Method for tracking machines on a network using multivariable fingerprinting of passively available information

US 9,444,835 B2
Filed: 08/08/2014
Issued: 09/13/2016
Est. Priority Date: 10/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for remote tracking of machines on a network of computers, the method comprising:

determining one or more assertions to be monitored for a first web site server, the first web site server being coupled to the network of computers;

monitoring traffic flowing to the first web site server through the network of computers;

identifying the one or more assertions from the traffic to determine a malicious host from the network of computers;

associating a first IP address and a first hardware fingerprint to the one or more assertions of the malicious host, wherein the first hardware fingerprint includes sampled attributes associated with one or more of stack ticks, time skew, and TCP Window size;

storing information associated with the first IP address, the first hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database;

identifying an unknown host coupled to a second web site server;

determining a second IP address and a second hardware fingerprint associated with the unknown host; and

determining if the unknown host is a malicious host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host.

Citations

14 Claims

1. A method for remote tracking of machines on a network of computers, the method comprising:
- determining one or more assertions to be monitored for a first web site server, the first web site server being coupled to the network of computers;
  
  monitoring traffic flowing to the first web site server through the network of computers;
  
  identifying the one or more assertions from the traffic to determine a malicious host from the network of computers;
  
  associating a first IP address and a first hardware fingerprint to the one or more assertions of the malicious host, wherein the first hardware fingerprint includes sampled attributes associated with one or more of stack ticks, time skew, and TCP Window size;
  
  storing information associated with the first IP address, the first hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database;
  
  identifying an unknown host coupled to a second web site server;
  
  determining a second IP address and a second hardware fingerprint associated with the unknown host; and
  
  determining if the unknown host is a malicious host.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the first hardware fingerprint comprises a device fingerprint.
  - 3. The method of claim 1 wherein the sampled attributes further include remote determination of one or more of ISP, Local Storage Object, first Party Browser Cookie, third Party Browser Cookie, TCP IP Address, HTTP IP Address, HTTPS IP Address, RTSP IP Address, RTP IP Address, FTP IP Address, DNS Names Server IP Address, Maximum Transmission Unit, Connection Type, Connection Speed, Bogon Hijack Address, Static/Dynamic Address, Proxy IP Address, TCP Sequence Number, Browser string, Screen Resolution, Screen DPI, PC Start Time, HTTP Header information, Local Time, Clock-Offset, Clock-Drift, PC Time Zone, Browser Plugins, Enabled and Disabled Browser functions, Browser Document Object Model, Operating System, and Listening, Open and Closed Sockets or other available or derivable information.
  - 4. The method of claim 1 wherein at least one of the malicious host or the unknown host is protected by a proxy.
  - 5. The method of claim 1 wherein at least one of the malicious host or the unknown host is protected by an intermediary network device to disguise its IP Address.
  - 6. The method of claim 1 wherein the first hardware fingerprint is formed by a fingerprinting device associated with the first website server and the second website server.
  - 7. The method of claim 1 wherein the first hardware fingerprint is formed by a fingerprinting device that resides on a data path between the unknown host and the first website server or the second website server.

8. A system for remote tracking of machines on a network of computers, comprising:
- one or more processors configured to;
  
  determine one or more assertions to be monitored for a first web site server, the first web site server being coupled to the network of computers;
  
  monitor traffic flowing to the first web site through the network of computers;
  
  identify the one or more assertions from the traffic to determine a malicious host from the network of computers;
  
  associate a first IP address and a first hardware fingerprint to the one or more assertions of the malicious host, wherein the first hardware fingerprint includes sampled attributes associated with one or more of stack ticks, time skew, and TCP Window size;
  
  store information associated with the first IP address, the first hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database;
  
  identify an unknown host coupled to a second web site server;
  
  determine a second IP address and a second hardware fingerprint associated with the unknown host; and
  
  determine if the unknown host is a malicious host.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8 wherein the first hardware fingerprint comprises a device fingerprint.
  - 10. The system of claim 8 wherein the sampled attributes further include remote determination of one or more of ISP, Local Storage Object, first Party Browser Cookie, third Party Browser Cookie, TCP IP Address, HTTP IP Address, HTTPS IP Address, RTSP IP Address, RTP IP Address, FTP IP Address, DNS Names Server IP Address, Maximum Transmission Unit, Connection Type, Connection Speed, Bogon Hijack Address, Static/Dynamic Address, Proxy IP Address, TCP Sequence Number, Browser string, Screen Resolution, Screen DPI, PC Start Time, HTTP Header information, Local Time, Clock-Offset, Clock-Drift, PC Time Zone, Browser Plugins, Enabled and Disabled Browser functions, Browser Document Object Model, Operating System, and Listening, Open and Closed Sockets or other available or derivable information.
  - 11. The system of claim 8 wherein at least one of the malicious host or the unknown host is protected by a proxy.
  - 12. The system of claim 8 wherein at least one of the malicious host or the unknown host is protected by an intermediary network device for the purposes of disguising its IP Address.
  - 13. The system of claim 8 wherein the first hardware fingerprint is formed by a fingerprinting device associated with the first website server and the second website server.
  - 14. The system of claim 8 wherein the first hardware fingerprint is formed by a fingerprinting device that resides on a data path between the unknown host and the first website server or the second website server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatmetrix Incorporated (RELX PLC)
Original Assignee
Threatmetrix Incorporated (RELX PLC)
Inventors
Jones, David G., Thomas, Scott, Faulkner, Alisdair
Primary Examiner(s)
WASEL, MOHAMED A

Application Number

US14/455,874
Publication Number

US 20150074809A1
Time in Patent Office

767 Days
Field of Search

709223-225
US Class Current

1/1
CPC Class Codes

H04L 2463/121   Timestamp

H04L 2463/144   Detection or countermeasure...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Method for tracking machines on a network using multivariable fingerprinting of passively available information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for tracking machines on a network using multivariable fingerprinting of passively available information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links