|HAO WALA NAMAN MALIUS009807092B1 MALTA TAI MULT UIT DI ATTI (12 ) United States Patent (10 ) Patent No. : US 9 ,807 ,092 B1 Gutzmann (45 ) Date of Patent: * Oct . 31, 2017 ( 54 ) SYSTEMS AND METHODS FOR 6 ,789 ,203 B1 9 /2004 Belissent 6 , 944, 663 B2 9 /2005 Schuba et al. CLASSIFICATION OF INTERNET DEVICES 7 ,600 , 255 B1 . 10 / 2009 Baugher AS HOSTILE OR BENIGN 7 , 853 , 533 B2 12 / 2010 Eisen 8 , 112 ,483 B12 / 2012 Emigh et al . (71 ) Applicant : DCS7, LLC, Nashville , TN (US ) 8 , 151 , 327 B2 4 / 2012 Eisen 8 , 321 ,955 B2 11/ 2012 Feng et al. 2002/ 0143914 A1 10 / 2002 Cihula (72 ) Inventor : Kurt Gutzmann, Leesburg , VA (US ) 2002 /0163926 A1 11/ 2002 Moharram (73 ) Assignee : DCS7, LLC , Nashville , TN (US ) (Continued ) ( * ) Notice : Subject to any disclaimer , the term of this OTHER PUBLICATIONS patent is extended or adjusted under 35 U . S . C . 154 ( b ) by 0 days . Buscher, “ Tracking DDOS Attacks: Insights into the business of disrupting the Web ” , NATO Cyber Defense Center of Excellence This patent is subject to a terminal dis CYCON dated Jun . 2012 . claimer . ( Continued ) (21 ) Appl . No .: 15 / 157, 356 Primary Examiner — John B King ( 22) Filed : May 17 , 2016 Assistant Examiner — Arya Golriz ( 74 ) Attorney , Agent , or Firm — Bass , Berry & Sims Related U . S . Application Data PLC (63 ) Continuation -in -part of application No . 14 / 323 , 826 , filed on Jul. 3 , 2014 . (57 ) ABSTRACT (60 ) Provisional application No . 61 / 957 ,497 , filed on Jul. A dynamic access pricing and active countermeasure system 5 , 2013 . and method for detecting and protecting against automated (51 ) Int. Cl. Internet attackers that incapacitates or disables the attackers . H04L 29 /06 ( 2006 .01 ) The dynamic access pricing and active countermeasure ( 52 ) U . S . CI. generally includes 1 ) the provision of a device fingerprint by CPC . .. H04L 63 / 0876 ( 2013 .01 ) ; H04L 63/ 10 a device at the start of an iteration of the client- puzzle ( 2013 .01 ) ; H04L 63 / 1458 ( 2013 .01 ) ; H04L challenge- response protocol; 2 ) a dynamic access pricing policy associated with a transaction identifier ; 3 ) the deter 63 /20 (2013 .01 ) mination of the puzzle difficulty level based on the interac ( 58 ) Field of Classification Search tion history of the device fingerprint solely with respect to CPC . .. HO4L 63 /08 ; HO4L 63 / 0876 ; G06F 21/ 36 the dynamic access pricing policy ; 4 ) the binding of the See application file for complete search history . device fingerprint to the client puzzle challenge ; the gen eration of transaction authorization codes that the device ( 56 ) References Cited presents to a protected application , system , interface or U . S . PATENT DOCUMENTS device . 6 ,088 , 804 A 7 / 2000 Hill et al. 6 ,738 ,814 B1 5 / 2004 Cox et al . 33 Claims, 36 Drawing Sheets HIP Buf Audi 80 " Con App Store AB - Root 10AL DR At HE ART ladim HT | Code dar _FEET AB Badal DO EMTE LIST 41 FAHOW-0 US 9 , 807 ,092 B1 Page 2 ( 56 ) References Cited V . Laurens et al. , “ Requirements for Client Puzzles to Defeat the Denial of Service and Distributed Denial of Service Attacks ” , The U . S . PATENT DOCUMENTS International Arab Journal of Information Technology , vol . 3 , No. 4 , Oct . 2006 . 2003 / 0093509 A1 * 5 / 2003 Li . .. .. .. .. GO6F 11 /0727 Y . Xie et al. , “ Monitoring the Application - Layer DDos Attacks for 709 /223 2009 /0113559 Al 4 / 2009 Schneider Popular Websites , ” IEEE / ACM Transactions Networking , vol. 17 , 2009 / 0192853 A1 7 / 2009 Drake et al . No . 1 , Feb . 2009. 2010 /0031315 A1 2 / 2010 Feng et al. H . Beitollahi et al ., “ Tackling Application -layer DDOS Attacks ” , 2010 / 0180333 A1 * 7 / 2010 Bono . H04L 12 / 585 Procedia Computer Science ; SciVerse ScienceDirect, dated 2012. 726 / 13 H . Beitollahi et al. , “ Analyzing well -known countermeasures 2011/ 0218860 A1 9 / 2011 Barber against distributed denial of service attacks ” , Computer Communi 2011/ 0231913 AL 9 / 2011 Feng et al . cations, dated 2012 . 2012 /0189194 AL 7 / 2012 Srivastava Y . Chen et al ., " A Novel DDOS Attack Defending Framework with 2012 /0323700 Al 12 / 2012 Aleksandrovich et al. Minimized Bilateral Damages” . Dept . of Electrical & Computer 2013 /0055374 A12 / 2013 Kustarz et al . Engineering , SUNY — Binghamton , Binghampton NY 13902 ; Dept. 2013 /0312097 A1 11/ 2013 Turnbull of Computer Science & Software Engineering , Auburn University , Auburn , AL 36849 , dated 2010 . OTHER PUBLICATIONS P . Djalaliev , “ Mitigating Botnet - Based DDOS Attacks Against Web International Telecommunications Union ( ITU ) , IT Recom Servers ” , Submitted to the Graduate Faculty of the Dietrich School mendationX .200 , “ Data Networks and Open System Communica of Arts and Sciences - University of Pittsburgh , dated 2013 . tions -Open Systems Interconnection -Model and Notation , Basic E . Kaiser , “ Addressing Automated Adversaries of Network Appli Reference Model, ” Jul. 1994 . cations” , Submitted to the Dissertation Committee — Portland State Internet Engineering Task Force ( IETF ), Request for Comments University , dated 2010 . 2616 , “ Hypertext Transfer Protocol -HTTP / 1 , 1 " , Jun . 1999 . S . Khor , et al. “ DaaS : DDoS Mitigation as - a -service ” , IEEE /IPSJ J . Mirkovic , et al ., Internet Denial of Service : Attack and defense International Symposium on Applications and the Internet, dated Mechanisms, Prentice -Hall , 2008 . 2011 . J . Crowcroft et al. , “ Lazy Zusan : Dumb waiting as proof of work , ” P . Vu , “ Defending Against Distributed Denial of Service Attacks University of Cambridge Technical Report No. 703 , Nov . 2007 . Using a Cloud Based Architecture ” , Thesis — The University of J . Rangasamy, et al . “ An integrate approach to cryptographic Houston , Clear Lake , Dated Dec . 2012 . mitigation of denial- of - service attacks” , Proceedings of the 6th B . Waters et al. , “ New Client Puzzle Outsourcing Techniques for ACM Symposium on Information , Computer and Communications DoS Resistance ” , Princeton University , Princeton , NJ; RSA Labo Security ( ASIACCS ) 2011 . ratories , Bedford , MA, Oct . 25 -29 , 2004 . Kurt Gutzmann , “ Role - Based Access Control in HTTP Environ S . Zargar et al. , “ A Survey of Defense Mechanisms Aganist Dis ment” , IEEE Journal of Internet Computing , Jan . 2001 . tributed Denial of Service (DDoS ) Flooding Attacks” , IEEE , 2013 . M . Abliz et al. , “ A Guided Tour Puzzle for Denial of Service K . Gutzmann , “ System and Methods for Classifying Internet Prevention ” , Proceedings of the Annual Computer Security Appli Devices as Hostile or Benign ” , filed Jul. 3 , 2014 , U . S . Appl. No . cations Conference , 2009 . 14 / 323 , 826 . P . Mittal et al ., " Towards Deployable DDoS Defense for Web Application ” , Arxiv preprint arXiv : 1110 - 1060 , Oct . 5 , 2011 . * cited by examiner atent Oct . 31 , 2017 Sheet 1 of 36 US 9 ,807 , 092 B1 101 Hostile Devices Benign Devices Load Balancer Black /White List Filter Load Balancer Black /White List Filter - - - - - - Classifier 1 Classifier N Classifier .. - - Device Fingerprints for - Black List & White List Content Server 1 Content Server. Content Server N m 104 Prutat Management Server Parameters Memcache ] Fingerprints for Black List & White List 105 Subscription Management 1-1-1List /Fingerprint Publisher Device Fingerprints for Black List & White List 106 Service Subscriber Connection Fingerprint 107 08 DWUST ????? Figure 1 atent Oct . 31 , 2017 Sheet 2 of 36 US 9 ,807 , 092 B1 Hostile Devices Benign Devices Load Balancer Black /White List Filter . Classification Filter Classification Filter Classification Filter Protoco Parameters Memcached Content Server N Content Server 1 Content Server. Device Fingerprints for Black List & White List Management Server Fingerprints for Blacklist & White List TAYYYY 205 Subscription List/ Fingerprint Management Publisher LH1-0Singerprint - Figure 2 U . S . Patent Oct. 31, 2017 Sheet 3 of 36 US 9 , 807 ,092 B1 HTTP Clientor BOT Customer FrontEnd Processor IFF Service MemCached Store Fingerprint Publishing Service Scheduler Event HandeRequest for Data Start - no cookies , no white list, no blacklist i. e. Device Fingerprings Process Query for Whitelist, blank slate Unikate Black and White List and Blacklist, and Fingerprints Filter Data White /Black Lists 305 Send Request HTTP GET POST + headers HTTP Request Get the Request Cookies 1306 Calculate the SS FingerPrint Device Fingerprint Look forPOW _ FINGERPRINT Black White cookie (prior JS computation ) Lists 302 Redirect Ignored POW FINGERPRINT is present Scheduler Event Execute Time Job To Copy Cache to DB POW FINGERPRINT IS Cache Data on WHITE _ LIST Cache Data (Fingerprints . WL , BL ) (Fingerprints .WL , BL ) Figure 3A U . S . Patent Oct. 31, 2017 Sheet 4 of 36 US 9 ,807 , 092 B1 HTTP Client or BOT Customer Front End Processor iFF Service MemCached Store Fingerprint Publishing Service DDDDDD DDD 309 Forward Request to Pool Member , Normal processing Cache Data Fingerprints , WL, BL ) Device Fingerprints { 3 and 310 White /Black Lists Compute SS Finger Print (HEADERS + P ) memCache Increment Request Counter for 010-11Cache Data SS _ Fingerprint (Fingerprints ,WL , BL ) 302 Redirect ignored Count > Black List Threshold ? Place device an focal Black List & transmit device details to publishing service Black Lested Device particulars Accept New Blacklisted Device 314 Store Device particukars in SS FINGERPRINT Database YES On BLACK kst ? 319 . Figure 3B U . S . Patent Oct. 31, 2017 Sheet 5 of 36 US 9 ,807 , 092 B1 HTTP Client or BOT Customer