Recording internet visitor threat information through an internet-based proxy service

US 8,751,633 B2
Filed: 11/04/2010
Issued: 06/10/2014
Est. Priority Date: 04/01/2010
Status: Active Grant

First Claim

Patent Images

1. A method in an Internet-based proxy service server to record Internet visitor threat information, the method comprising:

accessing a set of one or more visitor characteristics for a plurality of visitors to a set of one or more domains owned or operated by a first customer, the set of visitor characteristics being reported from a set of one or more proxy servers that are situated between client devices and a set of one or more origin servers for the set of domains;

causing the set of visitor characteristics to be displayed through a threat reporting interface of the Internet-based proxy service server that allows the first customer to report visitors as posing an Internet security threat;

receiving input from the first customer through the threat reporting interface that at least one of the visitors poses an Internet security threat; and

recording the at least one of the visitors poses an Internet security threat in one or more threat databases that are used by the set of proxy servers when determining whether to allow visitors to access network resources hosted at a set of one or more origin servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Internet-based proxy service server accesses a set of visitor characteristics for multiple visitors to a set of one or more domains operated by a customer. The set of visitor characteristics are reported from a set of one or more proxy servers that are situated between client devices and a set of one or more origin servers for the set of domains. The service server causes the set of visitor characteristics to be displayed through a threat reporting interface that allows the customer to report visitors as posing an Internet security threat. The service server receives input from the customer through the threat reporting interface that at least one of the visitors poses an Internet security threat, and records that visitor as an Internet security threat in one or more threat databases that are used by the proxy servers when determining whether to allow visitors to access network resources hosted at a set of one or more origin servers.

94 Citations

View as Search Results

21 Claims

1. A method in an Internet-based proxy service server to record Internet visitor threat information, the method comprising:
- accessing a set of one or more visitor characteristics for a plurality of visitors to a set of one or more domains owned or operated by a first customer, the set of visitor characteristics being reported from a set of one or more proxy servers that are situated between client devices and a set of one or more origin servers for the set of domains;
  
  causing the set of visitor characteristics to be displayed through a threat reporting interface of the Internet-based proxy service server that allows the first customer to report visitors as posing an Internet security threat;
  
  receiving input from the first customer through the threat reporting interface that at least one of the visitors poses an Internet security threat; and
  
  recording the at least one of the visitors poses an Internet security threat in one or more threat databases that are used by the set of proxy servers when determining whether to allow visitors to access network resources hosted at a set of one or more origin servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the set of visitor characteristics include one or more of:
    - IP address, User-Agent, country of the visitor, number of previous visited, identification of pages visited, and information posted.
  - 3. The method of claim 1, wherein the at least one of the visitors that poses an Internet security threat is recorded on a local restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer.
  - 4. The method of claim 1, wherein recording the at least one of the visitors that poses an Internet security threat in one or more threat databases includes performing the following for each of the at least one visitors:
    - recording in an event log database a record for that visitor that includes an indication that the first customer has indicated that the visitor poses an Internet security threat, wherein the record also includes at least one other rating originating from a set of one or more second customers that each indicate whether that visitor poses an Internet security threat;
      
      responsive to determining that there has been a sufficient number of ratings of the visitor from the customers, assigning that visitor a threat score based on each of the ratings of the visitor from each customer;
      
      responsive to determining that the threat score is sufficient to record the visitor as a global Internet security threat, recording the visitor on a global restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a plurality of origin servers including a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer and a second set of one or more origin servers belonging to one or more domains owned or operated by the set of second customers.
  - 5. The method of claim 4, wherein each customer that has rated the visitor is associated with a customer reputation score that indicates a relative trustworthiness of that customer, and wherein determining that there has been a sufficient number of ratings of the visitor from the customers includes:
    - adding the customer reputation scores of those customers together; and
      
      determining that the sum of those customer reputation scores is above a customer reputations threshold that indicates that there is a sufficient amount of data to make a global rating for the visitor.
  - 6. The method of claim 5, wherein each customer reputation score is based at least in part on whether the rating for the visitor aligns with other ratings from different customers.
  - 7. The method of claim 1, further comprising:
    - receiving input from the first customer through the threat reporting interface that indicates a type of Internet security threat that the at least one visitor poses.

8. An Internet-based proxy service server, comprising:
- a memory to store instructions;
  
  a processor coupled with the memory to process the stored instructions to;
  
  access a set of one or more visitor characteristics for a plurality of visitors to a set of one or more domains owned or operated by a first customer, the set of visitor characteristics being reported from a set of one or more proxy servers that are situated between client devices and a set of one or more origin servers for the set of domains;
  
  cause the set of visitor characteristics to be displayed through a threat reporting interface of the Internet-based proxy service server that allows the first customer to report visitors as posing an Internet security threat;
  
  receive input from the first customer through the threat reporting interface that at least one of the visitors poses an Internet security threat; and
  
  record the at least one of the visitors poses an Internet security threat in one or more threat databases that are used by the set of proxy servers when determining whether to allow visitors to access network resources hosted at a set of one or more origin servers.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The Internet-based proxy service server of claim 8, wherein the set of visitor characteristics include one or more of:
    - IP address, User-Agent, country of the visitor, number of previous visited, identification of pages visited, and information posted.
  - 10. The Internet-based proxy service server of claim 8, wherein the at least one of the visitors that poses an Internet security threat is recorded on a local restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer.
  - 11. The Internet-based proxy service server of claim 8, wherein recordation of the at least one of the visitors that poses an Internet security threat in one or more threat databases includes the processor to process the stored instructions to perform the following for each of the at least one visitors:
    - record in an event log database a record for that visitor that includes an indication that the first customer has indicated that the visitor poses an Internet security threat, wherein the record also includes at least one other rating originating from a set of one or more second customers that each indicate whether that visitor poses an Internet security threat;
      
      responsive to a determination that there has been a sufficient number of ratings of the visitor from the customers, assign that visitor a threat score based on each of the ratings of the visitor from each customer;
      
      responsive to a determination that the threat score is sufficient to record the visitor as a global Internet security threat, record the visitor on a global restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a plurality of origin servers including a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer and a second set of one or more origin servers belonging to one or more domains owned or operated by the set of second customers.
  - 12. The Internet-based proxy service server of claim 11, wherein each customer that has rated the visitor is associated with a customer reputation score that indicates a relative trustworthiness of that customer, and wherein the determination that there has been a sufficient number of ratings of the visitor from the customers includes the processor to process the stored instructions to:
    - add the customer reputation scores of those customers together; and
      
      determine that the sum of those customer reputation scores is above a customer reputations threshold that indicates that there is a sufficient amount of data to make a global rating for the visitor.
  - 13. The Internet-based proxy service server of claim 12, wherein each customer reputation score is based at least in part on whether the rating for the visitor aligns with other ratings from different customers.
  - 14. The Internet-based proxy service server of claim 8, wherein the processor is further to process the stored instructions to:
    - receive input from the first customer through the threat reporting interface that indicates a type of Internet security threat that the at least one visitor poses.

15. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor of an Internet-based proxy service server, cause said processor to perform operations comprising:
- accessing a set of one or more visitor characteristics for a plurality of visitors to a set of one or more domains owned or operated by a first customer, the set of visitor characteristics being reported from a set of one or more proxy servers that are situated between client devices and a set of one or more origin servers for the set of domains;
  
  causing the set of visitor characteristics to be displayed through a threat reporting interface of the Internet-based proxy service server that allows the first customer to report visitors as posing an Internet security threat;
  
  receiving input from the first customer through the threat reporting interface that at least one of the visitors poses an Internet security threat; and
  
  recording the at least one of the visitors poses an Internet security threat in one or more threat databases that are used by the set of proxy servers when determining whether to allow visitors to access network resources hosted at a set of one or more origin servers.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory machine-readable storage medium of claim 15, wherein the set of visitor characteristics include one or more of:
    - IP address, User-Agent, country of the visitor, number of previous visited, identification of pages visited, and information posted.
  - 17. The non-transitory machine-readable storage medium of claim 15, wherein the at least one of the visitors that poses an Internet security threat is recorded on a local restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer.
  - 18. The non-transitory machine-readable storage medium of claim 15, wherein recording the at least one of the visitors that poses an Internet security threat in one or more threat databases includes performing the following for each of the at least one visitors:
    - recording in an event log database a record for that visitor that includes an indication that the first customer has indicated that the visitor poses an Internet security threat, wherein the record also includes at least one other rating originating from a set of one or more second customers that each indicate whether that visitor poses an Internet security threat;
      
      responsive to determining that there has been a sufficient number of ratings of the visitor from the customers, assigning that visitor a threat score based on each of the ratings of the visitor from each customer;
      
      responsive to determining that the threat score is sufficient to record the visitor as a global Internet security threat, recording the visitor on a global restricted IP address list in the one or more threat databases that identifies IP addresses that are not allowed access to content hosted by a plurality of origin servers including a first set of one or more origin servers belonging to the set of domains owned or operated by the first customer and a second set of one or more origin servers belonging to one or more domains owned or operated by the set of second customers.
  - 19. The non-transitory machine-readable storage medium of claim 18, wherein each customer that has rated the visitor is associated with a customer reputation score that indicates a relative trustworthiness of that customer, and wherein determining that there has been a sufficient number of ratings of the visitor from the customers includes:
    - adding the customer reputation scores of those customers together; and
      
      determining that the sum of those customer reputation scores is above a customer reputations threshold that indicates that there is a sufficient amount of data to make a global rating for the visitor.
  - 20. The non-transitory machine-readable storage medium of claim 19, wherein each customer reputation score is based at least in part on whether the rating for the visitor aligns with other ratings from different customers.
  - 21. The non-transitory machine-readable storage medium of claim 15, further comprising:
    - receiving input from the first customer through the threat reporting interface that indicates a type of Internet security threat that the at least one visitor poses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Holloway, Lee Hahn, Prince, Matthew Browning, Pye, Ian Gerald
Primary Examiner(s)
Whipple, Brian P

Application Number

US12/939,935
Publication Number

US 20120117222A1
Time in Patent Office

1,314 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 16/95   Retrieval from the web

G06F 16/958   Organisation or management ...

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

G06F 40/14   Tree-structured documents p...

G06F 40/143   Markup, e.g. Standard Gener...

G06Q 10/107   Computer-aided management o...

G06Q 30/0241   Advertisements

G06Q 30/0251   Targeted advertisements

G06Q 30/0277   Online advertisement

H04L 47/745   Reaction in network

H04L 51/42   Mailbox-related aspects, e....

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/59   using proxies for addressing

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/083 : using passwords cryptograph...

H04L 63/0861 : using biometrical features,...

H04L 63/102 : Entity profiles

H04L 63/126 : the source of the received ...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 67/02 : based on web technology, e....

H04L 67/146 : Markers for unambiguous ide...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/561 : Adding application-function...

H04L 67/568 : Storing data temporarily at...

H04L 69/40 : for recovering from a failu...

View All

Recording internet visitor threat information through an internet-based proxy service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

94 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Recording internet visitor threat information through an internet-based proxy service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links