Method and system for tracking machines on a network using fuzzy GUID technology
First Claim
1. In a computer-based system which includes a processor, a method for tracking machines on a network of computers, the method comprising:
identifying a malicious host coupled to the network of computers;
determining, using the processor, a first IP (Internet Protocol) address and attributes associated with the malicious host during a first time period;
determining, using the processor, an attribute fuzzy GUID (Globally Unique Identifier) for the first IP address and each of the attributes, the attribute fuzzy GUID being a globally unique identifier associated with the first IP address and each of the attributes;
forming, using the processor, a host fuzzy GUID of the malicious host based on the first IP address and the attributes by processing the attribute fuzzy GUID associated with the first IP address and each of the attributes, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information;
classifying the malicious host to be in a determined state;
during a second time period, classifying the malicious host to be in a latent state;
identifying, using the processor, an unknown host during the second time period, the unknown host being associated with a second IP address and one or more attributes;
processing, using the processor, the second IP address and the one or more attributes of the unknown host in conjunction with the first IP address and the one or more attributes of the malicious host; and
determining, using the processor, if the malicious host has moved from the first IP address to the second IP address, thereby identifying if the unknown host is the malicious host.
Abstract
A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a world wide network of computers, e.g., the Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.
20 Claims
1. (Independent claim; text as set out under First Claim above.) Dependent claims: 2, 3, 18
4. In a computer-based system which includes a processor, a method for querying a knowledgebase of malicious hosts, the method comprising:
providing a network of computers, the network of computers including a plurality of unknown malicious host machines, the plurality of unknown malicious host machines being disposed throughout the network of computers;
querying, using the processor, a knowledge base including a plurality of known malicious hosts, the knowledge base being coupled to the network of computers;
receiving, using the processor, first information and attributes associated with an unknown host from the network;
determining, using the processor, an attribute fuzzy GUID (Globally Unique Identifier) for the first information and each of the attributes, the attribute fuzzy GUID being a globally unique identifier associated with the first information and each of the attributes;
forming, using the processor, a host fuzzy GUID (Globally Unique Identifier) of the unknown host by processing each of the attribute fuzzy GUIDs associated with the received first information and attributes, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information;
querying, using the processor, the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base; and
outputting, using the processor, second information associated with the unknown host based upon the querying process.
Dependent claims: 5, 6, 7, 8, 9
10. A computer based method for populating a database to form a knowledge base of malicious host entities, the method comprising:
collecting one or more evidences from an unknown host;
determining a plurality of identity attributes from the one or more evidences, the plurality of identity attributes being associated with the unknown host;
assigning a quality measure to each of the plurality of identity attributes;
determining an attribute fuzzy GUID (Globally Unique Identifier) for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being a globally unique identifier associated with the plurality of identity attributes;
processing the attribute fuzzy GUID for each of the plurality of identity attributes according to the quality measure to determine a host fuzzy GUID for the unknown host, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information; and
storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
Dependent claims: 11, 12, 19
13. A computer based system for populating a database to form a knowledge base of malicious host entities, the system comprising a machine readable memory or memories, the memory or memories comprising:
one or more codes directed to collecting one or more evidences from an unknown host;
one or more codes directed to determining a plurality of identity attributes from the one or more evidences, the plurality of identity attributes being associated with the unknown host;
one or more codes directed to assigning a quality measure to each of the plurality of identity attributes;
one or more codes directed to determining an attribute fuzzy GUID (Globally Unique Identifier) for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being associated with the plurality of identity attributes;
one or more codes directed to processing the attribute fuzzy GUID for each of the plurality of identity attributes, in order from a highest quality measure to a lowest quality measure, to determine a host fuzzy GUID for the unknown host, wherein the host fuzzy GUID is a globally unique identifier for each host and includes behavior information; and
one or more codes directed to storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
Dependent claims: 14, 15, 16, 17, 20
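The four independent claims (1, 4, 10 and 13) describe one pipeline: derive a fuzzy GUID for each identity attribute, weight the attributes by a quality measure, fold them from highest to lowest quality into a host fuzzy GUID that also carries a behaviour label, age a host into the latent state when it goes quiet, and score an unknown host against the knowledge base so that a machine that has moved to a new IP address is still recognized. The Python below is an added illustration of that pipeline, not code from the patent, its specification or its assignee, and it fills in details the claims leave open with assumptions of its own: the attribute fuzzy GUID is taken to be a SHA-256 digest of (attribute name, normalized value); the QUALITY table, the quality-weighted overlap in match_score, the 0.6 match threshold, the 3600 s latent timeout and every piece of host evidence (addresses from the documentation ranges, placeholder JA3 strings, banners) are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Assumed quality measures (mine, not the patent's): how strongly each attribute type
# identifies a host. An IP address is cheap for an operator to change, while a TLS client
# fingerprint or SSH client banner is tied to the tooling and survives an address change.
QUALITY = {
    "tls_ja3": 0.8,
    "ssh_client_banner": 0.5,
    "http_user_agent": 0.4,
    "ip": 0.2,
}


def attribute_guid(name: str, value: str) -> str:
    """Attribute fuzzy GUID as assumed here: a stable digest of (name, normalized value)."""
    normalized = value.strip().lower()
    return hashlib.sha256(f"{name}={normalized}".encode()).hexdigest()[:16]


@dataclass
class HostGuid:
    host_id: str
    behaviour: str              # coarse behaviour label carried with the identity
    attrs: list                 # [(attribute_guid, quality, name)], highest quality first
    state: str = "determined"   # "determined" while recently observed, "latent" once aged out
    last_seen: int = 0          # epoch seconds of the most recent observation


def build_host_guid(host_id: str, evidence: dict, behaviour: str, seen_at: int) -> HostGuid:
    """Host fuzzy GUID: one attribute GUID per evidence item, ordered from highest quality down."""
    attrs = [(attribute_guid(n, v), QUALITY.get(n, 0.1), n) for n, v in evidence.items()]
    attrs.sort(key=lambda a: a[1], reverse=True)
    return HostGuid(host_id, behaviour, attrs, last_seen=seen_at)


def match_score(unknown: HostGuid, known: HostGuid) -> float:
    """Quality-weighted share of the known host's attribute GUIDs that the unknown host shares."""
    known_guids = {g for g, _, _ in known.attrs}
    total = sum(q for _, q, _ in known.attrs)
    shared = sum(q for g, q, _ in unknown.attrs if g in known_guids)
    return shared / total if total else 0.0


def update_states(kb: dict, now: int, latent_after: int = 3600) -> None:
    """Move hosts not observed within latent_after seconds to the latent state."""
    for host in kb.values():
        host.state = "latent" if now - host.last_seen > latent_after else "determined"


def query_knowledge_base(kb: dict, unknown: HostGuid, threshold: float = 0.6):
    """Best-scoring known host at or above threshold as (host_id, score, moved_ip), else None."""
    best = None
    for host_id, known in kb.items():
        score = match_score(unknown, known)
        if score >= threshold and (best is None or score > best[1]):
            known_ip = next((g for g, _, n in known.attrs if n == "ip"), None)
            unknown_ip = next((g for g, _, n in unknown.attrs if n == "ip"), None)
            best = (host_id, round(score, 3), known_ip != unknown_ip)
    return best


def record_observation(kb: dict, host_id: str, observed: HostGuid) -> None:
    """Fold a matched observation into the known host: adopt its attributes, return to determined."""
    known = kb[host_id]
    known.attrs, known.last_seen, known.state = observed.attrs, observed.last_seen, "determined"


# Constructed sample evidence (not real traffic). T1: host seen brute-forcing SSH.
T1, T2 = 1_700_000_000, 1_700_010_000
KB = {}
KB["mal-0001"] = build_host_guid("mal-0001", {
    "ip": "203.0.113.7",
    "tls_ja3": "ja3-constructed-0001",
    "ssh_client_banner": "SSH-2.0-libssh_0.9.6",
    "http_user_agent": "python-requests/2.31.0",
}, behaviour="ssh-bruteforce", seen_at=T1)

update_states(KB, now=T2)   # silent for ~2.8 h: mal-0001 is now latent

# T2: the same toolchain shows up from a new address. Only the IP attribute differs.
UNKNOWN_A = build_host_guid("unk-a", {
    "ip": "198.51.100.23",
    "tls_ja3": "ja3-constructed-0001",
    "ssh_client_banner": "SSH-2.0-libssh_0.9.6",
    "http_user_agent": "python-requests/2.31.0",
}, behaviour="ssh-bruteforce", seen_at=T2)

# T2: a different machine that inherited the old address (DHCP or cloud reassignment).
UNKNOWN_B = build_host_guid("unk-b", {
    "ip": "203.0.113.7",
    "tls_ja3": "ja3-constructed-0002",
    "http_user_agent": "Mozilla/5.0",
}, behaviour="web-browsing", seen_at=T2)

RESULT_A = query_knowledge_base(KB, UNKNOWN_A)   # ('mal-0001', 0.895, True): moved IP
RESULT_B = query_knowledge_base(KB, UNKNOWN_B)   # None: an IP-only overlap scores 0.2 / 1.9

if __name__ == "__main__":
    print("unknown A:", RESULT_A)
    print("unknown B:", RESULT_B)
```

The design point the example makes concrete is the one a defender cares about when building such a knowledge base: the IP address gets the lowest quality measure, so a reassigned address on its own (UNKNOWN_B) stays below the threshold and an innocent host is not tagged, while a matching toolchain fingerprint across addresses (UNKNOWN_A) is enough to recognize the latent host and flag the move. The concrete quality values, the overlap metric and the threshold are tuning choices for this illustration; the specification of the patent, which is not reproduced on this page, may define the GUID derivation and the combination rule differently.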