Method and System for Processing a Stream of Information From a Computer Network Using Node Based Reputation Characteristics

Abstract
A method for processing information from a variety of submitters, e.g., forensic sources. The method includes receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N. In a specific embodiment, the one or more nodes are associated respectively with one or more IP addresses on a world wide network of computers. The method includes identifying a submitter reputation of the submitter from a knowledge base and associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter. The method also transfers the node reputation.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified diagram illustrating an overall system according to an embodiment of the present invention;

FIG. 2 is a more detailed diagram illustrating an overall system according to an embodiment of the present invention;

FIG. 3 is a more detailed diagram illustrating a knowledge base for storing node reputations according to an embodiment of the present invention;

FIG. 4 is a simplified diagram of a computing system for the knowledge base of FIG. 3 according to an embodiment of the present invention;

FIG. 5 is a block diagram of a computing system for the knowledge base of FIG. 3 according to an embodiment of the present invention;

FIG. 6 is a more detailed diagram of system modules of the knowledge base according to an embodiment of the present invention;

FIG. 7 is a simplified diagram of a data structure for a knowledge base according to an embodiment of the present invention; and

FIGS. 8 through 14 are simplified diagrams illustrating systems and methods according to embodiments of the present invention.

Claims
  • 1. A method for processing information from a variety of submitters, the method comprising: receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers; identifying a submitter reputation of the submitter from a knowledge base; associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter; and transferring the node reputation.
  • 2. The method of claim 1 wherein the submitter is selected from a firewall log, a client, a spam trap, another spam or virus filter server, or other source.
  • 3. The method of claim 1 further comprising assigning a policy to the node based upon at least the node reputation.
  • 4. The method of claim 1 further comprising storing the submitter reputation in the knowledge base as legal evidence.
  • 5. The method of claim 1 further comprising receiving information about one or more nodes from another submitter.
  • 6. A system for processing information from a variety of submitters, the system comprising one or more computer readable memories, the one or more computer readable memories including: one or more codes directed to receiving information about one or more nodes from a submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers; one or more codes directed to identifying a submitter reputation of the submitter from a knowledge base; one or more codes directed to associating a node reputation of the node based upon at least the reputation of the submitter and submitted information from the submitter; and one or more codes directed to transferring the node reputation.
  • 7. A method for processing a stream of information to determine a security level, the method comprising: providing a knowledge base, the knowledge base having information about a plurality of nodes, each of the nodes numbered from 1 through N, each of the nodes being assigned a reputation characteristic numbered respectively from 1 through N, each of the reputation characteristics comprising one or more of a plurality of properties; identifying a selected node from the plurality of nodes, the selected node being coupled to a network of computers; requesting reputation information associated with the selected node through the network of computers; deriving at least one of the reputation characteristics numbered from 1 through N of the selected node from the knowledge base; transferring the reputation characteristic through the network of computers; and processing information from a stream of data associated with the selected node within the plurality of nodes using a selection of at least one of a plurality of processes, the selected process being associated with the reputation characteristic of the selected node.
  • 8. The method of claim 7 wherein the one or more properties comprises one or more evidence elements.
  • 9. The method of claim 7 wherein the one or more properties comprises one or more assertions.
  • 10. The method of claim 7 wherein the one or more plurality of properties is selected from a country of origin, an attribute, a use characteristic or an action.
  • 11. The method of claim 7 wherein the one or more plurality of properties is selected from an ISP name, host operating system, host behavior when contacting another host, host association with another malicious host, volume of traffic from a host or a result of a scan of a host.
  • 12. The method of claim 7 wherein the one of the plurality of processes is selected from do nothing, drop connect, redirect information, delay information or tar pit information.
  • 13. The method of claim 7 wherein the processing is provided by a firewall process, an intrusion detection process or a filtering process.
  • 14. The method of claim 7 wherein the knowledge base comprises a data base.
  • 15. The method of claim 7 wherein the knowledge base is coupled to the network of computers.
  • 16. A system for characterizing reputations of one or more nodes in a computer network environment, the system comprising a knowledge base, the knowledge base having information about a plurality of nodes, each of the nodes numbered from 1 through N, each of the nodes being assigned a reputation characteristic numbered respectively from 1 through N, each of the reputation characteristics comprising one or more of a plurality of properties, one or more of the properties being associated with a submitter, the submitter having a submitter reputation characteristic.
  • 17. The system of claim 16 wherein the submitter reputation characteristic is a history of the submitter.
  • 18. The system of claim 16 wherein the submitter reputation characteristic is a history of the submitter, the history comprising a score, the history comprising a plurality of submitter components.
  • 19. The system of claim 18 wherein one of the submitter components is a correlation between the submitter and one or more other submitters.
  • 20. The system of claim 18 wherein one of the submitter components is a frequency of activity of the submitter.
  • 21. The system of claim 18 wherein one of the submitter components is a volume of activity of the submitter.
  • 22. The system of claim 18 wherein one of the submitter components is a type of different information being provided by the submitter.
  • 23. The system of claim 16 wherein N is four billion.
  • 24. The system of claim 16 wherein N is 1 percent or less of a total number of active nodes.
  • 25. A method for creating a real time knowledge base of a plurality of nodes from a variety of submitters, the method comprising: receiving first information about one or more nodes from a first submitter from a plurality of submitters numbered from 1 through N, the one or more nodes being associated respectively with one or more IP addresses on a world wide network of computers; identifying a submitter reputation of the first submitter from a knowledge base, the submitter being one of the plurality of submitters numbered from 1 through N; associating a node reputation of the node based upon at least the reputation of the first submitter and first submitted information from the first submitter; storing the first submitted information in a first portion of the knowledge base; and repeating the receiving, identifying, associating, and storing for second information from a second submitter.
  • 26. The method of claim 25 wherein the repeating occurs automatically to update the knowledge base.
  • 27. The method of claim 25 further comprising repeating the receiving, identifying, associating, and storing for other submitters.
  • 28. The method of claim 25 further comprising receiving a request for submitter reputation information and transferring the submitter reputation information through the world wide network of computers.
  • 29. The method of claim 25 wherein the receiving comprises a push process or a pull process.
  • 30. The method of claim 25 wherein N is four billion.
  • 31. The method of claim 30 wherein N is 1 percent or less of a total number of active nodes.
  • 32. The method of claim 25 wherein the node reputation comprises at least a score, the score being a measure of historic behavior.
  • 33. The method of claim 25 wherein the knowledge base comprises at least 30 Gigabytes of disk space.
  • 34. The method of claim 25 wherein the knowledge base comprises a database.
  • 35. The method of claim 25 further comprising determining one or more zones numbered from 1 through M, each of the zones representing one or more of the nodes, each of the zones being associated with a unique set of reputations.
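The following Python sketch is an added illustration of the reputation scheme set out in the abstract and in claims 1, 3, 7, 12, 19 and 25; it is not code from the patent or its assignee. The submitter trust values, the severity assigned to each assertion type, the noisy-OR combination rule, the policy thresholds, the default trust for an unknown submitter and all sample submissions are assumptions chosen for the example; the IP addresses are from documentation ranges. Two practitioner caveats are built in: submitters are untrusted input, so node identifiers are validated as IP addresses before they reach the knowledge base, and evidence is stored as a set, so a single low-trust submitter cannot push a node into the "drop" band by repeating the same report.

```python
"""Node reputation derived from submitter reputation (illustrative model, not the patent's code).

Assumed for this example: submitter trust values, assertion severities, the noisy-OR
combination rule, the policy thresholds, the unknown-submitter default and all sample data.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress

# Contribution of each assertion type to "this node is bad" (assumed values).
SEVERITY = {"spam": 0.6, "scan": 0.5, "malware": 0.9, "clean": 0.0}


class Action(Enum):
    """Processes of claim 12, selected by node reputation (thresholds assumed)."""
    DO_NOTHING = "do_nothing"
    DELAY = "delay"
    TARPIT = "tarpit"
    DROP = "drop"


@dataclass(frozen=True)
class Submission:
    submitter: str
    node: str       # normalized IP address text
    assertion: str  # key into SEVERITY


def _normalize(node):
    """Return canonical IP text, or None if the value is not an IP address."""
    try:
        return str(ipaddress.ip_address(node))
    except ValueError:
        return None


class KnowledgeBase:
    """Evidence per node plus a trust score per submitter (claims 16-22)."""

    UNKNOWN_SUBMITTER_TRUST = 0.1  # assumed default for a submitter with no history

    def __init__(self, submitter_trust):
        self.submitter_trust = dict(submitter_trust)  # submitter -> trust in [0, 1]
        self.evidence = {}                            # node -> set of Submission

    def submit(self, submitter, node, assertion):
        """Receive information about a node (claims 1, 25). Returns False if rejected.
        Submitters are untrusted: the node must parse as an IP and the assertion type
        must be known. A set keeps one submitter from stacking repeated reports."""
        node = _normalize(node)
        if node is None or assertion not in SEVERITY:
            return False
        self.evidence.setdefault(node, set()).add(Submission(submitter, node, assertion))
        return True

    def submitter_reputation(self, submitter):
        return self.submitter_trust.get(submitter, self.UNKNOWN_SUBMITTER_TRUST)

    def node_reputation(self, node):
        """Score in [0, 1]: each piece of evidence is weighted by its submitter's trust
        and combined with noisy-OR, so independent corroboration from several sources
        raises the score faster than many reports from one weak source."""
        node = _normalize(node)
        p_good = 1.0
        for s in self.evidence.get(node, ()):
            p_good *= 1.0 - SEVERITY[s.assertion] * self.submitter_reputation(s.submitter)
        return 1.0 - p_good

    def policy(self, node):
        """Select the process applied to the node's traffic (claims 3, 7, 12)."""
        score = self.node_reputation(node)
        if score >= 0.9:
            return Action.DROP
        if score >= 0.6:
            return Action.TARPIT
        if score >= 0.3:
            return Action.DELAY
        return Action.DO_NOTHING

    def corroboration(self, submitter):
        """Submitter history component of claim 19: fraction of the nodes this
        submitter reported that at least one other submitter also reported."""
        reported = {s.node for subs in self.evidence.values() for s in subs
                    if s.submitter == submitter}
        if not reported:
            return 0.0
        backed = sum(1 for n in reported
                     if any(s.submitter != submitter for s in self.evidence[n]))
        return backed / len(reported)


def process_stream(kb, source_ips):
    """Claim 7: for each node seen in a stream, choose the process by its reputation."""
    return {ip: kb.policy(ip) for ip in source_ips}


def build_sample_kb():
    """Constructed sample: three submitter types from claim 2 with assumed trust."""
    kb = KnowledgeBase({"spam_trap": 0.9, "firewall_log": 0.6, "client": 0.3})
    for who, ip, what in [
        ("spam_trap", "203.0.113.7", "spam"),
        ("firewall_log", "203.0.113.7", "scan"),
        ("client", "198.51.100.5", "malware"),
        ("spam_trap", "192.0.2.44", "malware"),
        ("firewall_log", "192.0.2.44", "malware"),
        ("client", "192.0.2.44", "malware"),
        ("client", "not-an-ip", "malware"),  # rejected by validation
    ]:
        kb.submit(who, ip, what)
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    for ip, act in process_stream(kb, ["203.0.113.7", "198.51.100.5", "192.0.2.44"]).items():
        print(f"{ip:15} score={kb.node_reputation(ip):.3f} -> {act.value}")
```

With the sample data, the node reported by the spam trap and the firewall log lands in the tar-pit band, the node reported only by a low-trust client stays at "do nothing" however often that client repeats itself, and the node reported by all three is dropped; the corroboration ratio per submitter is the kind of component claim 19 folds into the submitter's own history.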
Provisional Applications (1)

Number    Date      Country
60780585  Mar 2006  US