Method for tracking machines on a network using multivariable fingerprinting of passively available information

US 8,176,178 B2
Filed: 01/29/2008
Issued: 05/08/2012
Est. Priority Date: 01/29/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method for fingerprinting a connecting host machine on a network, the method comprising:

forcing the connecting host into a TCP connection, wherein timestamps are transmitted with each packet associated with the connection;

assigning a session handle to the connection, some or all of subsequent connections that are associated with the session handle being able to exchange data with one another;

extending a longevity of the connection, the longevity allowing extended sampling of the host for the purposes of fingerprinting;

sampling attributes associated with the connection;

queuing the sampled attributes, IP address, and session handle to a correlator process, the correlator process including one or more algorithms for processing the sampled attributes;

processing the sampled attributes, IP address, and session handle; and

forming a fingerprint for the connecting host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for tracking machines on a network of computers. The method includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host.

Citations

32 Claims

1. A method for fingerprinting a connecting host machine on a network, the method comprising:
- forcing the connecting host into a TCP connection, wherein timestamps are transmitted with each packet associated with the connection;
  
  assigning a session handle to the connection, some or all of subsequent connections that are associated with the session handle being able to exchange data with one another;
  
  extending a longevity of the connection, the longevity allowing extended sampling of the host for the purposes of fingerprinting;
  
  sampling attributes associated with the connection;
  
  queuing the sampled attributes, IP address, and session handle to a correlator process, the correlator process including one or more algorithms for processing the sampled attributes;
  
  processing the sampled attributes, IP address, and session handle; and
  
  forming a fingerprint for the connecting host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1 wherein the sampled attributes are associated with one or more of ‘
    - stack ticks’
      
      , ‘
      
      time-skew’
      
      , TCP Window size, and IP address.
  - 3. The method of claim 1 wherein the sampled attributes further include remote determination of one or more of ISP, Local Storage Object, first Party Browser Cookie, third Party Browser Cookie., TCP IP Address, HTTP IP Address, HTTPS IP Address, RTSP IP Address, RTP IP Address, FTP IP Address, DNS name server, Maximum Transmission Unit, Connection Type, Connection Speed, Bogon Hijack Address, Static/ Dynamic Address, Proxy Address, TCP Sequence Number, Browser string, Screen Resolution, Screen DPI, PC Start Time, HTTP Header information, Local Time, Clock-Offset, TCP-Time Stamp, TCP stack-tick, Clock-Drift, Time Zone, Browser Plugins, Enabled and Disabled Browser functions, Browser Document Object Model, Operating System, and Listening, Open and Closed Sockets or other available or derivable information.
  - 4. The method of claim 1 wherein the extending of the longevity of the connection includes a tar-pitting process.
  - 5. The method of claim 4 wherein the extending of the longevity of the connection includes:
    - delivering requested payload data in a delayed or retarded manner; and
      
      requesting repeated transmission of data and/or requests by simulating TCP data loss.
  - 6. The method of claim 1 wherein the correlator may be local or remote.
  - 7. The method of claim 1 wherein the one or more algorithms include linear regression, auto-correlation and, vector machines.
  - 8. The method of claim 1 wherein one or more algorithms may include a rule-matching strategy.
  - 9. The method of claim 1 wherein the sampling of the communication includes sampling previous host reputation on IP address.
  - 10. The method of claim 1 wherein the correlator process includes sampling data from external sensors, using an infrastructure that aggregates and shares reputation, and fingerprint data across multiple users of reputation and fingerprinting services.
  - 11. The method of claim 1 wherein correlator process incorporates the sampled measurements to normalize localized jitter, load, or latency transients.
  - 12. The method of claim 1 wherein the correlator process includes correlating host fingerprints with an identical IP address to determine specific individual hosts.
  - 13. The method of claim 1 wherein the connecting host is an anonymizing proxy or intermediate device, forcing a connection to bypass the proxy or intermediate device.
  - 14. The method of claim 13, further comprising replacing an HTTP delivered pixel with an HTTPS delivered pixel with a suitability generated SSL certificate to force the browser to bypass the HTTP proxy.
  - 15. The method of claim 13, further comprising forcing communication via a random port to retrieve data to by-pass a HTTP proxy.
  - 16. The method of claim 13 wherein the connecting host is an anonymizing proxy or intermediate device, the method further including using FTP to bypass a HTTP proxy.
  - 17. The method of claim 13 wherein the connecting host is an anonymizing proxy or intermediate device, the method further including forcing a connection via the Real Time Streaming Protocol (RTSP) connection to retrieve data to by-pass the HTTP proxy.
  - 18. The method of claim 13 wherein an object in the browser, including but not limited to java or flash object is configured to bypass default proxy settings of a browser when performing a connect back to the fingerprinting device.
  - 19. The method of claim 13 wherein the connecting host is made to perform a connection on any protocol or embedded object that does not make use of default proxy settings of a browser.
  - 20. The method of claim 1 wherein the connecting host is an anonymizing proxy or intermediate device, detecting inconsistencies between attributes in the TCP protocol from the connecting host and attributes measured from the client.
  - 21. The method of claim 20 one such embodiment being determining inconsistencies in operating systems based on the known increment in the connecting host'"'"'s TCP time-stamp for that operating system and comparing it to the operating system as declared in the browser agent string measured from the client.
  - 22. The method of claim 20 one such embodiment comprising deriving valid time zones based on the geolocation of the connecting host IP Address and comparing the time-zones to the time-zone as measured using javascript or flash active script on the client.
  - 23. The method of claim 1 wherein the connecting host is an anonymizing proxy or intermediate device, detecting distortion or loss of information as it is transmitted through that device.
  - 24. The method of claim 23 one such embodiment including detecting that a served “
    - x”
      
      by “
      
      y”
      
      pixels image was not downloaded by the connecting host and determining that the connecting host is capable of rendering image files by serving an obfuscated image in a Content Style Sheet (CSS) element, where x and y are integer numbers.
  - 25. The method of claim 1 wherein the connecting host is an anonymizing proxy or intermediate device, measuring inconsistencies in Geolocation of the connecting host IP Address and the IP Address of the DNS name server accessed by the client.
  - 26. The method of claim 25 wherein the connecting host is caused to request a resource on a unique domain name meaning the domain name is different for each visit which will force the client'"'"'s DNS server to connect to the domain owner'"'"'s DNS server which the fingerprinting device has access to.
  - 27. The method of claim 25, further comparing the geolocation of the IP Address of the client'"'"'s DNS name server with the geolocation of IP Address of the connecting host.
  - 28. The method of claim 1 wherein the fingerprint is formed by a fingerprinting device that resides on a data path between the connecting host and a protected host.
  - 29. The method of claim 1 wherein the network of computers includes a world wide network of computers.
  - 30. The method of claim 1 wherein the fingerprint is formed by a fingerprinting device associated with a protected host.
  - 31. The method of claim 1 wherein the connecting host is protected by a proxy.
  - 32. The method of claim 1 wherein the fingerprint comprises device fingerprint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Jones, David G., Faulkner, Alisdair, Thomas, Scott
Primary Examiner(s)
WASEL, MOHAMED A

Application Number

US12/022,022
Publication Number

US 20080244744A1
Time in Patent Office

1,561 Days
Field of Search

709223-225
US Class Current

709/225
CPC Class Codes

H04L 2463/121   Timestamp

H04L 2463/144   Detection or countermeasure...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Method for tracking machines on a network using multivariable fingerprinting of passively available information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method for tracking machines on a network using multivariable fingerprinting of passively available information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links