Patent Grant
9756133
1. Field of the Invention
The present invention relates generally to device recognition and, more particularly, methods of and systems for recognizing that multiple remote devices are likely under common control and operation.
2. Description of the Related Art
Device fingerprinting (also known as device recognition) is a technology which assigns a unique identifier based on a device's software and hardware settings. This identification technique is attractive because of its adaptability to any device—even where cookies have failed—including PCs, mobile devices, set top boxes, and game consoles.
Device fingerprinting is used to improve on-line advertisement targeting, reduce click fraud, personalize website experiences, and enable multi-channel attribution. While device fingerprinting can identify individual devices, there is currently no accurate way to determine that two or more devices are under common control and operation, e.g., of the same household.
Consider the computer network shown in
A problem arises, however, when attempting to remotely identify devices that belong to the same household, because IP addresses are not static. That is because the entity assigning IP addresses—whether the ISP or the LAN administrator—typically assigns them for a finite period, known as a lease time. Lease time periods typically vary, and may be granted on the order of hours, days, months, or longer, according to the preference of the administrator. Therefore the population of computing devices associated with a particular LAN may share a common WAN IP address on one day, but share another WAN IP address the following day.
To make matters worse, an ISP may rotate an available pool of WAN IP addresses among its many subscribers, such that computing devices in different households could be accessible through identical WAN IP addresses during different parts of the day. For example, from 8 AM to noon, IP address 77.264.195.10 may be assigned to the LAN 1 subscriber and associated with each of its computing devices, and later that same day from noon to 4 PM the same IP address may be assigned to the LAN 2 subscriber and associate with each of its computing devices.
The same problem of rotating IP addresses according to lease time expiration can also occur at the LAN level. As in the WAN case, the rules governing assignment of the LAN IP address are typically configurable by the administrator. Although this does not affect the determination whether a particular computing device exists within an identified household, it emphasizes that, due its transience, the LAN IP address is unsuitable for use as an identifier for purposes of reliably fingerprinting a device.
What is needed is a more reliable way to accurately determine whether two or more devices are under mutual control and operation.
In accordance with the present invention, a device identification server identifies a “household” to which a particular device belongs by associating the device with data (i) that is unique to the router through which the device connects to a wide area network such as the Internet and (ii) that is not readily discoverable by interaction with the router through the wide area network. Using data that is not readily discoverable by interaction with the router through the wide area network impedes spoofing of such data by malicious entities.
The primary function of a router is to manage a network boundary, distinguishing between network traffic intended for two or more networks connected to the router. In a typical installation, a router connects to a wide area network and a local area network. Accordingly, a router typically has a local area network interface and a wide area network interface. Details of the wide area network (WAN) interface are generally discoverable by interaction with the router through the wide area network. However, details of the local area network (LAN) interface are generally not so discoverable. A media access control (MAC) address of a given device is unique among all networked devices. The LAN MAC address of the router is usually unique among all LAN MAC addresses of all routers and is not readily discoverable by interaction with the router through the WAN. While a system administrator can manually change the LAN MAC address of a router such that uniqueness of the LAN MAC address is less certain, most leave the LAN MAC address unaltered. In addition, unlike WAN IP addresses, the LAN MAC address of the router is very stable and changes very rarely, if ever.
The device identification server gains access to the LAN MAC address of the router by cooperation of the device to be identified by the device identification server. In addition to generating and providing a digital fingerprint to the device identification server, the device queries and receives the LAN MAC address of the router through the local area network. The device passes the LAN MAC address of the router along with its digital fingerprint to the device identification server.
Devices that report the same LAN MAC address of the router through which they connect to the wide area network are determined to be from the same “household”, i.e., to be managed by one and the same entity.
Other systems, methods, features and advantages of the invention will be or will become apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims. Component parts shown in the drawings are not necessarily to scale, and may be exaggerated to better illustrate the important features of the invention. In the drawings, like reference numerals may designate like parts throughout the different views, wherein:
In accordance with the present invention, a device identification server 250 (
As used herein, “household” does not necessarily infer a residential locale. Instead, “household” refers to constituent devices of a private network connected to wide area network (WAN) 240 (which is the Internet in this illustrative embodiment). Local area network (LAN) 220 is an example of such a private network, being connected to WAN 240 through router 230. Many homes in which families have multiple devices accessing the Internet do so through a router and a LAN. Other establishments do so as well, such as businesses, libraries, government agencies, non-profit organizations, etc. In some cases, an unsecured router may, intentionally or unintentionally, be available for limited public access by transient computing devices that happen to come within wireless reception range of the router. According to the invention described herein, such transient devices are considered constituent devices of the LAN, and such a network is recognized herein as being a private network. All transient and non-transient computing devices accessing the LAN through a common router are members of the same household.
As shown in
A number of IP addresses are reserved for private use and are not permitted to be used in WAN 240, which is the Internet in this illustrative embodiment. Configuration of router 230 includes specifying addresses, e.g., private IP addresses, that are considered within LAN 220. Accordingly, router 230 can distinguish between addresses within LAN 220 and addresses that should be routed through WAN 240.
Each of interfaces 302, 312, 322 and 332 (
WAN IP address 316 is unique to router 230 at any given time; however, WAN IP address 316 can change over time, making use of WAN IP address 316 alone a determining identifier of router 230 and the household behind it (i.e., the household of LAN 120) difficult and transitory. With similar limitations, WAN IP address 336 is unique to router 232 at any given time.
LAN interface 302 includes a LAN MAC address 304 and a LAN IP address 306. LAN interface 322 includes a LAN MAC address 324 and a LAN IP address 326. LAN MAC addresses 304, 324 and LAN IP addresses 306, 326 have the advantage of not being discoverable through WAN 240. Accordingly, spoofing LAN MAC addresses and LAN IP addresses is particularly difficult. In addition, access to LAN MAC addresses and LAN IP addresses by device identifier server 250 is not straightforward.
LAN IP address 306 is unique to router 230 only within LAN 220. Similarly, LAN IP address 326 is unique to router 232 only within LAN 222. For example, the system administrator of router 232 can use the same private IP addresses for LAN 222 that the administrator of router 230 uses for LAN 220. Router 232 can even have exactly the same LAN IP address as router 230.
However, LAN MAC address 304 should be unique to router 230 throughout all MAC addresses of devices of WAN 240 and of other LANs such as LAN 222. Since LAN MAC address 304 is likely unique throughout all the Internet including LANs and is generally not publicly discoverable, device identification server 250 uses LAN MAC address 304, in combination with WAN IP address 316, to uniquely identify a household to which each of devices 202-206 belong.
Similarly, LAN MAC address 324 should be unique to router 232 throughout all MAC addresses of devices of WAN 240 and of other LANs such as LAN 220. Since LAN MAC address 324 is likely unique throughout all the Internet including LANs and is generally not publicly discoverable, device identification server 250 uses LAN MAC address 324, in combination with WAN IP address 336, to uniquely identify a household to which each of devices 208-212 belong.
Since LAN MAC addresses can be manually set, neither LAN MAC address 304, 324 is absolutely guaranteed to be unique among all LAN MAC addresses of all routers connected to WAN 240. However, while neither of the respective WAN IP addresses 316, 336 may remain constant, they each tend to be selected from a relatively small range of IP addresses. Accordingly, the combination of LAN MAC address 304 and WAN IP address 316, and the combination of LAN MAC address 324 and WAN IP address 336, each has a very high probability of uniquely identifying its associated router 230, 232 (respectively) among all routers connected to WAN 240. LAN MAC address 304 or 324 is highly likely to be unique since few system administrators change LAN MAC addresses of routers and can therefore be a useful identifier of the router itself.
For simplicity hereafter, the householding processes of the invention are described only with reference to router 230 and devices within LAN 220. The description applies analogously to any other router communicating through WAN 240.
The manner in which device identifier server 250 obtains a LAN MAC address 304 of router 230 is illustrated by the transaction flow diagram 400 (
Device identification logic 620 sends a request for a digital fingerprint to device 204 (
Device 204 includes digital fingerprint generation logic 520 (
Most devices have an Address Resolution Protocol (ARP) table that includes known LAN IP addresses and associated LAN MAC addresses of all devices connected to the local area network, e.g., LAN 220 in this illustrative example. In addition, each device implementing the Internet Protocol has an IP address designated as a gateway IP address. All communications to an IP address other than the known IP addresses of the ARP table are forward to this gateway IP address. The device at the gateway IP address is responsible for redirecting communications to the intended recipient. In essence, the device of the gateway IP address is a router, regardless of whether the device is a dedicated router device or a computer configured to act as a router. Accordingly, each device connected to LAN 220 has LAN IP address 306 (
Thus, device 204 receives LAN MAC address 304 during network configuration and stores LAN MAC address 304 in the networking logic inherent in the operating system of device 204. Alternatively, device 204 can query router 230 directly for its LAN MAC address 304 as needed.
In step 406 (
In step 408 (
In step 410 (
Device 204 is a computing device such as a smart-phone or personal computer and is shown in greater detail in
Device 204 includes one or more microprocessors 502 (collectively referred to as CPU 502) that retrieve data and/or instructions from memory 504 and execute retrieved instructions in a conventional manner. Memory 504 can include generally any computer-readable medium, for example, persistent memory such as magnetic and/or optical disks, ROM, and PROM and volatile memory such as RAM.
CPU 502 and memory 504 are connected to one another through a conventional interconnect 506, which is a bus in this illustrative embodiment and which connects CPU 502 and memory 504 to one or more input devices 508, output devices 510, and network access circuitry 512. Input devices 508 can include, for example, a keyboard, a keypad, a touch-sensitive screen, a mouse, a microphone, and one or more cameras. Output devices 510 can include, for example, a display—such as a liquid crystal display (LCD)—and one or more loudspeakers. Network access circuitry 512 sends and receives data through computer networks such as LAN 220 (
A number of components of device 204 are stored in memory 504. In particular, digital fingerprint generation logic 520 is all or part of one or more computer processes executing within CPU 502 from memory 504 in this illustrative embodiment but can also be implemented using digital logic circuitry. As used herein, “logic” refers to (i) logic implemented as computer instructions and/or data within one or more computer processes and/or (ii) logic implemented in electronic circuitry. Digital fingerprint 522 is data stored persistently in memory 504.
Device identification server 250 is a trusted server that can verify identity of a particular device and a household to which that particular device belongs and is shown in greater detail in
A number of components of device identification server 212 are stored in memory 604. In particular, device identification logic 620 is all or part of one or more computer processes executing within CPU 602 from memory 604 in this illustrative embodiment but can also be implemented using digital logic circuitry. Device identification data 624 is data stored persistently in memory 404. In this illustrative embodiment, device identification data 624 is organized as one or more databases.
Device identification data 624 includes a number of device identification data records such as device identification data record 700 (
It should be appreciated that, since devices 202-206 (
In this illustrative embodiment, digital fingerprint generation logic 520, in step 408, sends an irreversible, cryptographic hash of LAN MAC address 304 to device identification server 250. In this way, device identification server 250 never has direct access to LAN MAC address 304 of router 230 but can still uniquely identify router 230 by the hash. Analogous digital fingerprint generation logic in others of devices 202-212 use the same hashing method to send irreversible, cryptographic hashes of LAN MAC addresses of routers 230-232. In alternative embodiments, devices 202-212 send LAN MAC addresses in clear text and device identification server 250 has direct access to LAN MAC addresses of routers. In either embodiment, it is preferred that secure communications links, e.g., HTTPS transfers, are used to transport LAN MAC addresses to avoid discovery by unauthorized devices of LAN MAC addresses of routers 230-232.
In yet another embodiment, digital fingerprint 702 and household identifier 704 are inextricably combined, e.g., in an irreversible hash, such that device identification server 250 cannot readily identify devices of the same household. However, in such an embodiment, device identification server 250 identifies device 204 (
Device identification server 250 can also store household identifier 704 (
The above description is illustrative only and is not limiting. The present invention is defined solely by the claims which follow and their full range of equivalents. It is intended that the following appended claims be interpreted as including all such alterations, modifications, permutations, and substitute equivalents as fall within the true spirit and scope of the present invention.
This patent application is a continuation of co-pending U.S. patent application Ser. No. 13/586,111 filed on Aug. 15, 2012, and the benefit of such earlier filing dates is hereby claimed by applicant under 35 U.S.C. §120.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4246638 | Thomas | Jan 1981 | A |
| 4458217 | Wong et al. | Jul 1984 | A |
| 4779224 | Moseley et al. | Oct 1988 | A |
| 4891503 | Jewell | Jan 1990 | A |
| 4956863 | Goss | Sep 1990 | A |
| 5210795 | Lipner et al. | May 1993 | A |
| 5235642 | Wobber et al. | Aug 1993 | A |
| 5239166 | Graves | Aug 1993 | A |
| 5241594 | Kung | Aug 1993 | A |
| 5548578 | Matsune | Aug 1996 | A |
| 5666415 | Kaufman | Sep 1997 | A |
| 5764887 | Kells et al. | Jun 1998 | A |
| 6041411 | Wyatt | Mar 2000 | A |
| 6161185 | Guthrie et al. | Dec 2000 | A |
| 6167517 | Gilchrist et al. | Dec 2000 | A |
| 6243468 | Pearce et al. | Jun 2001 | B1 |
| 6330608 | Stiles | Dec 2001 | B1 |
| 6418472 | Mi et al. | Jul 2002 | B1 |
| 6539479 | Wu | Mar 2003 | B1 |
| 6799272 | Urata | Sep 2004 | B1 |
| 6826690 | Hind et al. | Nov 2004 | B1 |
| 6981145 | Calvez et al. | Dec 2005 | B1 |
| 7082535 | Norman et al. | Jul 2006 | B1 |
| 7083090 | Zuili | Aug 2006 | B2 |
| 7100195 | Underwood | Aug 2006 | B1 |
| 7178025 | Scheidt et al. | Feb 2007 | B2 |
| 7181615 | Fehr et al. | Feb 2007 | B2 |
| 7233997 | Leveridge et al. | Jun 2007 | B1 |
| 7234062 | Daum et al. | Jun 2007 | B2 |
| 7272728 | Pierson et al. | Sep 2007 | B2 |
| 7305562 | Bianco et al. | Dec 2007 | B1 |
| 7310813 | Lin et al. | Dec 2007 | B2 |
| 7319987 | Hoffman et al. | Jan 2008 | B1 |
| 7418665 | Savage | Aug 2008 | B2 |
| 7590852 | Hatter et al. | Sep 2009 | B2 |
| 7620812 | Sikora et al. | Nov 2009 | B2 |
| 7819322 | Hammad et al. | Oct 2010 | B2 |
| 7836121 | Elgressy et al. | Nov 2010 | B2 |
| 8131913 | Pyeon | Mar 2012 | B2 |
| 8145897 | Brickell et al. | Mar 2012 | B2 |
| 8171287 | Villela | May 2012 | B2 |
| 8302152 | Hewinson | Oct 2012 | B1 |
| 8327448 | Eldar et al. | Dec 2012 | B2 |
| 8484705 | Hoppe et al. | Jul 2013 | B2 |
| 8667265 | Hamlet et al. | Mar 2014 | B1 |
| 8812854 | Shah et al. | Aug 2014 | B2 |
| 8874695 | Zhang et al. | Oct 2014 | B2 |
| 8949609 | Teranishi | Feb 2015 | B2 |
| 8954729 | Terry | Feb 2015 | B2 |
| 20020065097 | Brockenbrough et al. | May 2002 | A1 |
| 20020091937 | Ortiz | Jul 2002 | A1 |
| 20020116616 | Mi et al. | Aug 2002 | A1 |
| 20020178366 | Ofir | Nov 2002 | A1 |
| 20020181747 | Topping | Dec 2002 | A1 |
| 20030001721 | Daum et al. | Jan 2003 | A1 |
| 20030056107 | Cammack et al. | Mar 2003 | A1 |
| 20030074568 | Kinsella et al. | Apr 2003 | A1 |
| 20030097331 | Cohen | May 2003 | A1 |
| 20030120920 | Svensson | Jun 2003 | A1 |
| 20030156719 | Cronce | Aug 2003 | A1 |
| 20030182428 | Li et al. | Sep 2003 | A1 |
| 20040003228 | Fehr et al. | Jan 2004 | A1 |
| 20040010685 | Sakaguchi et al. | Jan 2004 | A1 |
| 20040026496 | Zuili | Feb 2004 | A1 |
| 20040049685 | Jaloveczki | Mar 2004 | A1 |
| 20040107360 | Herrmann et al. | Jun 2004 | A1 |
| 20040117321 | Sancho | Jun 2004 | A1 |
| 20040149820 | Zuili | Aug 2004 | A1 |
| 20040172531 | Little et al. | Sep 2004 | A1 |
| 20040172558 | Callahan et al. | Sep 2004 | A1 |
| 20040177255 | Hughes | Sep 2004 | A1 |
| 20040187018 | Owen et al. | Sep 2004 | A1 |
| 20050018687 | Cutler | Jan 2005 | A1 |
| 20050034115 | Carter et al. | Feb 2005 | A1 |
| 20050160138 | Ishidoshiro | Jul 2005 | A1 |
| 20050166263 | Nanopoulos et al. | Jul 2005 | A1 |
| 20050182732 | Miller et al. | Aug 2005 | A1 |
| 20050193198 | Livowsky | Sep 2005 | A1 |
| 20050268087 | Yasuda et al. | Dec 2005 | A1 |
| 20060005237 | Kobata et al. | Jan 2006 | A1 |
| 20060036766 | Baupin et al. | Feb 2006 | A1 |
| 20060080534 | Yeap et al. | Apr 2006 | A1 |
| 20060085310 | Mylet et al. | Apr 2006 | A1 |
| 20060090070 | Bade et al. | Apr 2006 | A1 |
| 20060115082 | Kevenaar et al. | Jun 2006 | A1 |
| 20060168580 | Harada et al. | Jul 2006 | A1 |
| 20060248600 | O'Neill | Nov 2006 | A1 |
| 20060265446 | Elgressy et al. | Nov 2006 | A1 |
| 20060280189 | McRae | Dec 2006 | A1 |
| 20070050850 | Katoh et al. | Mar 2007 | A1 |
| 20070061566 | Bailey et al. | Mar 2007 | A1 |
| 20070078785 | Bush et al. | Apr 2007 | A1 |
| 20070094715 | Brown et al. | Apr 2007 | A1 |
| 20070113090 | Villela | May 2007 | A1 |
| 20070124689 | Weksel | May 2007 | A1 |
| 20070126550 | Richardson | Jun 2007 | A1 |
| 20070143408 | Daigle | Jun 2007 | A1 |
| 20070143838 | Milligan et al. | Jun 2007 | A1 |
| 20070174633 | Draper et al. | Jul 2007 | A1 |
| 20070198850 | Martin et al. | Aug 2007 | A1 |
| 20070207780 | McLean | Sep 2007 | A1 |
| 20070209064 | Qin et al. | Sep 2007 | A1 |
| 20070214093 | Colella | Sep 2007 | A1 |
| 20070234409 | Eisen | Oct 2007 | A1 |
| 20070260883 | Giobbi et al. | Nov 2007 | A1 |
| 20080010673 | Makino et al. | Jan 2008 | A1 |
| 20080028455 | Hatter et al. | Jan 2008 | A1 |
| 20080052775 | Sandhu et al. | Feb 2008 | A1 |
| 20080104683 | Nagami et al. | May 2008 | A1 |
| 20080120195 | Shakkarwar | May 2008 | A1 |
| 20080120707 | Ramia | May 2008 | A1 |
| 20080152140 | Fascenda | Jun 2008 | A1 |
| 20080177997 | Morais et al. | Jul 2008 | A1 |
| 20080226142 | Pennella et al. | Sep 2008 | A1 |
| 20080242405 | Chen et al. | Oct 2008 | A1 |
| 20080261562 | Jwa et al. | Oct 2008 | A1 |
| 20080268815 | Jazra et al. | Oct 2008 | A1 |
| 20080276321 | Svancarek et al. | Nov 2008 | A1 |
| 20080289025 | Schneider | Nov 2008 | A1 |
| 20090019536 | Green et al. | Jan 2009 | A1 |
| 20090083833 | Ziola et al. | Mar 2009 | A1 |
| 20090113088 | Illowsky et al. | Apr 2009 | A1 |
| 20090132813 | Schibuk | May 2009 | A1 |
| 20090138643 | Charles et al. | May 2009 | A1 |
| 20090198618 | Chan et al. | Aug 2009 | A1 |
| 20090210932 | Balakrishnan et al. | Aug 2009 | A1 |
| 20090259747 | Sagefalk et al. | Oct 2009 | A1 |
| 20090271851 | Hoppe et al. | Oct 2009 | A1 |
| 20090300744 | Guo et al. | Dec 2009 | A1 |
| 20100082973 | Brickell et al. | Apr 2010 | A1 |
| 20100197293 | Shem-Tov | Aug 2010 | A1 |
| 20100306038 | Harris | Dec 2010 | A1 |
| 20110047373 | Karasawa et al. | Feb 2011 | A1 |
| 20110093943 | Nakagawa et al. | Apr 2011 | A1 |
| 20110244829 | Kase | Oct 2011 | A1 |
| 20110271109 | Schilling et al. | Nov 2011 | A1 |
| 20120030771 | Pierson et al. | Feb 2012 | A1 |
| 20130031619 | Waltermann et al. | Jan 2013 | A1 |
| 20130044760 | Harjanto | Feb 2013 | A1 |
| 20130183936 | Smtih et al. | Jul 2013 | A1 |
| 20130244614 | Santamaria et al. | Sep 2013 | A1 |
| 20140258441 | L'Heureux | Sep 2014 | A1 |
| Number | Date | Country |
|---|---|---|
| 1 739 879 | Jun 2005 | EP |
| 1 637 958 | Mar 2006 | EP |
| 2355322 | Apr 2001 | GB |
| WO 9209160 | May 1992 | WO |
| WO 00058895 | Oct 2000 | WO |
| WO 0190892 | Nov 2001 | WO |
| WO 03032126 | Apr 2003 | WO |
| WO 2004054196 | Jun 2004 | WO |
| WO 2005104686 | Nov 2005 | WO |
| WO 2008013504 | Jan 2008 | WO |
| WO 2008127431 | Oct 2008 | WO |
| Entry |
|---|
| “Canon User Manual—Nikon Coolpix S52/S52c,” Apr. 21, 2008, entire manual. |
| Iovation, “Using Reputation of Devices to Detect and Prevent Online Retail Fraud,” White Paper, Apr. 2007. |
| Iovation, “Controlling High Fraud Risk of International Transactions,” Iovation Reputation Services, White Paper, May 2007. |
| Jensen et al., “Assigning and Enforcing Security Policies on Handheld Devices,” 2002, 8 pages. |
| Johnson et al. “Dynamic Source Routing in Ad Hoc Wireless Networks,” Mobile Computing, Kluwer Academic Publishers, 1996. |
| Posting from Slashdot on the article “Smart Cards for Windows XP Login” Comment “Re: PIN” posted Dec. 3, 2001. http://en.wikipedia.org/w/index.php?title=Two-factor—authentication&ildid=216794321. |
| Wikipedia: “Software Extension,” May 28, 2009, Internet Article retrieved on Oct. 11, 2010. XP002604710. |
| H. Williams, et al., “Web Database Applications with PHP & MySQL”, Chapter 1, “Database Applications and the Web”, ISBN 0-596-00041-3, O'Reilly & Associates, Inc., Mar. 2002, avail. at: http://docstore.mik.ua/orelly/webprog/webdb/ch01—01.htm. XP002603488. |
| David J-L, “Cookieless Data Persistence in Possible,” Apr. 23, 2003, Internet Article retrieved on Sep. 21, 2010. XP002603490. |
| Number | Date | Country | |
|---|---|---|---|
| 20140181317 A1 | Jun 2014 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 13586111 | Aug 2012 | US |
| Child | 14176906 | US |
