for the host computer, and(3) host-centric reputation information for the host computer,from the stored network data; and

b) determining the infection risk of the host computer using at least two of (1) the determined host-centric symptom information, (2) the determined host-centric role information, and (3) the determined host-centric reputation information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting and mitigating threats to a computer network is important to the health of the network. Currently firewalls, intrusion detection systems, and intrusion prevention systems are used to detect and mitigate attacks. As the attackers get smarter and attack sophistication increases, it becomes difficult to detect attacks in real-time at the perimeter. Failure of perimeter defenses leaves networks with infected hosts. At least two of symptoms, roles, and reputations of hosts in (and even outside) a network are used to identify infected hosts. Virus or malware signatures are not required.

Citations

14 Claims

1. A computer-implemented method for determining an infection risk of a host computer on a network, the computer-implemented method comprising:
- a) determining at least two of(1) host-centric symptom information for the host computer,(2) host-centric role information for the host computer, and(3) host-centric reputation information for the host computer,from the stored network data; and
  
  b) determining the infection risk of the host computer using at least two of (1) the determined host-centric symptom information, (2) the determined host-centric role information, and (3) the determined host-centric reputation information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1 wherein the determined host-centric symptom information is signature-free information.
  - 3. The computer-implemented method of claim 1 wherein the determined host-centric symptom information does not include baseline information of the host.
  - 4. The computer-implemented method of claim 1 wherein determining the infection risk of the host computer uses the determined host-centric role information, andwherein the determined host-centric role information includes one of (A) a consumer with respect to at least one other system on the network, (B) a producer with respect to at least one other system on the network, and (C) a relay with respect to at least two other systems on the network.
  - 5. The computer-implemented method of claim 1 wherein determining the infection risk of the host computer uses the determined host-centric reputation information, andwherein the determined host-centric reputation information is determined using a reputation of at least one other system on the network with which the host has sent or received information.
  - 6. The computer-implemented method of claim 5 wherein the determined host-centric reputation information is determined further using a characterization of traffic the host has received or sent.
  - 7. The computer-implemented method of claim 1 wherein determining the infection risk of the host computer uses the determined host-centric symptom information, andwherein the determined host-centric symptom information includes at least one of (A) protocol semantic violations by the host, (B) access to dark space by the host, (C) slowdown of the host, (D) change of role of the host, (E) unusual reboot statistics of the host, (F) contact with typo squatter domains by the host, (G) command channels used by the host, (H) control channel used by the host, and (I) rate of advertisement selections by the host exceeding a threshold.
  - 8. The computer-implemented method of claim 1 wherein determining the infection risk of the host computer uses the determined host-centric role information, andwherein the determined host-centric role information is a service level role determined using tuples of network information forwarded by the host.
  - 9. The computer-implemented method of claim 1 further comprising refining the role of the host using information from special purpose network appliances that monitor traffic on the network for applications in at least one of security, billing and traffic engineering,wherein determining the infection risk of the host computer uses the determined host-centric role information.

10. A computer-implemented method for assigning a reputation to a host, the computer-implemented method comprising:
- a) receiving assigned reputation information of a set of other hosts;
  
  b) determining, from the set of other hosts, hosts associated with the host using at least one of (i) communications between the host and each of the other hosts, (ii) a bit-wise difference in IP addresses of the host and of each of the other hosts, (iii) domains of the host and of each of the other hosts, (iv) autonomous systems of the host and of each of the other hosts, and (v) countries of the host and each of the other hosts; and
  
  c) inferring a reputation value of the host using assigned reputation information of hosts from the set of other hosts, that were determined to be related to the host.

11. A computer-implemented method for determining whether a host is a spam bot mail-server, the computer-implemented method comprising:
- a) determining whether or not a host has a mail-server role using at least one of (i) connection fan out of the host, and (ii) entropy of the fan out edges of the host;
  
  b) responsive to a determination that the host is a mail-server, further determining whether the host is a spam bot mail-server using at least one of (i) a determination of whether or not the host has been whitelisted, (ii) a determination of whether or not the host is a designated mail-server for a domain to which the host belongs, and (iii) an entropy of the host; and
  
  c) responsive to a determination that the host is a spam bot mail-server, identifying the host as a spam bot mail-server.

12. A computer-implemented method for determining whether a host is a peer-to-peer node, the computer-implemented method comprising:
- a) tracking abnormal dynamic name to IP address resolutions by the host;
  
  b) determining whether or not the host is a peer-to-peer node using a number of abnormal dynamic name to IP address resolutions; and
  
  c) responsive to a determination that the host is a peer-to-peer node, identifying the host as a peer-to-peer node.
- View Dependent Claims (13, 14)
- - 13. The computer-implemented method of claim 12 further comprising:
    - d) determining a more specific role of the host using content communicated by the host.
  - 14. The computer-implemented method of claim 12 further comprising:
    - d) determining a more specific role of the host using reputation information of other hosts that have been connected with the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Polytechnic Institute Of New York University (New York University)
Original Assignee
Polytechnic Institute Of New York University (New York University)
Inventors
Shanmugasundaram, Kulesh, Memon, Nasir

Application Number

US12/723,272
Publication Number

US 20100235915A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links