Mining user behavior data for IP address space intelligence

US 8,789,171 B2
Filed: 03/26/2008
Issued: 07/22/2014
Est. Priority Date: 03/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method for mining behavioral data from users of a system of identified users, the method comprising:

monitoring user behavior of the identified users in the system;

compiling information about behavior of a user of the system within an Internet Protocol address space;

estimating a nature of an Internet Protocol address the user uses to access the system by determining whether the Internet Protocol address is static or dynamic;

characterizing the Internet Protocol address according to a network type,identifying user behavior as malicious activity; and

performing a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on the nature of the Internet Protocol Address of the user,wherein the monitoring, the compiling, the estimating, the characterizing, the identifying, and the performing are performed in a computing system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol (“IP”) space intelligence. Specifically, the claimed subject matter provides a method and system of mining user behavior within an IP address space and the application of the IP address space intelligence derived from the mined user behavior.

In one embodiment, the IP address space intelligence is formed and/or increased with information obtained from the mined user behavior data. A system of uniquely-identified users is monitored and their behavior within the IP address space is recorded. Further data is mined from estimated characteristics about the user, including the nature of the IP address the user uses to log into the service, and characterizing the IP address according to a network type.

Citations

23 Claims

1. A method for mining behavioral data from users of a system of identified users, the method comprising:
- monitoring user behavior of the identified users in the system;
  
  compiling information about behavior of a user of the system within an Internet Protocol address space;
  
  estimating a nature of an Internet Protocol address the user uses to access the system by determining whether the Internet Protocol address is static or dynamic;
  
  characterizing the Internet Protocol address according to a network type,identifying user behavior as malicious activity; and
  
  performing a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on the nature of the Internet Protocol Address of the user,wherein the monitoring, the compiling, the estimating, the characterizing, the identifying, and the performing are performed in a computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein estimating the nature of the Internet Protocol address used to access the system further comprises determining whether the Internet Protocol address is a proxy address or an address used by a network address translation device.
  - 3. The method of claim 2, wherein determining if the Internet Protocol Address is the proxy address or the address used by a network address translation device further comprises evaluating heavy user activity on a given Internet Protocol Address.
  - 4. The method of claim 1, wherein determining whether the Internet Protocol address is dynamic further comprises monitoring user log-ins over a period of time to determine dynamic pools of Internet Protocol addresses available to the user when connecting to the Internet.
  - 5. The method of claim 4, wherein determining a dynamic pool of Internet Protocol addresses an identified user can use to access the Internet with a dynamic Internet Protocol address further comprises:
    - collecting user data of a presence of the user seen on a first subnet;
      
      monitoring one or more second subnets for the presence of the user; and
      
      grouping the first subnet and the second subnets together to form the dynamic pool of Internet Protocol addresses the user can be assigned to when connecting to the Internet with the dynamic Internet Protocol address.
  - 6. The method of claim 5, wherein grouping the first subnet and the second subnets together comprises performing probabilistic analysis to determine a level of consensus of users with a user presence on both the first and second subnets.
  - 7. The method of claim 1, wherein characterizing the Internet Protocol address according to a network type further comprises using a time series analysis of user activities at the determined Internet Protocol address of the user.
  - 8. The method of claim 7, wherein a time series analysis of user activities further comprises comparing a log of the user activities with certain distinctions corresponding to the various network types.
  - 9. The method of claim 1, the method further comprising estimating dynamic characteristics related to the Internet Protocol address.
  - 10. The method according to claim 1, wherein the proactive measures comprise preventing a user corresponding to the identified malicious activity from distributing files of a specified file type.
  - 11. The method according to claim 1, wherein the proactive measures comprise blocking emails from being sent from the Internet Protocol Address of the user.
  - 12. The method according to claim 1, wherein the proactive measures comprise downgrading a number of clicks received from the Internet Protocol Address of the user.
  - 13. The method of claim 1, further comprising:
    - mapping the user of the system to the identified malicious activity; and
      
      storing the user linked to malicious activity on a plurality of occasions into a database of identified infected users.

14. A method of tracking behavior in a system of identified users based on mined behavior data for an Internet Protocol address space, the method comprising:
- mining behavioral data from a system of identified users by monitoring user behavior in the system and deriving information about user behavior in an Internet Protocol address space based on the monitored user behavior;
  
  identifying one or more activities;
  
  tracking the one or more activities to one or more Internet Protocol Address(es);
  
  determining if the one or more Internet Protocol Address(es) are static or dynamic;
  
  mapping the identified activity to the one or more Internet Protocol Addresses of a user, the identified activity comprising identified malicious activity; and
  
  performing a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on whether the Internet Protocol Address(es) are static or dynamic,wherein the mining, the identifying, the determining, the mapping and the performing are performed in a computer system.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, the method further comprising recording a log of user data, the log of user data including:
    - an identity of the user;
      
      one or more actions of the user;
      
      the Internet Protocol address from which the user was observed performing an action; and
      
      a time the action was performed.
  - 16. The method of claim 15, the method further comprising recording a log of identified activities and the Internet Protocol addresses the activities access the system from.
  - 17. The method of claim 16, wherein mapping a user to the identified activity from the Internet Protocol address of the user further comprises cross referencing the log of user data with the log of identified activities to determine the probability that a specific user is associated with the identified activity.
  - 18. The method of claim 17, the method further comprising recording a log of infected users, wherein the log of infected users records the users mapped to identified malicious activity.

19. A system for tracking malicious behavior in a system of identified users based on mined behavior data for an Internet Protocol address space, the system comprising:
- a computer system having a processor coupled to a memory, the memory having computer readable code, which when executed by the processor causes the computer system to implement an application for tracking user behavior in a system of identified users based on mined behavior data for the Internet Protocol address space,wherein, the application tracks user behavior in a system by mining behavioral data from users of a system of identified users by deriving information about user behavior in the Internet Protocol address space, linking a specific user of the system to activity occurring with the Internet Protocol address space based upon the information obtained, identifying malicious activity and tracking the malicious activity to a Internet Protocol Address of a user, and mapping the user to the identified malicious activity coming from the Internet Protocol Address of the user,wherein, deriving information about user behavior in the Internet Protocol address space comprises estimating a nature of the Internet Protocol address the user uses to access the system by determining whether the Internet Protocol address is static or dynamic,further wherein, the application performs a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on whether the Internet Protocol Address(es) are static or dynamic.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system according to claim 19, wherein the user accesses the system from a remote computing device.
  - 21. The system according to claim 20, wherein the remote computing device is a computer system.
  - 22. The system according to claim 20, wherein the remote computing device is a hand-held computing device.
  - 23. The system according to claim 20, wherein the use accesses the system via the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Osipkov, Ivan, Hulten, Geoffrey, Mehr, John, Xie, Yinglian, Yu, Fang
Primary Examiner(s)
McNally, Michael S

Application Number

US12/055,321
Publication Number

US 20090249480A1
Time in Patent Office

2,309 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/5061   Pools of addresses

H04L 63/1408   by monitoring network traff...

H04L 67/535   Tracking the activity of th...

Mining user behavior data for IP address space intelligence

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Mining user behavior data for IP address space intelligence

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links