
HK1218175B - A system and method for creating a list of shared information on a peer-to-peer network - Google Patents


Info

Publication number: HK1218175B
Application number: HK16106016.9A
Authority: HK (Hong Kong)
Prior art keywords: searches, peer, criteria, network, information
Other languages: Chinese (zh)
Other versions: HK1218175A1 (en)
Inventor: P. Hopkins Samuel
Original Assignee: Kroll Information Assurance, Llc
Application filed by: Kroll Information Assurance, Llc
Publications: HK1218175A1, HK1218175B

Description

A system and method for creating a list of shared information on a peer-to-peer network

This application is a divisional application of the application filed on April 10, 2008, with application number 200880011661.7, entitled "A system and method for creating a list of shared information on a peer-to-peer network".

Related applications

This application claims the benefit of U.S. Provisional Application No. 60/923,042, filed April 12, 2007. The entire teachings of the above application are incorporated herein by reference.

Technical Field

The present invention relates to locating information within connected network computers.

Background Art

Peer-to-peer networks use diverse connectivity between participants in the network and rely on the cumulative bandwidth of the network participants rather than on conventional centralized resources. Peer-to-peer networks are typically used to connect nodes via a large number of ad hoc connections. Such networks are useful for many purposes. Sharing content files containing audio, video, data, or information in any digital format is common, and real-time data such as telephone traffic is also carried over peer-to-peer networks. To access a peer-to-peer network in order to share content files, users use a peer-to-peer network software application that is capable of connecting network computers.

Summary of the Invention

The method or corresponding apparatus of an example embodiment includes a network node configured to obtain one or more searches from a peer-to-peer network. The network node compares the one or more searches against one or more criteria. After the comparison, the network node updates the one or more criteria to include variations of the one or more searches. After the update, the network node issues the one or more searches based on the updated criteria. Next, the network node determines the resulting information associated with the one or more searches. After the determination, the network node creates a list of the resulting information for analysis. In an embodiment, the method or corresponding apparatus uses C, C++, .NET, or Visual Basic program code.

In an embodiment, the one or more criteria are one of the following: a predefined keyword, a set of keywords, or a subset of keywords. Additionally, the one or more criteria may relate to an individual, organization, group, or other identifiable entity.

In an embodiment, the one or more searches are broadcast messages in a peer-to-peer network. In an embodiment, the network node compares the one or more searches to the one or more criteria using one of the following: comparison, intrastring, fuzzy logic matching, or other comparison technique(s).

In an embodiment, the network node updates by accounting for punctuation, pluralization, or other variations of the one or more criteria. In an embodiment, the network node is further configured to send a TCP/IP packet with the one or more searches to a network node.

In an embodiment, the resulting information is the name of an organization, information related to an organization, the name of an individual, or information related to an individual.

In an embodiment, the list is stored in a database, a computer program, a memory, or a suitable storage device. In an embodiment, the network node is further configured to collect a fee for providing access to the list. In an embodiment, the network node is further configured to identify a security risk based on the one or more searches.

Other advantages of the present invention will become apparent from a perusal of the following detailed description of embodiments of the invention.

Brief Description of the Drawings

The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings, in which like reference numerals refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments of the invention.

FIG. 1A is a block diagram depicting a communications network that monitors searches on a peer-to-peer network to create a list, according to an example embodiment of the present invention;

FIG. 1B is an example list of resulting information according to an example embodiment of the present invention;

FIG. 2 is a block diagram depicting an example search packet according to an example embodiment of the present invention;

FIG. 3A is a flow chart depicting issuing a search on a network according to an example embodiment of the present invention;

FIG. 3B is an example of criteria according to an example embodiment of the present invention;

FIG. 4 is a flow chart depicting adding a search to a database according to an example embodiment of the present invention;

FIG. 5 is a flow chart depicting an example monitoring process according to an example embodiment of the present invention;

FIG. 6 is a flow chart illustrating creation of a list of searched information on a peer-to-peer network according to an example embodiment of the present invention;

FIG. 7 is a flow chart depicting providing a list to a customer for a fee according to an example embodiment of the present invention.

Detailed Description

Today, organizations and individuals risk disclosing information that should not be shared. To reduce this risk, an organization or individual locates information and identifies what information is private (e.g., should not be disclosed). After identifying what information is private, the organization can take action to prevent the disclosure of that information. One way to prevent inappropriate information sharing is to monitor searches made in a network, such as a peer-to-peer network, for phrases, terms, or one or more criteria related to a business, organization, or company, such as a company name or other terms.

FIG. 1A is a block diagram depicting a communications network 100 that monitors searches 110, 120 on a peer-to-peer network to create a list, according to an example embodiment of the present invention. Specifically, a network node 140 monitors searches issued on a peer-to-peer network 112. The peer-to-peer network 112 includes node a 105, node b 115, and node c 125, which are in communication with one another. In operation, node a 105 sends a search 110 to node b 115. Similarly, node b 115 sends a search b 120 to node c 125. For example, node a 105 and node b 115 may issue a search for the phrase "Acme Bank." Once the search is issued, the network node 140 obtains the searches 110, 120 from the peer-to-peer network 112, typically by obtaining a broadcast message associated with the searches 110, 120. After obtaining the searches 110, 120, the network node 140 compares the searches 110, 120 to one or more criteria 160 (e.g., phrases) using a comparison technique, such as a compare. If the one or more criteria 160 match the searches 110, 120 (e.g., the criterion is "Acme Bank"), the network node 140 updates the one or more criteria 160 to include variations of the searches 110, 120 (e.g., "Acme Banks"). To do so, the network node 140 employs pluralization or other algorithms known in the art to determine these additional variations of the searches 110, 120.

After updating the criteria 160, the network node 140 issues new searches 150a-b based on the updated criteria. As a result, the network node 140 receives responses from the peer-to-peer network 112, creates a list of the resulting information 155a-b from the new searches 150a-b, and stores the resulting information 155a-b in a database 145 for analysis.

In a preferred embodiment, the network node 140 receives a response from the peer-to-peer network 112 containing the resulting information 155a-b. Example resulting information 155a is shown in FIG. 1B. Specifically, FIG. 1B shows the resulting information 155a as a TCP/IP packet that contains a 16-byte descriptor id 107, a payload descriptor id 119, a time-to-live value (typically 3) 137, a hops value 142 (typically 0), a payload length 147, and a payload 152. The payload typically includes the number of file titles contained in the payload, the TCP/IP port, the IP address, the host speed, a result set with a file index, the file size, the file name, and a servent ID number. In an embodiment, the resulting information may also include the name and size of a file, as well as the IP address of the computer that has the file. It should be understood that a servent is a peer-to-peer network node that has the characteristics of both a server and a client. Other configurations for the resulting information 155a are also possible.

Referring now back to FIG. 1A, an analysis node 180 may receive the list 170, which allows an operator or software logic 190 to identify patterns of searched information in the list 170. For example, the software logic 190 determines information that would be inappropriate to share, such as a shared folder containing sensitive or private information. That is, information may be shared inadvertently, or through malicious behavior or a virus. For example, someone may have inadvertently shared a dispute letter containing personal information such as a credit card number. A user may search for these dispute letters and obtain the credit card number. That is, the user may issue a search and receive a dispute letter that relates to a credit card purchase for a credit card owner. In the dispute letter, the credit card owner includes the credit card number and/or other personal information. Therefore, the user can now view and potentially use the credit card owner's credit card number and/or other personal information.

In other examples, the peer-to-peer network 112 software may have a software bug that allows files or information to be shared. Similarly, a user's computer may have a virus or worm that connects to the peer-to-peer network 112 and shares information without the user's knowledge, such as inadvertently sharing the folder 118 in node b 115. Regardless of the reason for the sharing, a user may issue a search containing terms that target an organization or individual, such as "Acme Bank dispute letter" or "John Smith credit card." Allowing access to sensitive or private information via searches may result in risk to an organization, national security, or other users.

It should be understood that embodiments of the present invention are not limited to the use of a database, such as the database 145, and that embodiments of the present invention may also store the list in a report on the network node 140, or in some other suitable location or memory. Other configurations are also possible.

It should also be understood that other configurations of the peer-to-peer network 112 are possible. For example, one or more nodes may be classified as master nodes and other nodes may be classified as leaf nodes. Leaf nodes connect to master nodes, and master nodes may connect to other master nodes. Thus, if a leaf node issues a search request, the leaf node sends the search request to the master node connected to that leaf node. Upon receiving the search request, the master node forwards the request to each master node and each leaf node connected to the requesting master node. A receiving master node forwards each search request to each leaf node connected to it. Embodiments of the present invention may likewise obtain resulting information from leaf node searches. Furthermore, it should be understood that the analysis node 180 and the software logic 190 are optional components of the communications network 100, and embodiments without these components may also be employed.

FIG. 2 is a block diagram depicting an example search packet 200 according to an example embodiment of the present invention. Specifically, the search packet 200 contains a 16-byte descriptor id 205, a payload descriptor id 210, a time-to-live value 215, a hops value 220, a payload length 225 of the search term, a search term 230, and a minimum speed 235 accepted by the user. In a preferred embodiment, a network node, such as the network node 140 of FIG. 1, creates a report based on the searches in the search packet 200. The report may include a list of all searches that match the criteria, including duplicates. Alternatively, the report may include a list of the search terms 225 that match the criteria, without duplicates. For a report that includes duplicates, a particular search term 225 may be stored a number of times corresponding to the number of searches. The number of searches for a particular search term 225 is useful in determining patterns, as described below. In an embodiment, the report may also include each search term 225 and the corresponding 16-byte descriptor id 205.
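The search packet of FIG. 2 can be decoded and validated as sketched here. This is an added example, not code from the patent: the field widths (1-byte payload descriptor, time-to-live and hops, a 4-byte little-endian payload length, a 2-byte minimum speed ahead of a NUL-terminated search term) are assumptions taken from the Gnutella 0.4 descriptor layout, which the page does not name, and the sample packets are constructed.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 23          # 16 + 1 + 1 + 1 + 4 bytes (assumed field widths)
SEARCH_DESCRIPTOR = 128  # payload descriptor id the page gives for a search
MAX_PAYLOAD = 4096       # assumed sanity cap on a declared payload length


class MalformedPacket(ValueError):
    """The bytes do not form a well-formed search packet."""


@dataclass(frozen=True)
class SearchPacket:
    descriptor_id: str   # 16-byte descriptor id, as hex
    ttl: int
    hops: int
    min_speed: int
    search_term: str


def build_descriptor(descriptor_id, payload_descriptor, payload, ttl=3, hops=0):
    """Assemble a descriptor; used here only to construct sample input."""
    header = struct.pack("<BBBI", payload_descriptor, ttl, hops, len(payload))
    return descriptor_id + header + payload


def build_search(descriptor_id, term, min_speed=0):
    payload = struct.pack("<H", min_speed) + term.encode("utf-8") + b"\x00"
    return build_descriptor(descriptor_id, SEARCH_DESCRIPTOR, payload)


def parse_search_packet(data):
    """Decode one search packet, rejecting anything inconsistent."""
    if len(data) < HEADER_LEN:
        raise MalformedPacket("truncated header")
    kind, ttl, hops, payload_len = struct.unpack_from("<BBBI", data, 16)
    if kind != SEARCH_DESCRIPTOR:
        raise MalformedPacket(f"payload descriptor {kind} is not a search")
    if not 3 <= payload_len <= MAX_PAYLOAD:
        raise MalformedPacket(f"implausible payload length {payload_len}")
    payload = data[HEADER_LEN:HEADER_LEN + payload_len]
    if len(payload) != payload_len:
        raise MalformedPacket("payload shorter than declared length")
    (min_speed,) = struct.unpack_from("<H", payload, 0)
    raw_term, terminator, _ = payload[2:].partition(b"\x00")
    if not terminator:
        raise MalformedPacket("search term is not NUL-terminated")
    term = raw_term.decode("utf-8", errors="replace").strip()
    return SearchPacket(data[:16].hex(), ttl, hops, min_speed, term)


def iter_search_packets(stream):
    """Walk back-to-back descriptors in a buffer, yielding only searches."""
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        kind, _, _, payload_len = struct.unpack_from("<BBBI", stream, offset + 16)
        end = offset + HEADER_LEN + payload_len
        if payload_len > MAX_PAYLOAD or end > len(stream):
            break  # framing is lost after a bad length; stop reading
        if kind == SEARCH_DESCRIPTOR:
            try:
                yield parse_search_packet(stream[offset:end])
            except MalformedPacket:
                pass  # skip the bad search, keep the framing
        offset = end


# Constructed sample: two searches with an empty non-search descriptor between.
SAMPLE_STREAM = (
    build_search(bytes(range(16)), "Acme Bank")
    + build_descriptor(bytes(16), 0, b"")
    + build_search(bytes(range(16, 32)), "Acme Bank dispute letter")
)

if __name__ == "__main__":
    for packet in iter_search_packets(SAMPLE_STREAM):
        print(packet.descriptor_id, packet.ttl, packet.hops, packet.search_term)
```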

FIG. 3A is a flow chart depicting issuing a search on a network according to an example embodiment of the present invention. Specifically, FIG. 3A shows a process 300 for monitoring organization information by monitoring searches, issuing searches, and obtaining responses. The process 300 monitors a peer-to-peer network for searches that match one or more criteria 305 by using a network node to obtain peer-to-peer network broadcast messages. In a preferred embodiment, the process uses a comparison technique, such as comparison, fuzzy logic matching, or another comparison technique known in the art, through a programming language such as C++ or Visual Basic. Using other programming languages or comparison techniques is also possible. In an example embodiment, the programming language accounts for punctuation, such as abbreviations, and pluralization to either modify the search term, modify the one or more criteria, or add additional criteria search terms. For example, if the search term is "Acme Banks," the process removes the "s" at the end of "Banks" to broaden the results. That is, the process 300 includes multiple criteria search terms, such as "Acme Bank" and "Acme Banks."

Consider the following example. The process 300 monitors the network for a search term or phrase (e.g., "Acme Banks") by extracting the search term from a peer-to-peer network search packet, such as the search packet 200 of FIG. 2. After extracting the search term, the search term may be compared to the criteria using comparison, intrastring, fuzzy logic matching, or other comparison technique(s). More specifically, the process 300 determines whether the one or more criteria are matched 310. If there is no match, the process 300 returns to monitoring 315 for new searches; otherwise the process 300 continues. More specifically, the process 300 obtains or receives from the peer-to-peer network one or more searches related to an organization (e.g., "Acme Bank") or an individual. The process 300 compares the one or more searches to the one or more criteria. For example, the one or more criteria may be predefined keywords, sets of keywords, or subsets of keywords, and may be stored in a database, computer program, list, report, memory, or other suitable storage device.

In an embodiment, an organization or other user defines the one or more criteria with search terms. For example, an organization defines one or more criteria corresponding to the organization, such as a company name, address, brand name(s), name(s) and address(es) of executive management, or other representative criteria (or keywords). Example criteria 350 are shown in FIG. 3B. More specifically, the example criteria 350 show search terms issued by suspicious individuals on the network. After issuing the one or more searches, the process 300 returns to the monitoring phase 325. The example criteria 350 are typically a list of terms or phrases that match organization keywords specified by a human resource, customer, agent, or computer.

In an embodiment, the definition of the one or more criteria may be entered manually by the organization and other users. In an embodiment, the process 300 monitors issued searches, matches the issued searches to existing criteria, and adds the searches as additional criteria.

Continuing with FIG. 3A, if the criteria are matched, the process 300 issues the one or more searches onto the peer-to-peer network 320. The process 300 issues the searches by using one of the following: a peer-to-peer software application, a non-peer-to-peer system, or a system that accesses a peer-to-peer node to issue the search. In an embodiment, the search is issued via Transmission Control Protocol and Internet Protocol (TCP/IP) packets. A TCP/IP packet typically contains a 16-byte descriptor identifier, a payload descriptor identifier of 128, a time-to-live value (typically 3), a hops value (typically 0), a payload length with the length of the search term, the search term, and a minimum speed accepted by the user.

In an embodiment, a process 400 adds one or more searches to memory, as shown in FIG. 4. The process 400 monitors the peer-to-peer network for one or more searches that match one or more criteria 405. The process 400 determines whether the one or more criteria are matched 410. If there is a match, the process 400 adds the search to a list 420. If the list contains the name of an organization related to a customer, as provided in the criteria, the process 400 determines that the user may be malicious and targeting their customers. The process 400 determines that such behavior exists by using metrics, such as the number of searches received or the complexity of the searches. More specifically, if a user searches for the phrase "Acme Bank Statements," a determination is made that the user is attempting to find bank statement information. The process 400 adds a record of the search (and/or the actual search) to memory 400 and returns to the monitoring stage 425 to identify additional searches. However, if no criteria are matched, the process 400 returns to the monitoring stage 410 without adding the search to memory.

The monitoring process 500 shown in FIG. 5 allows an organization to prevent unwanted or inappropriate information sharing. In a preferred embodiment, the monitoring system in the monitoring process 500 monitors the peer-to-peer network for a word or phrase 505 based on a configuration. In an embodiment, the configuration may be entered manually by an operator of the monitoring system or predetermined in some other manner. A peer-to-peer network user issues a search for a word or phrase 510. In turn, the monitoring system detects the search on the peer-to-peer network and compares the search to the word or phrase 515. Furthermore, the monitoring system detects that the search matches a word or phrase and issues the search onto the network 520. For example, by monitoring the searches of a "rogue" user, a bank records the search responses in order to identify the rogue user later. The bank is thus able to identify whether a potential problem may exist. The monitoring system may record the responses in a database and/or download files that match the issued search to computer memory, a database, or printed media 525. In a preferred embodiment, the monitoring system may use TCP/IP to connect to the host and download the files. It should be understood that searches may be issued via TCP/IP packets or other transport packets.

In an embodiment, the monitoring system issues a "Push" message, which instructs the file host to connect to the monitoring system and upload the file. The monitoring thus circumvents any host firewall that prevents the transfer of messages. The push message may be a TCP/IP packet containing a 16-byte descriptor id, a payload descriptor id of 64, a time-to-live value (typically 3), a hops value (typically 0), a payload length, and a payload. The payload includes a servent identifier, a file index, the IP address of the monitoring system, and the TCP/IP port of the monitoring system.

FIG. 6 is a flow chart illustrating the creation of a list of searched information on a peer-to-peer network according to an example embodiment of the present invention. At 605, a process 600 obtains one or more searches from the peer-to-peer network. At 610, the process 600 compares the one or more searches to one or more criteria to determine whether there are any matches. At 615, the process 600 updates the one or more criteria to include variations or other changes of the one or more searches. At 620, the process 600 issues one or more searches to the network based on the updated criteria in order to obtain resulting information. At 625, the process 600 determines the resulting information associated with the one or more searches. At 630, the process creates a list of the resulting information for analysis.
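Steps 605 to 615 and the list-building side of 620 to 630, without any network I/O, as an added example that is not code from the patent: it compares observed searches to the criteria with the three named techniques, adds punctuation and plural variants to the criteria, and counts matching terms with duplicates. The fuzzy threshold, the naive English plural rule, the function names and the sample searches are assumptions constructed for illustration.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

FUZZY_THRESHOLD = 0.85  # assumed cut-off; the page gives no value


def normalize(text):
    """Lower-case, drop apostrophes, turn other punctuation into spaces."""
    text = re.sub(r"['\u2019]", "", text.lower())
    return " ".join(re.sub(r"[^\w\s]", " ", text).split())


def singular(word):
    # Naive rule (assumption): strip one trailing "s", but not from "ss".
    if len(word) > 3 and word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word


def plural(word):
    return word if word.endswith("s") else word + "s"


def variants(term):
    """Singular and plural forms of a normalized term's last word."""
    *head, last = term.split()
    stem = singular(last)
    return {" ".join(head + [w]) for w in (last, stem, plural(stem))}


def match(search, criterion):
    """Return the technique that matched two normalized strings, or None."""
    if search == criterion:
        return "compare"
    if criterion in search:
        return "intrastring"
    words, k = search.split(), len(criterion.split())
    windows = [" ".join(words[i:i + k])
               for i in range(max(1, len(words) - k + 1))]
    if any(SequenceMatcher(None, w, criterion).ratio() >= FUZZY_THRESHOLD
           for w in windows):
        return "fuzzy"
    return None


def monitor(observed, criteria):
    """Return (updated criteria, new search terms, counts of matched terms)."""
    criteria = {normalize(c) for c in criteria}
    counts, new_searches = Counter(), set()
    for search in observed:
        norm = normalize(search)
        if not norm:
            continue
        if not any(match(norm, c) for c in sorted(criteria)):
            continue                      # no match: keep monitoring
        counts[norm] += 1                 # duplicates kept for pattern analysis
        added = variants(norm)
        criteria |= added                 # step 615: update the criteria
        new_searches |= added - {norm}    # new terms differ from the observed one
    return criteria, sorted(new_searches), counts


# Constructed sample of searches seen on the network.
SAMPLE_SEARCHES = [
    "Acme Banks",
    "acme-bank dispute letter",
    "free music",
    "Acme Bank's statements",
    "Acme Banks",
]

if __name__ == "__main__":
    updated, new_terms, seen = monitor(SAMPLE_SEARCHES, ["Acme Bank"])
    for term, n in seen.most_common():
        print(n, term)
    print("new search terms:", new_terms)
```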

It should be understood that the resulting information may be in the form of a list, report, database report, or other suitable representation. In addition, as explained above, software logic may be used to identify patterns in the searches/resulting information based on the one or more criteria. Alternatively, the resulting information may be reviewed by an analyst to identify any patterns/risks. For example, the analyst or software logic identifies in the resulting information a large number of searches directed at a particular executive in the organization, the searches relating to personal or business information. The large number of searches related to the executive indicates possible identity theft or other potential risks.

FIG. 7 is a flow chart depicting providing a list to a customer for a fee according to an example embodiment of the present invention. For example, a process 700 creates a list, which may include search results or other information identified by the one or more criteria. At 710, the process 700 provides a customer/organization with access to the list via a database or other suitable representation (e.g., a report). In a preferred embodiment, the customer receives access to the list by connecting to a database, such as the database 145 of FIG. 1, and reviews the list. At 715, the process 700 collects a fee from the user for access to the list. The fee may be collected on a subscription basis ranging from one-time, daily, weekly, or monthly to yearly, by invoicing the organization for the fee, or on a prepaid basis. In an example embodiment, the fee may be a fixed fee or a fee for reviewing the list, where a single fee is charged for unlimited access to the list or for each access to the list. Other arrangements are also possible.

Using embodiments of the present invention, the hardware system may be a computer, small appliance, ASIC-based device, or other similar device, which can be programmed with specific logic or programming code (e.g., software). The system is connected to a physical network either directly or through a gateway. The programming logic provides the device with the ability to transmit and receive on both the physical network and the peer-to-peer network. Examples of programming logic include software programs or hard-coded program information, such as that found on ASIC-based devices.

It should be understood that any of the processes disclosed herein may be implemented in the form of hardware, firmware, or software. If implemented in software, the software may be processor instructions in any suitable software language and stored on any form of computer-readable medium. The processor instructions are loaded and executed by a processor, such as a general-purpose or application-specific processor, which in turn performs the example embodiments disclosed herein.

While the invention has been particularly shown and described with reference to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention as encompassed by the appended claims.

Claims (13)

1. A method for locating information within connected network computers, comprising:
obtaining one or more searches from one or more messages broadcast on a peer-to-peer network;
determining whether the one or more obtained searches match one or more criteria, wherein the one or more criteria are one of the following: a predefined keyword, set of keywords, or subset of keywords indicating a suspicious individual who is searching for information relating to an individual, organization, group, or other identifiable entity;
in response to determining that the one or more obtained searches match the one or more criteria:
updating the one or more criteria to include variations of the one or more obtained searches, the variations of the one or more obtained searches including account punctuation, plurals, and other variations of the one or more searches,
issuing one or more new searches to the peer-to-peer network based on the updated criteria, the one or more new searches being different from the one or more obtained searches,
determining resulting information associated with the one or more new searches; and
creating a list of the resulting information for analysis, the resulting information including one or more of the following: a name of an organization, information relating to the organization, a name of an individual, information relating to the individual; and
in response to determining that the one or more obtained searches do not match the one or more criteria, monitoring the peer-to-peer network for other searches.

2. The method of claim 1, wherein comparing the one or more obtained searches with the one or more criteria uses one of the following: comparison, intra-string matching, fuzzy logic matching, or other comparison techniques.

3. The method of claim 1, performed by C++ or Visual Basic program code.

4. The method of claim 1, wherein issuing one or more new searches based on the updated criteria further comprises: sending TCP/IP packets having the one or more new searches to a network node on the peer-to-peer network.

5. The method of claim 1, wherein the list is stored in a database, computer program, memory, or suitable storage device.

6. The method of claim 1, further comprising collecting a fee for providing access to the list.

7. The method of claim 1, further comprising providing the list of the resulting information to an organization or individual as evidence that allowing access to sensitive or private information via searching the peer-to-peer network creates a risk for the organization or individual.

8. A network node for executing instructions of computer program code to create a list of search information on a peer-to-peer network, comprising:
a network node containing computer program code, configured to:
(1) obtain one or more searches from one or more messages broadcast on a peer-to-peer network;
(2) determine whether the one or more obtained searches match one or more criteria, wherein the one or more criteria are one of the following: a predefined keyword, set of keywords, or subset of keywords indicating a suspicious individual who is searching for information relating to an individual, organization, group, or other identifiable entity;
(3) in response to determining that the one or more obtained searches match the one or more criteria:
update the one or more criteria to include variations of the one or more obtained searches by updating the one or more criteria with account punctuation, plurals, and other variations of the searches,
issue one or more new searches to the peer-to-peer network based on the updated criteria, the one or more new searches being different from the one or more obtained searches,
determine resulting information associated with the one or more new searches, and
create a list of the resulting information in a database, the resulting information including one or more of the following: a name of an organization, information relating to the organization, a name of an individual, information relating to the individual; and
(4) in response to determining that the one or more obtained searches do not match the one or more criteria, monitor the peer-to-peer network for other searches.

9. The network node of claim 8, wherein the network node uses one of the following to compare the one or more obtained searches with the one or more criteria: comparison, intra-string matching, fuzzy logic matching, or other comparison techniques.

10. The network node of claim 8, wherein the network node creates the list of search information using C++ or Visual Basic program code.

11. The network node of claim 8, wherein the network node is further configured to send TCP/IP packets having the one or more new searches to a communication network to determine the resulting information.

12. The network node of claim 8, wherein the list is stored in a database, computer program, memory, or suitable storage device.

13. The network node of claim 8, wherein the network node is further configured to identify a security risk based on the one or more new searches.

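The match-then-expand loop recited in claims 1 and 2, as an added Python example that is not code from the patent or its applicant. The function names, the 0.8 fuzzy threshold, the punctuation and plural rules, and the sample searches are assumptions constructed for illustration; sending the new searches to the network is left out.

```python
import re
from difflib import SequenceMatcher

FUZZY_THRESHOLD = 0.8  # assumption: the claims name fuzzy matching but set no threshold

def normalize(text):
    """Lower-case and turn punctuation into spaces: 'Acme-Corp.' -> 'acme corp'."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.lower()).split())

def matches(search, criteria):
    """Return a criterion hit by exact, in-string or fuzzy comparison, else None."""
    s = normalize(search)
    for criterion in criteria:
        c = normalize(criterion)
        if not c:
            continue  # an empty criterion would be a substring of every search
        if s == c or c in s or SequenceMatcher(None, s, c).ratio() >= FUZZY_THRESHOLD:
            return criterion
    return None

def variants(search):
    """Punctuation and plural variants of a search (naive rules, assumed here)."""
    base = normalize(search)
    if not base:
        return []
    out = {base, base.replace(" ", ""), base.replace(" ", "-")}
    last = base.split()[-1]
    out.add(base[:-1] if last.endswith("s") and len(last) > 3 else base + "s")
    out.discard(search.lower())  # new searches must differ from the obtained one
    return sorted(out)

def process(observed, criteria):
    """Apply the claimed loop; returns (updated_criteria, new_searches_to_issue)."""
    criteria = set(criteria)
    new_searches = []
    for search in observed:
        if matches(search, criteria) is None:
            continue  # no match: keep monitoring for other searches
        for v in variants(search):
            if v not in criteria:
                criteria.add(v)
                new_searches.append(v)
    return criteria, new_searches

# Constructed sample input standing in for searches read from broadcast messages.
OBSERVED = ["free music", "Acme-Corp payroll", "acme corp. invoices"]
CRITERIA = ["acme corp"]

if __name__ == "__main__":
    updated, issued = process(OBSERVED, CRITERIA)
    print(issued)
```
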
HK16106016.9A 2007-04-12 2016-05-26 A system and method for creating a list of shared information on a peer-to-peer network HK1218175B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US92304207P 2007-04-12 2007-04-12
US60/923042 2007-04-12

Publications (2)

Publication Number Publication Date
HK1218175A1 HK1218175A1 (en) 2017-02-03
HK1218175B HK1218175B (en) 2020-12-24
