Reputation-based in-network filtering of client event information

US 9,171,151 B2
Filed: 11/16/2012
Issued: 10/27/2015
Est. Priority Date: 11/16/2012
Status: Active Grant

First Claim

Patent Images

1. A policy management system, comprising:

a processing device for implementing computing functionality comprising;

a reputation management system, comprising;

logic configured to receive reputation information from at least one reputation system, each instance of the reputation information identifying at least one client of interest and corresponding behaviors relating to attempts to access at least one service; and

logic configured to store the reputation information in a reputation data set; and

an analysis system comprising;

logic configured to receive the reputation information from the reputation management system;

logic configured to receive forwarded client event information provided by filtering logic, the filtering logic being provided within network infrastructure that connects clients to the at least one service, the client event information identifying behaviors relating to attempts to access the at least one service;

logic configured to generate at least one rule based on at least one instance of the reputation information in combination with the forwarded client event information; and

logic configured to deploy said at least one rule in the filtering logic, for the use by the filtering logic in filtering new client event information, produced by the clients, the new client event information being directed to said at least one service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy management system is described herein which generates rules based, at least in part, on reputation information provided by at least one reputation source and client event information forwarded by filtering logic. The policy management system then deploys the rules to the filtering logic. The filtering logic, which resides in-network between clients and at least one service, uses the rules to process client event information sent by the clients to the service(s). In one illustrative environment, the service corresponds to an ad hosting service, which uses the policy management system and filtering logic to help prevent malicious client traffic from reaching the ad host service, or otherwise negatively affecting the ad hosting service.

Citations

19 Claims

1. A policy management system, comprising:
- a processing device for implementing computing functionality comprising;
  
  a reputation management system, comprising;
  
  logic configured to receive reputation information from at least one reputation system, each instance of the reputation information identifying at least one client of interest and corresponding behaviors relating to attempts to access at least one service; and
  
  logic configured to store the reputation information in a reputation data set; and
  
  an analysis system comprising;
  
  logic configured to receive the reputation information from the reputation management system;
  
  logic configured to receive forwarded client event information provided by filtering logic, the filtering logic being provided within network infrastructure that connects clients to the at least one service, the client event information identifying behaviors relating to attempts to access the at least one service;
  
  logic configured to generate at least one rule based on at least one instance of the reputation information in combination with the forwarded client event information; and
  
  logic configured to deploy said at least one rule in the filtering logic, for the use by the filtering logic in filtering new client event information, produced by the clients, the new client event information being directed to said at least one service.
- View Dependent Claims (2, 3)
- - 2. The policy management system of claim 1, wherein said at least one reputation system is configured to generate an instance of the reputation information when it determines that a malicious client has performed a specified act within a network environment.
  - 3. The policy management system of claim 1, furthering including logic configured to receive and act on control instructions provided by said at least one service.

4. A computer readable storage device for storing computer readable instructions, the computer readable instructions providing an analysis system when executed by one or more processing devices, the computer readable instructions comprising:
- logic configured to receive a forwarded instance of client event information from filtering logic, the forwarded instance of client event information being generated in response to an attempt by a new client to interact with a service;
  
  logic configured to extract selected information from the forwarded instance of client event information;
  
  logic configured to receive reputation information provided by at least one reputation system, the reputation information identifying at least one client of interest and corresponding behaviors relating to attempts to access at least one service;
  
  logic configured to compare the selected information with the reputation information to determine whether the forwarded instance of client event information is similar to the reputation information of any of the clients of interest, the new client being referred to as an identified client if the client event information is similar to the reputation information;
  
  logic configured to produce at least one rule that is associated with the identified client from the reputation information and the client event information; and
  
  logic configured to deploy said at least one rule in the filtering logic, for subsequent use by the filtering logic in filtering new client event information of other new clients.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The computer readable storage device of claim 4, wherein the instructions further comprise:
    - logic configured to determine whether the identified client exhibits behavior that is similar to at least one other client,wherein said at least one rule, produced by said logic configured to produce, identifies both the identified client and said at least one other client.
  - 6. The computer readable storage device of claim 4, wherein the instructions further comprise:
    - logic configured to determine whether the identified client is a member of a subnet that has a number of clients of interest that satisfies a prescribed threshold, wherein said at least one rule, produced by said logic configured to produce, identifies all clients in the subnet.
  - 7. The computer readable storage device of claim 4, wherein the analysis system operates by producing a plurality of candidate rules, and wherein the instructions further comprise:
    - logic configured to sort the candidate rules using a specified cost function, to provide a sorted list of candidate rules having N entries, wherein the filtering logic has a capacity which accommodates storage of M rules.
  - 8. The computer readable storage device of claim 7, wherein the instructions further comprise:
    - logic configured to provide M top-ranked candidate rules from the list of candidate rules to the filtering logic, provided that N≧
      
      M; and
      
      logic configured to additionally provide M−
      
      N random rules, provided that N<
      
      M, the M−
      
      N rules being generated based on clients of interest specified in the reputation information.
  - 9. The computer readable storage device of claim 7, wherein, for each client entity under consideration, the cost function takes into consideration one or more of:
    - at least one factor which reflects how recently the client entity under consideration has sent client event information;
      
      at least one factor which reflects how frequently the client entity under consideration has sent client event information; and
      
      at least one factor which reflects a duration of a connection associated with the client entity under consideration.

10. A method, performed by physical computing functionality, for filtering client event information, comprising the steps of:
- storing a plurality of rules in a data store of filtering logic;
  
  wherein each rule in the plurality of rules is generated, in part, based on reputation information received from at least one reputation system, each instance of the reputation information identifying at least one client of interest and behaviors by the at least one client of interest that reflects activity performed by the at least one client of interest in an attempt to interact with at least one service;
  
  receiving an instance of client event information from a new client that reflects activity performed by the new client in an attempt to interact with a service;
  
  determining whether the instance of client event information matches a rule in the plurality of rules, to identify a matching rule upon a match; and
  
  performing an action on the instance of client event information, as specified by the matching rule, prior to forwarding the instance of client event information to the service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the service corresponds to an ad hosting service, and wherein the action is performed to reduce instances of fraudulent client event information reaching the ad hosting service.
  - 12. The method of claim 10, wherein the action corresponds to one or more of:
    - blocking further propagation of the instance of client event information;
      
      routing the instance of client event information to at least one target destination; and
      
      tagging the instance of client event information with tagging information.
  - 13. The method of claim 10, wherein at least one rule specifies a single client of interest.
  - 14. The method of claim 10, wherein at least one rule includes a mask that specifies two or more clients of interest.
  - 15. The method of claim 14, wherein said two or more clients of interest have been determined, by a policy management system, to belong to an identified subnet having a prescribed number of clients of interest.
  - 16. The method of claim 10, wherein the filtering logic corresponds to at least one filtering unit added to existing filtering infrastructure,said at least one filtering unit being dedicated to performing said storing, receiving, determining, and performing,and the existing filtering infrastructure performing other filtering tasks besides said storing, receiving, determining, and performing.
  - 17. The method of claim 10, wherein the filtering logic corresponds to supplemental functions added to existing filtering infrastructure,the existing filtering infrastructure performing other filtering tasks besides said storing, receiving, determining, and performing.
  - 18. The method of claim 10, wherein the filtering logic corresponds to a hierarchy of filtering units, each filtering unit storing a subset of the plurality of rules.
  - 19. The method of claim 10, further comprising forwarding client event information to a policy management system, to provide forwarded client event information, wherein the policy management system uses the forwarded client event information, together with reputation information received from at least one reputation system, to generate updated rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Behrendt, Daniel P., Groves, Vernon R., Arnold, John F., Arefin, Md Ahsan
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/678,556
Publication Number

US 20140143825A1
Time in Patent Office

1,075 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

Reputation-based in-network filtering of client event information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Reputation-based in-network filtering of client event information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links