System, method and computer program product for behavioral partitioning of a network to detect undesirable nodes

US 8,370,928 B1
Filed: 01/26/2006
Issued: 02/05/2013
Est. Priority Date: 01/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring votes from a plurality of nodes for node categorization;

identifying a pattern associated with the votes;

identifying undesirable nodes based on the pattern associated with the votes, wherein the node categorization includes identifying at least some of the undesirable nodes as malicious nodes being associated with propagation of malware, and wherein the malicious nodes are provided on a black list; and

implementing a policy at a firewall that precludes communication with the malicious nodes provided on the black list and that withdrawals data access rights for the malicious nodes provided on the black list, wherein a network is partitioned for the malicious nodes based on the pattern, and wherein partitions that include the malicious nodes are refined over iterations of subsequent voting sessions involving the plurality of nodes.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided. In use, votes from a plurality of nodes for node categorization are monitored. Further, a pattern associated with the votes is identified. Thus, malicious nodes may be identified based on the pattern.

Citations

18 Claims

1. A method, comprising:
- monitoring votes from a plurality of nodes for node categorization;
  
  identifying a pattern associated with the votes;
  
  identifying undesirable nodes based on the pattern associated with the votes, wherein the node categorization includes identifying at least some of the undesirable nodes as malicious nodes being associated with propagation of malware, and wherein the malicious nodes are provided on a black list; and
  
  implementing a policy at a firewall that precludes communication with the malicious nodes provided on the black list and that withdrawals data access rights for the malicious nodes provided on the black list, wherein a network is partitioned for the malicious nodes based on the pattern, and wherein partitions that include the malicious nodes are refined over iterations of subsequent voting sessions involving the plurality of nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the votes categorize at least some of the plurality of nodes as white listed nodes.
  - 3. The method of claim 1, wherein monitoring includes monitoring the votes during multiple voting sessions.
  - 4. The method of claim 3, wherein each voting session involves votes submitted by a plurality of the nodes relating to a newly added node, or to interactions between existing nodes.
  - 5. The method of claim 1, wherein the undesirable nodes are identified by grouping at least some of the plurality of nodes into groups based on the pattern associated with the votes.
  - 6. The method of claim 5, wherein at least some of the plurality of nodes with similar votes are grouped together.
  - 7. The method of claim 6, wherein at least some of the plurality of nodes with a predetermined threshold of similar votes are grouped together.
  - 8. The method of claim 5, whereupon one of nodes in one of the groups being black listed, all of the nodes of the group are black listed.
  - 9. The method of claim 5, whereupon one of nodes in one of the groups being white listed, all of the nodes of the group are white listed.
  - 10. The method of claim 1, wherein at least some of the plurality of nodes includes at least one of users, accounts, and computers.
  - 11. The method of claim 1, wherein the votes are submitted by at least some of the plurality of nodes utilizing a network.
  - 12. The method of claim 1, wherein at least some of the plurality of nodes are members of a peer-to-peer network.
  - 13. The method of claim 1, wherein, for each possible pair of nodes in the plurality of nodes, the pattern associated with the votes is identified by comparing votes between the pair of nodes to identify the similarities amongst the votes and the differences amongst the votes.
  - 14. The method of claim 13, wherein the comparing includes summing the similarities amongst the votes and the differences amongst the votes to calculate a net result.
  - 15. The method of claim 1, wherein a pair of nodes in the plurality of nodes are grouped together where the pair of nodes both include a threshold number of differences with respect to a common node during a plurality of voting sessions, when, during the voting sessions, remaining nodes in the plurality of nodes include similarities with respect to the common node.
  - 16. The method of claim 1, wherein network communication is allowed to nodes categorized as white listed nodes.

17. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- monitoring votes from a plurality of nodes for node categorization;
  
  identifying a pattern associated with the votes;
  
  identifying undesirable nodes based on the pattern associated with the votes, wherein the node categorization includes identifying at least some of the undesirable nodes as malicious nodes being associated with propagation of malware, and wherein the malicious nodes are provided on a black list; and
  
  implementing a policy at a firewall that precludes communication with the malicious nodes provided on the black list and that withdrawals data access rights for the malicious nodes provided on the black list, wherein a network is partitioned for the malicious nodes based on the pattern, and wherein partitions that include the malicious nodes are refined over iterations of subsequent voting sessions involving the plurality of nodes.

18. A system, comprising:
- a processor, wherein the system is configured for;
  
  monitoring votes from a plurality of nodes for node categorization;
  
  identifying a pattern associated with the votes;
  
  identifying undesirable nodes based on the pattern associated with the votes, wherein the node categorization includes identifying at least some of the undesirable nodes as malicious nodes being associated with propagation of malware, and wherein the malicious nodes are provided on a black list; and
  
  implementing a policy at a firewall that precludes communication with the malicious nodes provided on the black list and that withdrawals data access rights for the malicious nodes provided on the black list, wherein a network is partitioned for the malicious nodes based on the pattern, and wherein partitions that include the malicious nodes are refined over iterations of subsequent voting sessions involving the plurality of nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Motwani, Rajiv, Painkras, Gerald S.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US11/341,929
Time in Patent Office

2,567 Days
Field of Search

713/168, 713/181, 713/182, 713/156, 713163-164, 726/22, 726 23- 25, 709/206, 709223-225
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 41/30   Decision processes by auton...

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

System, method and computer program product for behavioral partitioning of a network to detect undesirable nodes

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for behavioral partitioning of a network to detect undesirable nodes

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links