Method and system for tracking machines on a network using fuzzy GUID technology
First Claim
1. A method of tracking machines on a network of computers, the method comprising:
- identifying a malicious host coupled to the network of computers;
- determining a first IP address and one or more first attributes associated with the malicious host during a first time period, wherein the one or more first attributes includes first behavior information associated with the malicious host during the first time period;
- classifying the malicious host to be in a determined state;
- determining that the malicious host is in a latent state during a second time period;
- identifying an unknown host during the second time period when the malicious host is in the latent state, the unknown host being associated with a second IP address and one or more second attributes, wherein the one or more second attributes includes second behavior information associated with the unknown host during the second time period;
- processing the second IP address and the one or more second attributes of the unknown host with the first IP address and the one or more first attributes of the malicious host; and
- determining if the unknown host is the malicious host based on results of the processing of the second IP address and the one or more second attributes of the unknown host with the first IP address and the one or more first attributes of the malicious host.
Abstract
A method for querying a knowledge base of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., the Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network, identifying the unknown host, and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.
20 Claims
5. A method for querying a knowledge base of malicious hosts numbered from 1 through N, the method comprising:
- providing a network of computers, the network of computers including a plurality of unknown malicious host machines, the malicious host machines being disposed throughout the network of computers, the network of computers including a worldwide network of computers;
- querying a knowledge base including a plurality of known malicious hosts, the plurality of known malicious hosts being numbered from 1 through N, where N is an integer greater than 1, the knowledge base being coupled to the network of computers;
- receiving first information associated with an unknown host from the network, wherein the first information includes behavior information associated with the unknown host;
- identifying the unknown host based on the first information;
- querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base using the first information including the behavior information associated with the unknown host; and
- outputting second information associated with the unknown host based upon the querying process.
12. A computer-based method for populating a database to form a knowledge base of malicious host entities, the method comprising:
- determining a plurality of identity attributes;
- assigning a quality measure to each of the plurality of identity attributes;
- collecting one or more evidences from the unknown host, wherein the one or more evidences includes behavior information associated with the unknown host;
- determining an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host based on the one or more evidences, wherein the attribute fuzzy GUID for each of the plurality of identity attributes includes a first attribute fuzzy GUID determined based on the behavior information;
- processing the attribute fuzzy GUID for each of the plurality of attributes to determine a host fuzzy GUID for the unknown host; and
- storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
15. A computer-based system for populating a database to form a knowledge base of malicious host entities, the system comprising a machine-readable memory or memories, the memory or memories comprising:
- one or more codes directed to determining a plurality of identity attributes;
- one or more codes directed to assigning a quality measure to each of the plurality of identity attributes;
- one or more codes directed to collecting one or more evidences from the unknown host, wherein the one or more evidences includes behavior information associated with the unknown host;
- one or more codes directed to determining an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host based on the one or more evidences, wherein the attribute fuzzy GUID for each of the plurality of identity attributes includes a first attribute fuzzy GUID determined based on the behavior information;
- one or more codes directed to processing the attribute fuzzy GUID for each of the plurality of attributes to determine a host fuzzy GUID for the unknown host; and
- one or more codes directed to storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
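As an added illustration (not code from the patent or its assignee), the following Python sketches the procedure of claims 1, 5, 12 and 15 together: identity attributes with quality measures, per-attribute fuzzy GUIDs derived from collected evidence including behavior information, a host fuzzy GUID stored in a knowledge base, and a query that decides whether an unknown host seen while a known malicious host is latent is that same host. The attribute names, weights, token-set representation, similarity threshold and all evidence values are my assumptions, not the patent's.

```python
QUALITY = {"ip": 0.2, "user_agent": 0.3, "behavior": 0.5}  # constructed quality measures

def attribute_fuzzy_guid(name, evidence):
    """Attribute fuzzy GUID as a token set, so two observations can agree partially."""
    if name == "ip":                       # exact address plus its /24 prefix
        prefix = ".".join(evidence.split(".")[:3]) + ".0/24"
        return frozenset({evidence, prefix})
    if name == "behavior":                 # behavior information: observed event tokens
        return frozenset(evidence)
    return frozenset({str(evidence).lower()})

def host_fuzzy_guid(evidences):
    """Combine the per-attribute fuzzy GUIDs into the host fuzzy GUID."""
    return {a: attribute_fuzzy_guid(a, v) for a, v in evidences.items() if a in QUALITY}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def similarity(g1, g2):
    """Quality-weighted similarity over attributes both hosts have evidence for."""
    score = total = 0.0
    for attr, q in QUALITY.items():
        if attr in g1 and attr in g2:
            score += q * jaccard(g1[attr], g2[attr])
            total += q
    return score / total if total else 0.0

class KnowledgeBase:
    def __init__(self, threshold=0.6):     # threshold is an assumed tuning value
        self.hosts = {}                    # host id -> [host fuzzy GUID, state]
        self.threshold = threshold
    def add(self, host_id, evidences, state="determined"):
        self.hosts[host_id] = [host_fuzzy_guid(evidences), state]
    def set_state(self, host_id, state):   # e.g. mark a known host "latent"
        self.hosts[host_id][1] = state
    def query(self, evidences):
        """Best (score, host_id, state); host_id is None below the threshold."""
        g = host_fuzzy_guid(evidences)
        best = (0.0, None, None)
        for host_id, (known, state) in self.hosts.items():
            s = similarity(g, known)
            if s > best[0]:
                best = (s, host_id, state)
        return best if best[0] >= self.threshold else (best[0], None, None)

# Constructed scenario: malicious host observed in period 1, then latent in period 2.
KB = KnowledgeBase()
KB.add("mal-1", {"ip": "10.0.0.5", "user_agent": "curl/7.1",
                 "behavior": ["scan:22", "scan:445", "beacon:60s", "http:/login"]})
KB.set_state("mal-1", "latent")
```

An unknown host that reappears in period 2 from a different address in the same /24 with most of the same behavior still scores above the threshold, while an unrelated host scores zero.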