Method and system for tracking machines on a network using fuzzy GUID technology

US 8,141,148 B2
Filed: 10/17/2006
Issued: 03/20/2012
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for tracking machines on a network of computers, the method comprising:

identifying a malicious host coupled to the network of computers;

determining a first IP (Internet Protocol) address and attributes associated with the malicious host during a first time period, the attributes being associated with two or more network layers;

determining an attribute fuzzy GUID for the first IP address and each of the attributes, the attribute fuzzy GUID being a globally unique identifier associated with the first IP address and each of the attributes;

forming a fuzzy GUID (Globally Unique Identifier) of the malicious host by processing the attribute fuzzy GUID associated with the first IP address and each of the attributes, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information;

classifying the malicious host to be in a determined state;

during a second time period, classifying the malicious host to be in a latent state;

identifying an unknown host during the second time period, the unknown host being associated with a second IP address and one or more attributes;

processing the second IP address and the one or more attributes of the unknown host in conjunction with the first IP address and the one or more attributes of the malicious host; and

determining if the malicious host has moved from the first IP address to the second IP address, thereby identifying if the unknown host is the malicious host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a world wide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.

68 Citations

View as Search Results

20 Claims

1. A method for tracking machines on a network of computers, the method comprising:
- identifying a malicious host coupled to the network of computers;
  
  determining a first IP (Internet Protocol) address and attributes associated with the malicious host during a first time period, the attributes being associated with two or more network layers;
  
  determining an attribute fuzzy GUID for the first IP address and each of the attributes, the attribute fuzzy GUID being a globally unique identifier associated with the first IP address and each of the attributes;
  
  forming a fuzzy GUID (Globally Unique Identifier) of the malicious host by processing the attribute fuzzy GUID associated with the first IP address and each of the attributes, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information;
  
  classifying the malicious host to be in a determined state;
  
  during a second time period, classifying the malicious host to be in a latent state;
  
  identifying an unknown host during the second time period, the unknown host being associated with a second IP address and one or more attributes;
  
  processing the second IP address and the one or more attributes of the unknown host in conjunction with the first IP address and the one or more attributes of the malicious host; and
  
  determining if the malicious host has moved from the first IP address to the second IP address, thereby identifying if the unknown host is the malicious host.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the one or more attributes comprises an IP range, ISP (Internet Service Provider), country, ISP practice, or range class within the ISP.
  - 3. The method of claim 1 wherein the network of computers includes a world wide network of computers.
  - 4. The method of claim 1 further comprising determining if the unknown host is a different machine than the malicious host.

5. A method for querying a knowledgebase of malicious hosts, the method comprising:
- providing a network of computers, the network of computers including a plurality of unknown malicious host machines, the plurality of unknown malicious host machines being disposed throughout the network of computers, the network of computers including a world wide network of computers;
  
  querying a knowledge base including a plurality of known malicious hosts, the knowledge base being coupled to the network of computers;
  
  receiving first information and attributes associated with an unknown host from the network, the information being associated with two or more network layers;
  
  determining an attribute fuzzy GUID for the first information and each of the attributes, the attribute fuzzy GUID being a globally unique identifier associated with the first information and each of the attributes;
  
  forming a fuzzy GUID (Globally Unique Identifier) of the unknown host by processing the attribute fuzzy GUID associated with the first information and each of the attributes, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information;
  
  querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base; and
  
  outputting second information associated with the unknown host based upon the querying process.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5 further comprising, if the unknown host is one of the known malicious hosts, updating a filter to block access of the malicious host to one or more segments of the network of computers.
  - 7. The method of claim 5 further comprising outputting an alert to signify the malicious host, if the unknown host is determined to be one of the malicious hosts.
  - 8. The method of claim 5 wherein the identifying of the unknown host further comprising:
    - determining a plurality of identity attributes;
      
      assigning a quality measure to each of the plurality the identity attributes;
      
      collecting one or more evidences from the unknown host;
      
      determining an attribute fuzzy GUID (Globally Unique Identifier) for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being a globally unique identifier associated with the evidences;
      
      processing the attribute fuzzy GUID for each of the plurality of attributes to form a host fuzzy GUID for the unknown host.
  - 9. The method of claim 8 wherein the attributes comprises an IP (Internet Protocol) range, ISP (Internet Service Provider), country, ISP practice, or range class within the ISP.
  - 10. The method of claim 8 further comprising selecting a second plurality of identity attributes characterized by quality measures higher than a predetermined value.

11. A computer based method for populating a database to form a knowledge base of malicious host entities, the method comprising:
- collecting one or more evidences from an unknown host;
  
  determining a plurality of identity attributes from the one or more evidences, the plurality of identity attributes being associated with a plurality of network layers of the unknown host;
  
  assigning a quality measure to each of the plurality of the identity attributes;
  
  forming an attribute fuzzy GUID (Globally Unique Identifier) for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being a globally unique identifier associated with the plurality of identity attributes;
  
  processing the attribute fuzzy GUID for each of the plurality of identity attributes according to a quality measure to form a host fuzzy GUID for the unknown host, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information; and
  
  storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
- View Dependent Claims (12, 13, 19)
- - 12. The method of claim 11 wherein the plurality of attributes comprises an IP range, ISP, country, ISP practice, or range class within the ISP.
  - 13. The method of claim 11 further comprising selecting a second plurality of identity attributes characterized by quality measures higher than a predetermined value.
  - 19. The system of claim 11 wherein each of the plurality of identity attributes is characterized by an attribute quality that is a function of time and accuracy.

14. A computer based system for populating a database to form a knowledge base of malicious host entities, the system comprising one or more processors and a machine readable memory or memories, the one or more processors configured to execute computer codes in the machines readable memory or memories, the machine readable memory or memories comprising:
- one or more codes directed to collecting one or more evidences from an unknown host;
  
  one or more codes directed to determining a plurality of identity attributes from the one or more evidences, the plurality of identity attributes being associated with a plurality of network layers of the unknown host;
  
  one or more codes directed to assigning a quality measure to each of the plurality the identity attributes;
  
  one or more codes directed to forming an attribute fuzzy GUID (Globally Unique Identifier) for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being a globally unique identifier associated with the plurality of identity attributes;
  
  one or more codes directed to processing the attribute fuzzy GUID for each of the plurality of identity attributes, in order from a highest quality measure to a lowest quality measure, to form a host fuzzy GUID for the unknown host, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information; and
  
  one or more codes directed to storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
- View Dependent Claims (15, 16, 17, 18, 20)
- - 15. The system of claim 14 wherein the unknown host is one of a plurality of computing devices in a world wide network of computers.
  - 16. The system of claim 14 wherein the one or more codes directed to storing is an executable code.
  - 17. The system of claim 14 wherein the knowledge base comprises a plurality of malicious host information.
  - 18. The system of claim 14 wherein the host fuzzy GUID comprises an identifier.
  - 20. The system of claim 14 wherein of the plurality of identity attributes is characterized by an attribute quality that is a function of one or more of time, generic, accuracy, and subversion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HERZOG, MADHURI R

Application Number

US11/550,395
Publication Number

US 20070124801A1
Time in Patent Office

1,981 Days
Field of Search

726/4, 726 22- 25, 713/188, 706/45, 709223-229
US Class Current

726/22
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 2201/86   Event-based monitoring

G06F 2221/2127   Bluffing

H04L 2463/146   Tracing the source of attacks

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Method and system for tracking machines on a network using fuzzy GUID technology

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for tracking machines on a network using fuzzy GUID technology

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links