| Patent application number | Description | Published |
|---|
| 20090249480 | MINING USER BEHAVIOR DATA FOR IP ADDRESS SPACE INTELLIGENCE - The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol (“IP”) space intelligence. Specifically, the claimed subject matter provides a method and system of mining user behavior within an IP address space and the application of the IP address space intelligence derived from the mined user behavior. | 10-01-2009 |
| 20090265786 | AUTOMATIC BOTNET SPAM SIGNATURE GENERATION - A framework may be used for generating URL signatures to identify botnet spam and membership. The framework may take a set of unlabeled emails as input that are grouped based on URLs contained within the emails. The framework may return a set of spam URL signatures and a list of corresponding botnet host IP addresses by analyzing the URLs within the emails that are contained within the groups. Each URL signature may be in the form of either a complete URL string or a URL regular expression. The signatures may be used to identify spam emails launched from botnets, while the knowledge of botnet host identities can help filter other spam emails also sent by them. | 10-22-2009 |
| 20100057647 | ACCOMMODATING LEARNED CLAUSES IN RECONFIGURABLE HARDWARE ACCELERATOR FOR BOOLEAN SATISFIABILITY SOLVER - A hardware accelerator is provided for Boolean constraint propagation (BCP) using field-programmable gate arrays (FPGAs) for use in solving the Boolean satisfiability problem (SAT). An inference engine may perform implications. Learned clauses may be generated during conflict analysis. Operations pertaining to learned clauses may include clause insertion and clause deletion (e.g., by invalidation) from a learned clause inference engine, and “garbage collection” in which unused or invalidated clauses may be removed from an inference engine. | 03-04-2010 |
| 20100095374 | GRAPH BASED BOT-USER DETECTION - Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components. | 04-15-2010 |
| 20100312877 | HOST ACCOUNTABILITY USING UNRELIABLE IDENTIFIERS - An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e.g., network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. To generate a host tracking graph, a host is represented. Host representations may be application-dependent. In an implementation, application-level identifiers (IDs) such as user email IDs, messenger login IDs, social network IDs, or cookies may be used. Each identifier may be associated with a human user. These unreliable IDs can be used to track the activity of the corresponding hosts. | 12-09-2010 |
| 20110208714 | LARGE SCALE SEARCH BOT DETECTION - A framework may be used for identifying low-rate search bot traffic within query logs by capturing groups of distributed, coordinated search bots. Search log data may be input to a history-based anomaly detection engine to determine if query-click pairs associated with a query are suspicious in view of historical query-click pairs for the query. Users associated with suspicious query-click pairs may be input to a matrix-based bot detection engine to determine correlations between queries submitted by the users. Those users indicating strong correlations may be categorized as bots, whereas those who do not may be categorized as part of flash crowd traffic. | 08-25-2011 |
| 20110283360 | IDENTIFYING MALICIOUS QUERIES - A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks. | 11-17-2011 |
