Honey monkey network exploration

US 8,812,652 B2
Filed: 06/17/2010
Issued: 08/19/2014
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. One or more processor-accessible storage devices comprising instructions that are executable by one or more processors to perform actions comprising:

visiting a uniform resource locator (URL) of a parent list of redirection URLs;

producing a child list of redirection URLs based on visiting the URL of the parent list of redirection URLs, the child list of redirection URLs including a plurality of child URLs;

recursively visiting the child URLs of the child list of redirection URLs to discover redirection relationships between the child URLs that are visited; and

creating a graph that includes the child URLs that are visited and that indicates the redirection relationships between the child URLs.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited.

27 Citations

View as Search Results

20 Claims

1. One or more processor-accessible storage devices comprising instructions that are executable by one or more processors to perform actions comprising:
- visiting a uniform resource locator (URL) of a parent list of redirection URLs;
  
  producing a child list of redirection URLs based on visiting the URL of the parent list of redirection URLs, the child list of redirection URLs including a plurality of child URLs;
  
  recursively visiting the child URLs of the child list of redirection URLs to discover redirection relationships between the child URLs that are visited; and
  
  creating a graph that includes the child URLs that are visited and that indicates the redirection relationships between the child URLs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more processor-accessible storage devices as recited in claim 1, wherein the actions further comprise:
    - visiting a given URL;
      
      monitoring URL redirections resulting from visiting the given URL; and
      
      tracing the URL redirections to produce the parent list of redirection URLs.
  - 3. The one or more processor-accessible storage devices as recited in claim 1, wherein site nodes and page nodes of the graph are visually differentiated.
  - 4. The one or more processor-accessible storage devices as recited in claim 1, wherein creating the graph comprises:
    - representing URLs with corresponding symbols; and
      
      visually indicating a number of redirections that are associated with each of the URLs by changing the corresponding symbols.
  - 5. The one or more processor-accessible storage devices as recited in claim 1, wherein creating the graph comprises visually differentiating between connections that represent relationships between site nodes and page nodes hosted by the site nodes and connections that represent redirection relationships.
  - 6. The one or more processor-accessible storage devices as recited in claim 1, wherein the actions further comprise:
    - visiting each respective URL of the parent list of redirection URLs;
      
      producing respective child lists of redirection URLs from visiting each respective URL of the parent list of redirection URLs; and
      
      recursively visiting child URLs of the respective child lists of redirection URLs to discover redirection relationships between the child URLs that are visited.
  - 7. The one or more processor-accessible storage devices as recited in claim 1, wherein the topology graph identifies content provider URLs and exploit provider URLs.
  - 8. The One or more processor-accessible storage devices of claim 1, wherein the parent list of redirection URLs, and the child list of redirection URLs, include URLs that a content location instructs a browser to auto-visit.
  - 9. The one or more processor-accessible storage devices of claim 1, wherein the actions include forming the redirection relationships between the child URLs by a first content of a first one of the child URL including an instruction to a browser to auto-visit second content of a second one of the child URLs.

10. a system comprising:
- one or more processors; and
  
  one or more processor-accessible storage media storing;
  
  a trace file;
  
  a browser; and
  
  a strider tracer module including instructions executable by the one or more processors to;
  
  determine a given uniform resource locator (URL) visited by the browser;
  
  trace visits to a number of redirection URLs in response to the browser visiting the given URL;
  
  log the visit to the given URL and the visits to the redirection URLs in the trace file; and
  
  generate a topology graph that indicates redirection relationships between the number of redirection URLs.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the trace file indicates directly visited URLs and indirectly visited URLs.
  - 12. The system of claim 10, wherein the one or more processor-accessible storage media store a dynamic link library (DLL) that loads into the browser and implements a URL tracer as a proxy, wherein requests to visit URLs from the browser are routed through the proxy.
  - 13. The system of claim 10, wherein the strider tracer module includes instructions executable by the processor to record one or more pages hosted by the given URL and one or more pages hosted by the number of redirection URLs.
  - 14. The system of claim 10, wherein the number of redirection URLs are visited with a redirection blocking feature enabled.
  - 15. The system of claim 10, wherein the strider tracer module includes instructions executable by the one or more processors to trace registry writes, file writes, process creations, or combinations thereof.
  - 16. The system of claim 10, wherein the one or more processor-accessible storage media store a honey monkey controller executable by the one or more processors to analyze the trace file to determine whether an exploit has been detected with respect to the visit to the given URL, with respect to the visits to the number of redirection URLs, or a combination thereof.
  - 17. The apparatus of claim 10, wherein the redirection URLs include URLs that a content location instructs a client to auto-visit while remaining at the content location.

18. A method comprising:
- determining a given uniform resource locator (URL) visited by a browser;
  
  tracing cross-domain auto visits to a number of redirection URLs in response to the browser visiting the given URL;
  
  logging the visit to the given URL and the cross-domain auto-visits to the redirection URLs in a trace file; and
  
  generating a topology graph that indicates redirection relationships between the number of redirection URLs, wherein the redirection relationships between the redirection URLs include a plurality of cross-domain auto visit relationships between the redirection URLs.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the generating the topology graph includes visually distinguishing between directly visited URLs and redirection URLs.
  - 20. The method of claim 18, further comprising analyzing the trace file to determine whether an exploit has been detected with respect to the visit to the given URL, with respect to the visits to the number of redirection URLs, or a combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Yi-Min, Beck, Douglas R.
Primary Examiner(s)
SALAD, ABDULLAHI ELMI

Application Number

US12/818,038
Publication Number

US 20100257592A1
Time in Patent Office

1,524 Days
Field of Search

709/224, 726 22- 25
US Class Current

709/224
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/125   involving control of end-de...

H04L 67/535   Tracking the activity of th...

Honey monkey network exploration

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Honey monkey network exploration

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links