US 12,170,902 B2
User agent inference and active endpoint fingerprinting for encrypted connections
Carl Joseph Salji, Bedford (GB)
Assigned to Darktrace Holdings Limited, Cambridge (GB)
Filed by Darktrace Holdings Limited, Cambridge (GB)
Filed on Jan. 7, 2022, as Appl. No. 17/571,153.
Claims priority of provisional application 63/135,394, filed on Jan. 8, 2021.
Prior Publication US 2022/0224716 A1, Jul. 14, 2022
Int. Cl. H04W 12/122 (2021.01); H04L 9/40 (2022.01); H04L 41/16 (2022.01); H04L 41/22 (2022.01)
CPC H04W 12/122 (2021.01) [H04L 41/16 (2013.01); H04L 41/22 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for a cyber security appliance incorporating data across multiple platforms used by a client system to identify a cyber threat, comprising:
receiving a hostname for a malicious web server;
generating an unencrypted target fingerprint based on intransient characteristics of the malicious web server gleaned from sending a series of unencrypted connection protocol requests to the malicious web server;
generating an encrypted target fingerprint for the malicious web server based on characteristics of the malicious web server gleaned from sending a series of encrypted secure connection protocol requests to the malicious web server;
building a combined web server fingerprint for the malicious web server based on both the characteristics of the malicious web server from the encrypted target fingerprint derived from the series of encrypted secure connection protocol requests and the intransient characteristics of the malicious web server from the unencrypted target fingerprint derived from the series of unencrypted connection protocol requests;
determining a set of one or more suspicious IP addresses that share a substantial similarity over a threshold to information associated with the combined web server fingerprint for the malicious web server; and
inoculating a fleet of network devices against a cyberattack using the set of one or more IP addresses based on the combined web server fingerprint in order to preemptively alert the fleet of network devices to future sources of danger from the cyberattack.
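As an added illustration (not code from the patent or its assignee) of how the combined web server fingerprint and the similarity threshold in claim 1 fit together, using constructed fingerprints instead of live probes; the particular HTTP and TLS attributes, the Jaccard measure and the 0.6 threshold are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpFingerprint:
    """Intransient characteristics gleaned from unencrypted (HTTP) probes (assumed attributes)."""
    server: str          # Server response header
    header_order: tuple  # order in which response headers are emitted
    not_found_len: int   # body length of a 404 response

@dataclass(frozen=True)
class TlsFingerprint:
    """Characteristics gleaned from encrypted (HTTPS) probes (assumed attributes)."""
    version: str
    cipher: str
    cert_issuer: str
    alpn: tuple

def combined_fingerprint(http: HttpFingerprint, tls: TlsFingerprint) -> frozenset:
    """Merge both probe results into one set of (feature, value) pairs."""
    return frozenset({("server", http.server), ("header_order", http.header_order),
                      ("404_len", http.not_found_len), ("tls_version", tls.version),
                      ("cipher", tls.cipher), ("issuer", tls.cert_issuer), ("alpn", tls.alpn)})

def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two combined fingerprints, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def suspicious_ips(target: frozenset, candidates: dict, threshold: float) -> list:
    """IPs whose server fingerprint is at least `threshold` similar to the malicious target."""
    return sorted(ip for ip, fp in candidates.items() if similarity(target, fp) >= threshold)

# Constructed sample data: the malicious host's fingerprint and three candidate IPs.
TARGET = combined_fingerprint(
    HttpFingerprint("nginx/1.18.0", ("Server", "Date", "Content-Type"), 153),
    TlsFingerprint("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "CN=R3", ("h2", "http/1.1")))
CANDIDATES = {
    "203.0.113.7": combined_fingerprint(   # same deployment; only the certificate issuer differs
        HttpFingerprint("nginx/1.18.0", ("Server", "Date", "Content-Type"), 153),
        TlsFingerprint("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "CN=E1", ("h2", "http/1.1"))),
    "198.51.100.9": combined_fingerprint(  # only the unencrypted side matches (~0.27)
        HttpFingerprint("nginx/1.18.0", ("Server", "Date", "Content-Type"), 153),
        TlsFingerprint("TLSv1.3", "TLS_AES_128_GCM_SHA256", "CN=Other", ("http/1.1",))),
    "192.0.2.33": combined_fingerprint(    # unrelated server (0.0)
        HttpFingerprint("Apache/2.4.41", ("Date", "Server", "Content-Length"), 196),
        TlsFingerprint("TLSv1.3", "TLS_AES_256_GCM_SHA384", "CN=Other", ("http/1.1",))),
}

if __name__ == "__main__":
    # Only the first candidate crosses the assumed 0.6 threshold and would be pushed to the fleet.
    print(suspicious_ips(TARGET, CANDIDATES, 0.6))  # ['203.0.113.7']
```

The set returned by suspicious_ips is what the claim's final step distributes to the fleet; lowering the threshold trades fewer missed lookalikes for more false alerts.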