Honey Monkey Network Exploration

US 20100257592A1
Filed: 06/17/2010
Published: 10/07/2010
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. One or more processor-accessible storage media comprising processor-executable instructions that, when executed, direct a device to perform actions comprising:

visiting a uniform resource locator (URL) of a parent list of redirection URLs;

producing a child list of redirection URLs based on visiting the URL of the parent list of redirection URLs, the child list of redirection URLs including a plurality of child URLs;

recursively visiting the child URLs of the child list of redirection URLs to discover redirection relationships between the child URLs that are visited; and

creating a graph that includes the child URLs that are visited and that indicates the redirection relationships between the child URLs.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited.

43 Citations

View as Search Results

20 Claims

1. One or more processor-accessible storage media comprising processor-executable instructions that, when executed, direct a device to perform actions comprising:
- visiting a uniform resource locator (URL) of a parent list of redirection URLs;
  
  producing a child list of redirection URLs based on visiting the URL of the parent list of redirection URLs, the child list of redirection URLs including a plurality of child URLs;
  
  recursively visiting the child URLs of the child list of redirection URLs to discover redirection relationships between the child URLs that are visited; and
  
  creating a graph that includes the child URLs that are visited and that indicates the redirection relationships between the child URLs.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more processor-accessible storage media as recited in claim 1, comprising the processor-executable instructions that, when executed, direct the device to perform further actions comprising:
    - visiting a given URL;
      
      monitoring URL redirections resulting from visiting the given URL; and
      
      tracing the URL redirections to produce the parent list of redirection URLs.
  - 3. The one or more processor-accessible storage media as recited in claim 1, wherein site nodes and page nodes of the graph are visually differentiated.
  - 4. The one or more processor-accessible storage media as recited in claim 1, wherein creating the graph comprises:
    - representing URLs with corresponding symbols; and
      
      visually indicating a number of redirections that are associated with each of the URLs by changing the corresponding symbols.
  - 5. The one or more processor-accessible storage media as recited in claim 1, wherein creating the graph comprises visually differentiating between connections that represent relationships between site nodes and page nodes hosted by the site nodes and connections that represent redirection relationships.
  - 6. The one or more processor-accessible storage media as recited in claim 1, comprising the processor-executable instructions that, when executed, direct the device to perform further actions comprising:
    - visiting each respective URL of the parent list of redirection URLs;
      
      producing respective child lists of redirection URLs from visiting each respective URL of the parent list of redirection URLs; and
      
      recursively visiting child URLs of the respective child lists of redirection URLs to discover redirection relationships between the child URLs that are visited.
  - 7. The one or more processor-accessible storage media as recited in claim 1, wherein the topology graph identifies content provider URLs and exploit provider URLs.

8. An apparatus comprising:
- a processor; and
  
  one or more processor-accessible storage media storing;
  
  a trace file;
  
  a browser; and
  
  a strider tracer module including instructions executable by the processor to;
  
  determine a given uniform resource locator (URL) visited by the browser;
  
  trace visits to a number of redirection URLs in response to the browser visiting the given URL;
  
  log the visit to the given URL and the visits to the redirection URLs in the trace file; and
  
  generate a topology graph that indicates redirection relationships between the number of redirection URLs.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the trace file indicates directly visited URLs and indirectly visited URLs.
  - 10. The apparatus of claim 8, wherein the one or more processor-accessible storage media store a dynamic link library (DLL) that loads into the browser and implements a URL tracer as a proxy, wherein requests to visit URLs from the browser are routed through the proxy.
  - 11. The apparatus of claim 8, wherein the strider tracer module includes instructions executable by the processor to record one or more pages hosted by the given URL and one or more pages hosted by the number of redirection URLs.
  - 12. The apparatus of claim 8, wherein the number of redirection URLs are visited with a redirection blocking feature enabled.
  - 13. The apparatus of claim 8, wherein the strider tracer module includes instructions executable by the processor to trace registry writes, file writes, process creations, or combinations thereof.
  - 14. The apparatus of claim 8, wherein the one or more processor-accessible storage media store a honey monkey controller executable by the processor to analyze the trace file to determine whether an exploit has been detected with respect to the visit to the given URL, with respect to the visits to the number of redirection URLs, or a combination thereof.

15. A method comprising:
- generating a topology graph by a device including a processor executing a honey monkey system, the topology graph indicating redirection relationships between a plurality of uniform resource locators (URLs), a plurality of websites, and web pages hosted by the plurality of websites;
  
  determining, by the device, a ranking of a particular website of the plurality of websites based on a number of redirection relationships between the particular website and additional websites of the plurality of websites; and
  
  monitoring, by the device, the particular website based on the ranking.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the number of redirection relationships include websites that redirect traffic to the particular website, websites receiving redirection traffic from the particular website, websites having a two-way traffic redirection relationship with the particular website, or a combination thereof.
  - 17. The method of claim 15, further comprising producing a visual representation including a plurality of bars, each of the plurality of bars indicating a corresponding ranking of a respective website of the plurality of websites.
  - 18. The method of claim 17, wherein a height of a particular bar associated with the particular website indicates the number of redirection relationships between the particular website and the additional websites.
  - 19. The method of claim 15, further comprising blocking access to the particular website.
  - 20. The method of claim 15, further comprising determining an additional ranking of the particular website based on a number of exploit URLs hosted by the particular website.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Beck, Douglas R., Wang, Yi-Min

Granted Patent

US 8,812,652 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/125   involving control of end-de...

H04L 67/535   Tracking the activity of th...

Honey Monkey Network Exploration

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Honey Monkey Network Exploration

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links