Method For Tracking Machines On A Network Using Multivariable Fingerprinting Of Passively Available Information
Abstract
A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for remote tracking of machines on a network of computers, the method comprising:
determining one or more assertions to be monitored by a first web site, the first web site being coupled to a network of computers; monitoring traffic flowing to the web site through the network of computers; identifying the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers; associating a first IP address and first hardware fingerprint to the one or more assertions of the malicious host; storing information associated with the IP address, hardware fingerprint, and the one or more assertions of the malicious host in one or more memories of a database; identifying an unknown host from a second web site; determining a second IP address and second hardware fingerprint with the unknown host; and determining if the unknown host is a malicious host.
1 . The method of claim 1 wherein the hardware fingerprint comprises device fingerprint.
2 . The method of claim 1 wherein the hardware fingerprint includes sampled attributes associated with one or more of ‘stack ticks’, ‘time-skew’, and TCP Window size.
3 . The method of claim 1 wherein the sampled attributes further include remote determination of one or more of ISP, Local Storage Object, first Party Browser Cookie, third Party Browser Cookie, TCP IP Address, HTTP IP Address, HTTPS IP Address, RTSP IP Address, RTP IP Address, FTP IP Address, DNS Names Server IP Address, Maximum Transmission Unit, Connection Type, Connection Speed, Bogon Hijack Address, Static/Dynamic Address, Proxy IP Address, TCP Sequence Number, Browser string, Screen Resolution, Screen DPI, PC Start Time, HTTP Header information, Local Time, Clock-Offset, Clock-Drift, PC Time Zone, Browser Plugins, Enabled and Disabled Browser functions, Browser Document Object Model, Operating System, and Listening, Open and Closed Sockets or other available or derivable information.
4 . The method of claim 1 wherein the connecting host is protected by a 12 proxy.
5 . The method of claim 1 wherein the connecting host is protected by an intermediary network device for the purposes of disguising its IP Address.
6 . The method of claim 1 wherein the hardware fingerprint is formed by a fingerprinting device associated with a protected host.
7 . The method of claim 1 wherein the hardware fingerprint is formed by a fingerprinting device that resides on a data path between the unknown host and a protected 3 host.
8 . A method for fingerprinting a connecting host machine on a network, the method comprising:
forcing the connecting host into a TCP connection, wherein timestamps are transmitted with each packet associated with the connection; assigning a session handle to the connection, some or all of subsequent connections that are associated with the session handle being able to exchange data with one another; extending a longevity of the connection, the longevity allowing extended sampling of the host for the purposes of fingerprinting; sampling attributes associated with the connection; queuing the sampled attributes, IP address, and session handle to a correlator process, the correlator process including one or more algorithms for processing the sampled attributes; processing the sampled attributes, IP address, and session handle; and forming a fingerprint for the connecting host.
9 . The method of claim 9 wherein the sampled attributes are associated with one or more of ‘stack ticks’, ‘time-skew’, TCP Window size, and IP address.
10 . The method of claim 9 wherein the sampled attributes further include remote determination of one or more of ISP, Local Storage Object, first Party Browser Cookie, third Party Browser Cookie, TCP IP Address, HTTP IP Address, HTTPS IP Address, RTSP IP Address, RTP IP Address, FTP IP Address, DNS name server, Maximum Transmission Unit, Connection Type, Connection Speed, Bogon Hijack Address, Static/Dynamic Address, Proxy Address, TCP Sequence Number, Browser string, Screen Resolution, Screen DPI, PC Start Time, HTTP Header information, Local Time, Clock-Offset, TCP-Time Stamp, TCP stack-tick, Clock-Drift, Time Zone, Browser Plugins, Enabled and Disabled Browser functions, Browser Document Object Model, Operating System, and Listening, Open and Closed Sockets or other available or derivable information.
11 . The method of claim 9 wherein the extending of the longevity of the connection includes a tar-pitting process.
12 . The method of claim 12 wherein the extending of the longevity of the connection includes:
delivering requested payload data in a delayed or retarded manner; and
requesting repeated transmission of data and/or requests by simulating TCP data loss.
13 . The method of claim 12 further comprising selecting a second plurality of identity attributes characterized by quality measures higher than a predetermined value.
14 . A computer based system for populating a database to form a knowledge base of malicious host entities, the system comprising a machine readable memory or memories, the memory or memories comprising:
one or more codes directed to determining a plurality of identity attributes; one or more codes directed to assigning a quality measure to each of the plurality the identity attributes; one or more codes directed to collecting one or more evidences from the unknown host; one or more codes directed to determining an attribute fuzzy GUID for each of the plurality of identity attributes for the unknown host, the attribute fuzzy GUID being associated with the evidences; one or more codes directed to processing the attribute fuzzy GUID for each of the plurality of attributes to determine a host fuzzy GUID for the unknown host; and one or more codes directed to storing the host fuzzy GUID for the unknown host in one or more memories of a database to form a knowledge base.
15 . The system of claim 15 wherein the unknown host is one of a plurality of computing devices in a world wide network of computers.
16 . The system of claim 15 wherein the one or more codes directed to storing is an executable code.
17 . The system of claim 15 wherein the knowledge base comprises a plurality of malicious host information.
18 . The system of claim 15 wherein the host fuzzy GUID comprises an identifier.
19 . The system of claim 19 wherein the identifier is an IP address.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.