CONFIDENCE SCORING OF DEVICE REPUTATION BASED ON CHARACTERISTIC NETWORK BEHAVIOR

US 20140379902A1
Filed: 08/12/2013
Published: 12/25/2014
Est. Priority Date: 06/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method of evaluating reputation of a requestor device that makes a request to a cloud-based resource, including:

providing an initial response to the requestor device that includes an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to;

collect data regarding at least network round trip latency between the requestor device and four or more target addresses andreport the network round trip latency for the target addresses;

compiling a characteristic vector for the requestor device including at least the reported network round trip latency for the target addresses;

scoring the characteristic vector for similarity to expected characteristics of a first reference device at a first reference IP address expected to share network round trip latency characteristics with the requestor device; and

producing at least one reputation score.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to detection of anonymous proxies and bots making requests to a cloud based resource on the Internet, such as a web server or an App server. The technology can leverage one or more of: instrumentation of web pages that samples response times and other characteristics of communications by a requestor device over multiple network segments; lack of prior appearance of the requestor device across multiple, independently operated commercial web sites; and resolver usage by the requestor. These signals can be analyzed to score a requesting device'"'"'s reputation. A location reported by a user device can be compared to a network characteristic determined location.

Citations

20 Claims

1. A method of evaluating reputation of a requestor device that makes a request to a cloud-based resource, including:
- providing an initial response to the requestor device that includes an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to;
  
  collect data regarding at least network round trip latency between the requestor device and four or more target addresses andreport the network round trip latency for the target addresses;
  
  compiling a characteristic vector for the requestor device including at least the reported network round trip latency for the target addresses;
  
  scoring the characteristic vector for similarity to expected characteristics of a first reference device at a first reference IP address expected to share network round trip latency characteristics with the requestor device; and
  
  producing at least one reputation score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further including:
    - scoring the characteristic vector using a median of estimated probability measures of characteristics in the characteristic vector taken individually.
  - 3. The method of claim 1, further including:
    - scoring the characteristic vector by combining estimated variance from the expected round trip latency characteristics for the target addresses in the characteristic vector.
  - 4. The method of claim 1, further including:
    - scoring the characteristic vector using an estimated joint probability distribution that combines at least one characteristic from each of at least four target addresses, wherein the joint probability distribution is estimated from at least 1000 samples that combine the least one characteristic from the at least four target addresses.
  - 5. The method of claim 1, further including:
    - providing the code further adapted to;
      
      collect data regarding at least availability of target addresses from the requestor device andreport the availability of the target addresses; and
      
      compiling in the characteristic vector a reported availability of the target addresses to the requestor device; and
      
      scoring the characteristic vector by determining whether the availability of targets in the characteristic vector is different than expected availability of the targets to a second reference device at a second reference IP address expected to share availability status with the requestor device.
  - 6. The method of claim 5, further including:
    - scoring the characteristic vector by requiring the same availability status as expected for all targets in the characteristic vector.
  - 7. The method of claim 1, further including:
    - providing the code further adapted to;
      
      collect data regarding at least throughput rates between the requestor device and the target addresses andreport the throughput rates for the target addresses; and
      
      compiling in the characteristic vector a reported throughput rates between the requestor device and the requestor device; and
      
      scoring the characteristic vector for similarity to expected characteristics of a third reference requestor device at a third reference IP address expected to share throughput rate characteristics with the requestor device.
  - 8. The method of claim 1, further including:
    - scoring the characteristic vector by combining estimated variances between throughput in the characteristic vector and the expected throughput rate characteristics for the target addresses.
  - 9. The method of claim 1, further including:
    - providing the code further adapted to;
      
      collect data regarding at least connection establishment times for connections between the requestor device and the target addresses andreport the connection establishment times for the target addresses; and
      
      compiling in the characteristic vector a reported connection establishment times between the requestor device and the requestor device; and
      
      scoring the characteristic vector for similarity to expected characteristics of a fourth reference requestor device at a fourth reference IP address expected to share connection establishment time characteristics with the requestor device.
  - 10. The method of claim 1, further including:
    - scoring the characteristic vector by combining estimated variances between throughput in the characteristic vector and the expected throughput rate characteristics for the target addresses.
  - 11. The method of claim 1, further including:
    - receiving requestor device characteristics including at least an IP address, browser type and version identifiers, and operating system type and version identifiers with a request from the requestor device;
      
      looking up in a requestor history database, that reflects requests compiled from more than 100 independently operating servers, a frequency of requests made by devices sharing the requestor device characteristics; and
      
      scoring the requestor device characteristics for frequency and/or diversity of requests made to the independently operating servers within a predetermined recent time.
  - 12. The method of claim 1, further including:
    - scoring the requestor device characteristics using logarithmic scaling of the frequency and/or diversity of the requests made by devices sharing the requestor device characteristics.
  - 13. The method of claim 1, further including:
    - providing the code further adapted to;
      
      collect data regarding a resolver used by the requestor device to find IP addresses corresponding to fully qualified domain names andreport the resolver used by the requestor device; and
      
      scoring the characteristic vector for matching expected resolver usage of a reference requestor device at a reference IP address expected to share resolver usage characteristics with the requestor device and producing at least one reputation score.
  - 14. The method of claim 1, further including:
    - scoring the characteristic vector by combining estimated variance from the resolver usage characteristics of the requestor device.

15. A method of evaluating reputation of a requestor device that makes a request to a web site, including:
- receiving requestor device characteristics including at least an IP address, browser type and version identifiers, and operating system type and version identifiers with a request from the requestor device;
  
  looking up in a requestor history database, that reflects requests compiled from more than 100 independently operating servers, a frequency of requests made by devices sharing the requestor device characteristics; and
  
  scoring the requestor device characteristics for frequency and/or diversity of requests made to the independently operating servers within a predetermined recent time.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further including:
    - scoring the requestor device characteristics using logarithmic scaling of the frequency and/or diversity of the requests made by devices sharing the requestor device characteristics.
  - 17. The method of claim 15, further comprising:
    - providing an initial response to a requestor device that includes an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to;
      
      collect data regarding at least availability of target addresses from the requestor device andreport the availability of the target addresses; and
      
      compiling in the characteristic vector a reported availability of the target addresses to the requestor device; and
      
      scoring the characteristic vector by determining whether the availability of targets in the characteristic vector is different than expected availability of a reference device at a reference IP address expected to share availability status with the requestor device.

18. A method of evaluating reputation of a requestor device that makes a request to a web site, including:
- providing an initial response to a requestor device that includes an instrumented web page or instructions to be processed by an application running on the requestor device, wherein the initial response includes code adapted to;
  
  collect and compile in a characteristic vector data regarding a resolver used by the requestor device to find IP addresses corresponding to fully qualified domain names andreport the resolver used by the requestor device; and
  
  scoring the characteristic vector for matching expected resolver usage of a reference requestor device at a reference IP address expected to share resolver usage characteristics with the requestor device and producing at least one reputation score.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further including:
    - scoring the characteristic vector by combining estimated variance from the resolver usage characteristics of the requestor device.
  - 20. The method of claim 18, further comprising:
    - providing the code further adapted to;
      
      collect data regarding at least availability of target addresses from the requestor device andreport the availability of the target addresses; and
      
      compiling in the characteristic vector a reported availability of the target addresses to the requestor device; and
      
      scoring the characteristic vector by determining whether the availability of targets in the characteristic vector is different than expected availability of a reference device at a reference IP address expected to share availability status with the requestor device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Cedexis Incorporated (Cloud Software Group)
Inventors
Kagan, Martin, Wan, Jacob, Unrein, Greg

Granted Patent

US 10,320,628 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/04   Processing captured monitor...

H04L 43/0864   Round trip delays

H04L 61/4511   using domain name system [DNS]

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/535   Tracking the activity of th...

CONFIDENCE SCORING OF DEVICE REPUTATION BASED ON CHARACTERISTIC NETWORK BEHAVIOR

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONFIDENCE SCORING OF DEVICE REPUTATION BASED ON CHARACTERISTIC NETWORK BEHAVIOR

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links