Method for tracking machines on a network using multivariable fingerprinting of passively available information
First Claim

1. A method for remote tracking of machines on a network of computers, the method comprising:
- determining one or more assertions to be monitored for a first web site server, the first web site server being coupled to the network of computers;
- monitoring traffic flowing to the first web site server through the network of computers;
- identifying the one or more assertions from the traffic to determine a malicious host from the network of computers;
- associating a first IP address and a first hardware fingerprint to the one or more assertions of the malicious host, wherein the first hardware fingerprint includes sampled attributes associated with one or more of stack ticks, time skew, and TCP Window size;
- storing information associated with the first IP address, the first hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database;
- identifying an unknown host coupled to a second web site server;
- determining a second IP address and a second hardware fingerprint associated with the unknown host; and
- determining if the unknown host is a malicious host.
Abstract
A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to the network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from that traffic to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and a first hardware fingerprint with the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and a second hardware fingerprint for the unknown host, and determining if the unknown host is the malicious host.
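The abstract describes the two halves of the method: build a record from passively sampled attributes of a host that tripped a monitored assertion, then test an unknown host against stored records by IP and by fingerprint. The following is an added illustration, not code from the patent: it assumes the "ticks" attribute means the TCP timestamp tick rate, estimates skew by least squares over constructed (observer time, TCP timestamp) samples, and uses a constructed skew tolerance of 5 ppm.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Fingerprint:
    tcp_window: int   # advertised TCP window size sampled from the host's SYN
    tick_hz: float    # nominal TCP timestamp tick rate (100, 250 or 1000 Hz)
    skew_ppm: float   # sender clock drift relative to the observer, in ppm

def estimate_fingerprint(window: int, samples: List[Tuple[float, int]]) -> Fingerprint:
    """samples: (observer_seconds, tcp_timestamp_ticks) pairs from one host.
    The least-squares slope of ticks over seconds is the observed tick rate;
    its deviation from the nearest nominal rate is the host's clock skew."""
    t0, s0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [s - s0 for _, s in samples]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    nominal = min((100.0, 250.0, 1000.0), key=lambda r: abs(r - slope))
    return Fingerprint(window, nominal, (slope - nominal) / nominal * 1e6)

@dataclass
class HostRecord:
    ip: str
    fp: Fingerprint
    assertions: Tuple[str, ...]   # monitored assertions this host tripped

class TrackingDB:
    """Stores malicious-host records and matches unknown hosts against them."""
    def __init__(self, skew_tol_ppm: float = 5.0):   # tolerance is an assumed value
        self.records: List[HostRecord] = []
        self.skew_tol = skew_tol_ppm

    def record_malicious(self, ip: str, fp: Fingerprint, assertions: Tuple[str, ...]) -> None:
        self.records.append(HostRecord(ip, fp, assertions))

    def match(self, ip: str, fp: Fingerprint) -> Optional[HostRecord]:
        # Same IP is the cheap check; the multivariable fingerprint catches the
        # same machine reappearing under a new IP (DHCP lease, NAT, proxy hop).
        for r in self.records:
            same_hw = (r.fp.tcp_window == fp.tcp_window and r.fp.tick_hz == fp.tick_hz
                       and abs(r.fp.skew_ppm - fp.skew_ppm) <= self.skew_tol)
            if r.ip == ip or same_hw:
                return r
        return None

def synth_samples(rate_hz: float, skew_ppm: float, times: List[float]) -> List[Tuple[float, int]]:
    """Constructed observations: TCP timestamps of a host whose clock runs at
    rate_hz * (1 + skew_ppm / 1e6), as seen by an observer with an ideal clock."""
    return [(t, 1000 + round(rate_hz * (1 + skew_ppm / 1e6) * t)) for t in times]

TIMES = [0.0, 600.0, 1200.0, 1800.0, 2400.0, 3000.0, 3600.0]   # one hour of samples
```

A longer observation window tightens the skew estimate, so the tolerance should be set from the spread actually seen for a known host rather than fixed.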
14 Claims
1. Independent method claim (text as given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for remote tracking of machines on a network of computers, comprising one or more processors configured to:
- determine one or more assertions to be monitored for a first web site server, the first web site server being coupled to the network of computers;
- monitor traffic flowing to the first web site through the network of computers;
- identify the one or more assertions from the traffic to determine a malicious host from the network of computers;
- associate a first IP address and a first hardware fingerprint to the one or more assertions of the malicious host, wherein the first hardware fingerprint includes sampled attributes associated with one or more of stack ticks, time skew, and TCP Window size;
- store information associated with the first IP address, the first hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database;
- identify an unknown host coupled to a second web site server;
- determine a second IP address and a second hardware fingerprint associated with the unknown host; and
- determine if the unknown host is a malicious host.
Dependent claims: 9, 10, 11, 12, 13, 14.