System and method for prosecuting dangerous IP addresses on the internet

US 8,561,187 B1
Filed: 09/29/2011
Issued: 10/15/2013
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method for identifying and prosecuting a threatening Internet Protocol (IP) address on the Internet, the method comprising:

transmitting information to a server, the information comprising one or more events emanating from an IP address;

analyzing the one or more events at a server;

determining that the one or more events have violated a predetermined policy for conduct on the Internet;

publishing the IP address on a list of threatening IP addresses to be blocked by users adhering to the predetermined policy for conduct on the Internet; and

performing a threat aging algorithm for the IP address published on the list of threatening IP addresses to determine if the IP address should be removed from the list of threatening IP addresses, the threat aging algorithm comprising one or more of (i) determining a reoccurring behavior associated with the IP address and (ii) determining a volume of events performed by the IP address.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for prosecuting threatening IP addresses on the Internet and publishing a list of these threatening IP addresses for users to block is disclosed herein. If the IP address behaves properly according to a policy adhered to by the users, then the IP address may be paroled and removed from the list.

Citations

21 Claims

1. A method for identifying and prosecuting a threatening Internet Protocol (IP) address on the Internet, the method comprising:
- transmitting information to a server, the information comprising one or more events emanating from an IP address;
  
  analyzing the one or more events at a server;
  
  determining that the one or more events have violated a predetermined policy for conduct on the Internet;
  
  publishing the IP address on a list of threatening IP addresses to be blocked by users adhering to the predetermined policy for conduct on the Internet; and
  
  performing a threat aging algorithm for the IP address published on the list of threatening IP addresses to determine if the IP address should be removed from the list of threatening IP addresses, the threat aging algorithm comprising one or more of (i) determining a reoccurring behavior associated with the IP address and (ii) determining a volume of events performed by the IP address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, further comprising collecting the information at a plurality of slave proxies controlled by a proxy master.
  - 3. The method according to claim 1 further, comprising collecting the information at a plurality of client computers directed by a URL server.
  - 4. The method according to claim 1, further comprising collecting the information at a plurality of honeypot computers.
  - 5. The method according to claim 1, wherein the one or more events comprises an event associated with at least one of the following:
    - (i) click fraud, (ii) malware, (iii) Trojans, (iv) Botnets, (v) one or more operating system exploit, (vi) SQL injection attacks, (vii) local file inclusion attacks, (viii) DDoS attacks, and (ix) dictionary attacks.
  - 6. The method according to claim 1, further comprising determining that the IP address should be removed from the list.
  - 7. The method according to claim 1, further comprising generating a reputation value for the IP address.
  - 8. The method according to claim 1, further comprising:
    - transmitting event data from a plurality of sensors to a database; and
      
      processing the event data at a Map/Reduce engine to generate a result for transmitting to a prosecution server.
  - 9. The method according to claim 1, wherein analyzing the one or more events at the server comprises:
    - comparing the IP address to a list of known non-threatening IP addresses; and
      
      determining a sub-domain count for a host name associated with the IP address, wherein the host name is obtained using reverse domain name system (DNS) of the IP address; and
      
      determining a reputation value for the IP address.

10. A system for prosecuting threatening Internet Protocol (IP) addresses on the Internet, the system comprising:
- a plurality of sensors for detecting incidents associated with one or more IP addresses and generating event data associated with the one or more IP addresses;
  
  a database for storing the event data generated by the plurality of sensors; and
  
  a server configured to receive the event data, determine if an Internet policy code has been violated by the incidents associated with the one or more IP addresses, publish the one or more IP addresses on a list of threatening IP addresses, and perform a threat aging algorithm for the one or more IP addresses published on the list of threatening IP addresses to determine if the one or more IP addresses should be removed from the list of threatening IP addresses, the threat aging algorithm comprising one or more of (i) determining a reoccurring behavior associated with the one or more IP addresses and (ii) determining a volume of events performed by the one or more IP addresses.
- View Dependent Claims (11, 12, 13)
- - 11. The system according to claim 10, wherein the plurality of sensors comprises at least one of a plurality of slave proxy computers controlled by a master proxy server, a plurality of client computers and a plurality of sensor computers positioned globally.
  - 12. The system according to claim 10, further comprising an application server for receiving event data generated by the plurality of sensors prior to transmitting the event data to the database.
  - 13. The system according to claim 10, further comprising a Map/Reduce engine for processing the event data to generate information on threatening events emanating from threatening IP addresses.

14. A method for identifying and prosecuting a threatening IP address on the Internet, the method comprising:
- detecting, at a sensor, an event associated with one or more IP addresses;
  
  generating event data for the event associated with the one or more IP addresses;
  
  transmitting the event data to an application server;
  
  transmitting the event data from the application server to a database;
  
  processing the event data at a Map/Reduce engine to generate threatening events information for one or more IP addresses;
  
  transmitting the threatening events information to a prosecution server;
  
  analyzing the threatening events information at the prosecution server;
  
  determining that the threatening events associated with the one or more IP addresses has violated a predetermined policy for conduct on the Internet;
  
  publishing the one or more IP addresses on a list of threatening IP addresses to be blocked by users adhering to the predetermined policy for conduct on the Internet; and
  
  performing a threat aging algorithm for the one or more IP addresses published on the list of threatening IP addresses to determine if the one or more IP addresses should be removed from the list of threatening IP addresses, the threat aging algorithm comprising at least one of (i) determining a reoccurring behavior associated with the one or more IP addresses and (ii) determining a volume of events performed by the one or more IP addresses.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method according to claim 14, wherein the event comprises an event associated with at least one of the following:
    - (i) click fraud, (ii) malware, (iii) Trojans, (iv) Botnets, (v) one or more operating system exploits, (vi) SQL injection attacks, (vii) local file inclusion attacks, (viii) DDoS attacks, and (ix) dictionary attacks.
  - 16. The method according to claim 14, further comprising determining that the one or more IP addresses should be removed from the list.
  - 17. The method according to claim 14, further comprising:
    - using domain name system (DNS) to identify host names associated with the one more IP addresses; and
      
      leveraging a URL Reputation database to look up a reputation value representing a security risk assessment for the one or more IP addresses.
  - 18. The method according to claim 14, further comprising comparing the one or more IP addresses to a list of known non-threatening IP addresses at the prosecution server.
  - 19. The method according to claim 14, further comprising determining a sub-domain count for a host name for the one or more IP addresses, wherein the host name is obtained using reverse DNS of the IP address for each of the plurality of threatening IP addresses.
  - 20. The method according to claim 14, further comprising using a reputation value, a sub-domain count, and a whitelist to determine if the one or more IP addresses should be published on the list of threatening IP addresses.
  - 21. The method according to claim 14, wherein the Map/Reduce engine forms a prosecution cluster designed to scale to very high volumes of event data to perform prosecution of the events information for each of the one or more IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Hegli, Ron
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Okeke, Izunna

Application Number

US13/249,173
Time in Patent Office

747 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1491 using deception as counterm...

System and method for prosecuting dangerous IP addresses on the internet

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for prosecuting dangerous IP addresses on the internet

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links