Method and system for processing a stream of information from a computer network using node based reputation characteristics

US 8,763,113 B2
Filed: 10/17/2006
Issued: 06/24/2014
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method, implemented in a computer system that includes at least one processor and at least one storage device, for determining a reputation of a node using information received electronically from a plurality of submitters, the method comprising:

receiving information about one or more nodes from a submitter of the plurality of submitters, the one or more nodes being associated with a network, wherein the submitter is distinct from the one or more nodes;

identifying, using the at least one processor, a reputation of the submitter from a knowledge base, wherein the reputation of the submitter is determined at least by assertions associated with the submitter'"'"'s past behavior and attributes from one or more submitters of a second plurality of submitters weighted by reputations of the one or more submitters;

determining, using the at least one processor, a node reputation of the node based upon at least the reputation of the submitter and the received information from the submitter wherein the node reputation of the node in a context is determined by calculating the sum of all assertions from the submitter with respect to the context weighted by each submitter'"'"'s reputation in the context, wherein the node reputation is expressed as a rational number based on normalized assertions, where a normalized assertion is expressed as

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing information from a variety of submitters, e.g., forensic sources. The method includes receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N. In a specific embodiment, the one or more nodes are associated respectively with one or more IP addresses on a world wide network of computers. The method includes identifying a submitter reputation of the submitter from a knowledge base and associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter. The method also transfers the node reputation.

Citations

32 Claims

1. A method, implemented in a computer system that includes at least one processor and at least one storage device, for determining a reputation of a node using information received electronically from a plurality of submitters, the method comprising:
- receiving information about one or more nodes from a submitter of the plurality of submitters, the one or more nodes being associated with a network, wherein the submitter is distinct from the one or more nodes;
  
  identifying, using the at least one processor, a reputation of the submitter from a knowledge base, wherein the reputation of the submitter is determined at least by assertions associated with the submitter'"'"'s past behavior and attributes from one or more submitters of a second plurality of submitters weighted by reputations of the one or more submitters;
  
  determining, using the at least one processor, a node reputation of the node based upon at least the reputation of the submitter and the received information from the submitter wherein the node reputation of the node in a context is determined by calculating the sum of all assertions from the submitter with respect to the context weighted by each submitter'"'"'s reputation in the context, wherein the node reputation is expressed as a rational number based on normalized assertions, where a normalized assertion is expressed as
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the submitter is selected from a firewall log, a client device, a spam trap, a spam filter server, or a virus filter server.
  - 3. The method of claim 1 further comprising assigning a policy to the node based upon at least the node reputation.
  - 4. The method of claim 1 further comprising storing the submitter reputation in the knowledge base as legal evidence.
  - 5. The method of claim 1 further comprising receiving information about the one or more nodes from another submitter.

6. A system for determining a reputation of an actor using information received electronically from a plurality of submitters, the system comprising:
- a processor;
  
  a non-transitory storage medium; and
  
  computer code stored in said non-transitory storage medium wherein said computer code, when retrieved from said storage medium and executed by said processor, results in;
  
  receiving information about an actor from a submitter of the a plurality of submitters the actor being associated with a network, wherein the submitter is distinct from the actor;
  
  identifying a reputation of the submitter from a knowledge base, wherein the reputation of the submitter is associated with past behavior of the submitter and is determined at least by assertions from one or more submitters from a second plurality of submitters weighted by reputations of the one or more submitters;
  
  determining a reputation of the actor based upon at least the reputation of the submitter and the received information from the submitter, wherein the reputation of the actor is determined at least by assertions regarding past behaviors of the actor from the submitter weighted by the submitter reputation; and
  
  transferring to a user of the system the reputation of the actor;
  
  wherein the reputation of the submitter in a context is determined by calculating the sum of all assertions from the one or more submitter with respect to the context weighted by reputation in the context of each of the one or more submitters;
  
  wherein the reputation of the actor is expressed as a rational number based on normalized assertions, where a normalized assertion is expressed as
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6 wherein the actor comprises an internet node.
  - 8. The system of claim 6 wherein the actor comprises an entity controlling the behavior of a network node.
  - 9. The system of claim 8 wherein the entity comprises a human user or an automated computer program.
  - 10. The system of claim 6 wherein the actor comprises a combination of an internet node and an entity controlling the internet node either directly or remotely.
  - 11. The system of claim 6 wherein the actor comprises a combination of an internet node and an entity controlling the internet node, the actor being configured to operate through a proxy.
  - 12. The system of claim 6 wherein the actor is associated with one or more of the following identifiers:
    - an email address of a user, an attribute, a device ID of a network node, an ISP name, a country of origin, an IP address, a host operating system, and a host ID.
  - 13. The system of claim 6 wherein the information about the actor comprises information about fraudulent behaviors.
  - 14. The system of claim 6 further comprising one or more codes directed to processing at least the reputation of the submitter and submitted information from the submitter by a firewall process, an intrusion detection process, or a filtering process, wherein the reputation of the actor associates the actor with fraudulent behaviors.

15. In a system for characterizing reputations of one or more nodes in a computer network environment, the system comprising at least one processor and a knowledge base implemented on at least one non-transitory storage device, the at least one non-transitory device comprises a knowledge base which, when accessed by the at least one processor, provides reputations for the one or more nodes,the knowledge base having information about a plurality of nodes, each of the nodes being assigned one or more reputation characteristics, each of the reputation characteristics comprising one or more of a plurality of properties, one or more of the properties being associated with a submitter, the submitter having a submitter reputation characteristic, wherein the submitter reputation characteristics is determined at least by assertions regarding past behaviors of the submitter from one or more submitters from a second plurality of submitters weighted by reputations of the one or more submitters;
- wherein the reputation characteristic of the submitter in a context is determined by calculating the sum of all assertions from the one or more submitter with respect to the context weighted by reputation in the context of each of the one or more submitters;
  
  wherein the reputation of the actor is expressed as a rational number based on normalized assertions, where a normalized assertion is expressed as
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15 wherein the submitter reputation characteristic comprises a history of the submitter.
  - 17. The system of claim 15 wherein the submitter reputation characteristic comprises a history of the submitter, the history comprising a plurality of submitter components.
  - 18. The system of claim 17 wherein one of the submitter components is a correlation between the submitter and one or more other submitters.
  - 19. The system of claim 17 wherein one of the submitter components is a frequency of activity of the submitter.
  - 20. The system of claim 17 wherein one of the submitter components is a volume of activity of the submitter.
  - 21. The system of claim 17 wherein one of the submitter components is a type of different information being provided by the submitter.
  - 22. The system of claim 15 wherein the number of nodes is four billion.
  - 23. The system of claim 15 wherein the number of nodes is less than one percent of a total number of active nodes.

24. A method, implemented in a computer system that includes at least one processor and at least one storage device, for creating a real time knowledge base of a plurality of nodes based on input received electronically from a plurality of submitters, the method comprising:
- receiving first information about one or more nodes from a first submitter of the plurality of submitters, the one or more nodes being associated with a network, wherein the submitter is distinct from the one or more nodes;
  
  identifying, using the at least one processor, a reputation of the first submitter from a knowledge base, the submitter being one of the plurality of submitters, wherein the reputation of the submitter is associated with past behavior of the submitter;
  
  determining, using the at least one processor, a node reputation of the node based upon at least the reputation of the first submitter and first submitted assertion regarding past behavior of the node from the first submitter;
  
  storing the first submitted assertion in a first portion of the knowledge base; and
  
  repeating the receiving, identifying, associating, and storing for second information from a second submitter;
  
  wherein the node reputation of the node in a context is determined according to the following equations,
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The method of claim 24 wherein the repeating occurs automatically to update the knowledge base.
  - 26. The method of claim 24 further comprising repeating the receiving, identifying, associating, and storing for other submitters.
  - 27. The method of claim 24 further comprising receiving a request for submitter reputation information and transferring the submitter reputation information through the world wide network of computers.
  - 28. The method of claim 24 wherein the receiving comprises a push process or a pull process.
  - 29. The method of claim 24 wherein the node reputation comprises at least a score, the score being a measure of historic behavior.
  - 30. The method of claim 24 wherein the knowledge base comprises at least 30 Gigabytes of disk space.
  - 31. The method of claim 24 wherein the knowledge base comprises a database.
  - 32. The method of claim 24 further comprising determining one or more zones, each of the zones representing one or more of the nodes, each of the zones being associated with a unique set of reputations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Thomas, Scott, Jones, David G.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/550,393
Publication Number

US 20070214151A1
Time in Patent Office

2,807 Days
Field of Search

713/150, 713153-155, 713/189, 713/190, 726/2, 726/3, 726/5, 726 11- 15, 726 22- 25
US Class Current

726/22
CPC Class Codes

G06F 16/3331   Query processing

G06F 16/3334   Selection or weighting of t...

G06F 2216/03   Data mining

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Method and system for processing a stream of information from a computer network using node based reputation characteristics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for processing a stream of information from a computer network using node based reputation characteristics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links