Method for tracking machines on a network using multivariable fingerprinting of passively available information
First Claim
1. A method for fingerprinting a connecting host machine on a network, the method comprising:
forcing the connecting host into a TCP connection, wherein timestamps are transmitted with each packet associated with the connection;
assigning a session handle to the connection, some or all of subsequent connections that are associated with the session handle being able to exchange data with one another;
extending a longevity of the connection, the longevity allowing extended sampling of the host for the purposes of fingerprinting;
sampling attributes associated with the connection;
queuing the sampled attributes, IP address, and session handle to a correlator process, the correlator process including one or more algorithms for processing the sampled attributes;
processing the sampled attributes, IP address, and session handle; and
forming a fingerprint for the connecting host.
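The sample-queue-correlate steps of the claim, as an added example that is not code from the patent. The claim does not name the sampled attribute or the correlator algorithm, so this sketch assumes the attribute is the TCP timestamp option value (TSval) and the fingerprint is the sender's estimated clock skew; all function names, the 1000 Hz tick rate and the sample data are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def make_samples(handle, ip, skew_ppm, n=60, step_ms=5000):
    """Constructed input: (handle, ip, recv_time_s, tsval) every step_ms, from a
    host whose 1000 Hz timestamp clock runs skew_ppm fast (integer math, exact)."""
    return [(handle, ip, i * step_ms / 1000,
             12345 + i * step_ms * (1_000_000 + skew_ppm) // 1_000_000)
            for i in range(n)]

def estimate_skew_ppm(points, hz=1000):
    """Least-squares slope of (sender clock - receiver clock) over receiver time."""
    t0, v0 = points[0]
    xs = [t - t0 for t, _ in points]
    # TSval is a 32-bit counter, so take the difference modulo 2**32.
    ys = [((v - v0) % 2**32) / hz - x for (_, v), x in zip(points, xs)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx

def correlate(queue, hz=1000, bucket_ppm=5, min_samples=10):
    """Correlator: group queued samples by session handle, one fingerprint each."""
    points, ips = defaultdict(list), defaultdict(set)
    for handle, ip, t, tsval in queue:
        points[handle].append((t, tsval))
        ips[handle].add(ip)
    out = {}
    for handle, pts in points.items():
        if len(pts) < min_samples:   # connection too short-lived to fit a slope
            continue
        skew = estimate_skew_ppm(sorted(pts), hz)
        bucket = round(skew / bucket_ppm) * bucket_ppm
        # The IP is recorded but kept out of the hash, so a host that returns
        # from a different address still produces the same fingerprint.
        fp = hashlib.sha256(f"hz={hz};skew={bucket}".encode()).hexdigest()[:16]
        out[handle] = {"ips": sorted(ips[handle]), "skew_ppm": skew, "fingerprint": fp}
    return out

if __name__ == "__main__":
    queue = (make_samples("s1", "198.51.100.7", 50)
             + make_samples("s2", "203.0.113.9", 50)     # same host, new address
             + make_samples("s3", "198.51.100.7", -30))  # different host, same NAT
    for handle, rec in correlate(queue).items():
        print(handle, rec["ips"], f'{rec["skew_ppm"]:.1f} ppm', rec["fingerprint"])
```

The `min_samples` cutoff shows why the claim extends the longevity of the connection: a slope fitted over a handful of packets is dominated by timestamp quantization rather than by the host's clock.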
Abstract
A method for tracking machines on a network of computers. The method includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware fingerprint to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware fingerprint with the unknown host, and determining if the unknown host is the malicious host.
32 Claims
Specification