Courtesy of Brian Harring, Domestic Intelligence Editor

United States Patent 6,947,978
Huffman, et al.
September 20, 2005

Method for geolocating logical network addresses

Abstract

Method for geolocating logical network addresses on electronically switched dynamic communications networks, such as the Internet, using the time latency of communications to and from the logical network address to determine its location. Minimum round-trip communications latency is measured between numerous stations on the network and known network addressed equipment to form a network latency topology map. Minimum round-trip communications latency is also measured between the stations and the logical network address to be geolocated. The resulting set of minimum round-trip communications latencies is then correlated with the network latency topology map to determine the location of the network address to be geolocated.

Inventors: Huffman; Stephen Mark (Sandy Spring, MD); Reifer; Michael Henry (Columbia, MD)
Assignee: The United States of America as represented by the Director, National Security Agency (Washington, DC)
Appl. No.: 752898
Filed: December 29, 2000
Current U.S. Class: 709/220; 709/219; 709/225; 370/455; 370/456; 455/456.1
Intern'l Class: G06F 015/17.7
Field of Search: 709/220,219,225 370/455,456 455/456.1
References Cited

U.S. Patent Documents
6243746        Jun., 2001    Sondur et al.
6671514        Dec., 2003    Cedervall et al.
6684250        Jan., 2004    Anderson et al.
2002/0016831   Feb., 2002    Peled et al.
2004/0203851   Oct., 2004    Vetro et al.
2004/0203866   Oct., 2004    Sahinoglu et al.

Other References
Beongku et al., "A Cellular Architecture For Supporting Geocast Services", VTC 2000, IEEE, pp. 1452-1459.
Beongku et al., "A Geocast Architecture For Mobile Cellular Networks", NJ Institute Of Technology, 2000 ACM, pp. 59-67.
Bhasker et al., "Employing User Feedback For Fast, Accurate Low-Maintenance Geolocationing", UCSD technical report #CS2003-0765, pp. 1-16.
Cook, Peter, "A Systems Approach to Base Stations", Oct. 19, 2000, Base Station Working group, Software Defined Radio Forum Contribution, 11 pages.

Primary Examiner: Harvey; Jack B.
Assistant Examiner: Nguyen; Hai V.
Attorney, Agent or Firm: Bloor; Stephen M., Morelli; Robert D.
Claims
1. A method for geolocating network equipment associated with a logical
network address on a communications network, comprising the steps
of: measuring a network latency from a plurality of network stations
to a plurality of network endpoints of known physical location by
pinging said network endpoints from said network stations multiple
times over a calibration period, determining round-trip propagation
times between each of said network stations and each of said network
endpoints over the calibration period from said pinging, and setting
the network latency for each combination of said network stations
and said network endpoints to the corresponding minimum round-trip
propagation time determined for each of said combination of said
network stations and said network endpoints; measuring the network
latency from each of said network stations to said network equipment
by pinging said network equipment from said network stations,
determining the minimum round-trip propagation time between each of
said network stations and said network equipment, and setting the
network latency between each of said network stations and said
network equipment to the corresponding minimum round-trip
propagation time determined; for each of said network endpoints
arranging the network latency from the network endpoint to each of
said network stations in turn, in a particular order, as vector
elements in an endpoint vector; arranging the network latency from
said network equipment to each of said network stations in turn, in
said particular order, as vector elements in a network equipment
vector; determining a distance between the network equipment vector
and each of the endpoint vectors; and identifying the physical
location of the network equipment as proximate to said known
physical location of the network endpoint corresponding to the
endpoint vector having said distance to the network equipment vector
not greater than the distance from any other of the endpoint vectors
to the target equipment vector.
2. A method for verifying that the geolocation of network equipment
associated with a logical network address on a communications
network is consistent with network equipments associated with vetted
geolocations, comprising the steps of: measuring a network latency
from a plurality of network stations to at least one piece of
network equipment associated with vetted geolocations by pinging
each of said network equipments associated with vetted geolocations
from said network stations multiple times over a calibration period,
determining round-trip propagation times between each of said
network stations and each of said network equipments associated with
vetted geolocations over the calibration period from said pinging,
and setting the network latency for each combination of said network
stations and said network equipments associated with vetted
geolocations to the corresponding minimum round-trip propagation
time determined for each of said combination of said network
stations and said network equipments associated with vetted
geolocations; measuring the network latency from each of said
network stations to said network equipment by pinging said network
equipment from said network stations, determining the minimum
round-trip propagation time between each of said network stations
and said network equipment, and setting the network latency between
each of said network stations and said network equipment to the
corresponding minimum round-trip propagation time determined; for
each of said network equipments associated with vetted geolocations
arranging the network latency from each of said network equipments
associated with vetted geolocations to each of said network stations
in turn, in a particular order, as vector elements in a vetted
equipment vector; arranging the network latency from said network
equipment to each of said network stations in turn, in said
particular order, as vector elements in a network equipment vector;
determining a distance between the network equipment vector and each
of the vetted equipment vectors; and determining if the physical
location of the network equipment is proximate to one of said
network equipments associated with vetted geolocations.
3. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 1,
further comprising the additional step of determining if said
distance to the network equipment vector not greater than the
distance from any other of the endpoint vectors to the target
equipment vector is within a user defined threshold.
4. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 3,
wherein said steps of: measuring a network latency from a plurality
of network stations to a plurality of network endpoints of known
physical location; measuring the network latency for each of said
network stations to said network equipment; for each of said network
endpoints arranging the network latency from the network endpoint to
each of said network stations in turn, in a particular order, as
vector elements in an endpoint vector; arranging the network latency
from said network equipment to each of said network stations in
turn, in said particular order, as vector elements in a network
equipment vector; and determining a distance between the network
equipment vector and each of the endpoint vectors; are repeated in
iteration using additional of said network endpoints until said
distance to the network equipment vector not greater than the
distance from any other of the endpoint vectors to the target
equipment vector is within said user defined threshold.
5. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 3,
wherein said steps of: measuring a network latency from a plurality
of network stations to a plurality of network endpoints of known
physical location; measuring the network latency for each of said
network stations to said network equipment; for each of said network
endpoints arranging the network latency from the network endpoint to
each of said network stations in turn, in a particular order, as
vector elements in an endpoint vector; arranging the network latency
from said network equipment to each of said network stations in
turn, in said particular order, as vector elements in a network
equipment vector; and determining a distance between the network
equipment vector and each of the endpoint vectors; are repeated in
iteration using a different set of said network endpoints until said
distance to the network equipment vector not greater than the
distance from any other of the endpoint vectors to the target
equipment vector is within said user defined threshold.
6. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 3,
wherein said steps of: measuring a network latency from a plurality
of network stations to a plurality of network endpoints of known
physical location; for each of said network endpoints arranging the
network latency from the network endpoint to each of said network
stations in turn, in a particular order, as vector elements in an
endpoint vector; arranging the network latency from said network
equipment to each of said network stations in turn, in said
particular order, as vector elements in a network equipment vector;
and determining a distance between the network equipment vector and
each of the endpoint vectors; are repeated in iteration until said
distance to the network equipment vector not greater than the
distance from any other of the endpoint vectors to the target
equipment vector is within said user defined threshold.
7. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 3,
wherein said steps of: measuring the network latency for each of
said network stations to said network equipment; arranging the
network latency from said network equipment to each of said network
stations in turn, in said particular order, as vector elements in a
network equipment vector; and determining a distance between the
network equipment vector and each of the endpoint vectors; are
repeated in iteration until said distance to the network equipment
vector not greater than the distance from any other of the endpoint
vectors to the target equipment vector is within said user defined
threshold.
8. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 1,
wherein said calibration period extends to all previous measuring of
said network latency.
9. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 1,
wherein said calibration period extends back only a user determined
amount of time.
10. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 1,
wherein said communications network is the Internet.
11. A method for geolocating network equipment associated with a logical
network address on a communications network as recited in claim 1,
wherein said steps of: measuring a network latency from a plurality
of network stations to a plurality of network endpoints of known
physical location; and for each of said network endpoints arranging
the network latency from the network endpoint to each of said
network stations in turn, in a particular order, as vector elements
in an endpoint vector; are performed based on particular sets of
user defined external factors and also further comprising the
additional step of saving said arranged endpoint vector.
Description
FIELD OF THE INVENTION
The present invention, a Method for
Geolocating Logical Network Addresses, relates to networked
communications, and more particularly to a method for determining or
verifying the physical location of a logical network address.
BACKGROUND OF THE INVENTION
As more of the nation's commerce and
communication have moved from traditional fixed-point services to
electronically switched networks the correlation between who you are
communicating or doing business with and where they are physically
located no longer exists. In the past, communication and commerce
took place between parties at known physical locations, whether
across a store counter or between post office addressees. Even
telephone numbers correlated, more or less, to a permanent fixed
location.
There are still many advantages to
knowing the physical location of a party one is dealing with across
electronically switched networks. For example, in the realm of
advertising, knowing the geographic distribution of sales or
inquiries can be used to measure the effectiveness of advertising
across geographic regions. As another example, logon IDs and
passwords can only go so far in providing security when a remote
user is logging into a system. If stolen, they can be easily used to
masquerade as valid users. But if an ability to check the location
were part of the security procedure, and the host machine knew the
physical location of the remote user, a stolen logon/password could
be noted or disabled if not used from or near the appropriate
location. Network operators could benefit from knowing the location
of a network logon to ensure that an account is being accessed from
a valid location and logons from unexpected locations could be
brought to the network operator's attention.
Methods of locating electronic emitters
to a point on the earth, or geolocating emitters, have been used for
many years. These methods include a range of techniques from
high-frequency direction finding triangulation techniques for
finding a ship in distress to quickly locating the origin of an
emergency "911" call on a point-to-point wireline
telephone system. These techniques can be entirely passive and
cooperative, such as when geolocating oneself using the Global
Positioning System, or active and uncooperative, such as a military
targeting radar tracking its target.
These geolocation techniques may be
targeted against a stationary or moving target but most of these
direction finding and geolocation techniques start with the
assumption they are working with signals in a linear medium. For
example, in radio triangulation, several stations each determine the
direction from which a common signal was intercepted. Because the
assumption can be made that the intercepted signal traveled in a
straight line, or at least on a known line of propagation, from the
transmitter to each station, lines of bearing can be drawn from each
station in the direction from which the signal was intercepted. The
point where they cross is the point at which the signal source is
assumed to be located.
In addition to the direction of the
signal, other linear characteristics can be used to geolocate
signals, including propagation time and Doppler shift, but the
underlying tenets that support these geolocation methodologies are
not applicable to a network environment. Network elements are not
connected via the shortest physical path between them, data
transiting the network is normally queued and later forwarded
depending on network loading causing the data to effectively
propagate at a non-constant speed, and switching elements within the
network can cause the data to propagate through non-constant
routing. Thus, traditional time-distance geolocation methodologies
are not effective in a network environment.
In his book "The Cuckoo's
Egg" (Doubleday 1989, Ch. 17), Clifford Stoll recounted his
difficulties in using simple echo timing on a network to determine
the distance from his computer to his nemesis, a computer hacker
attacking a University of California at Berkeley computer. Network
switching and queuing delays produced echo distance results several
orders of magnitude greater than the actual distance between the
computers.
In a fully meshed network, every
station, from which a geolocation is initiated, is directly
connected to every endpoint from which an "echo timing" is
measured. The accuracy of geolocation using round-trip echo
timing is dependent on: the degree to which the network is
interconnected or "meshed," the specific web of
connectivity between the stations and endpoints, the number and
deployment of stations, and the number and deployment of endpoints
chosen.
Fortunately many of the survivability
concerns for which the original ARPAnet was designed, and the
commercial forces which gave rise to the expansion of the follow-on
Internet and continue to fuel its growth, are also forces and
concerns which drive it not only to be more interconnected and
meshed but are also working to minimize the effects of latency due
to line speed, queue size, and switching speeds. As a result there
is a reasonable expectation that forces will continue to work toward
the development of a highly meshed Internet.
There are other methods for physically
locating a logical network address on the Internet that do not rely
on the physics of electronic propagation. One method currently in
use for determining the location of a network address relies on
network databases. This method of network geolocation looks up the
IP address of the host computer to be located, retrieves the
physical address of a point of contact for that logical network
address from the appropriate registry and then cross-references that
physical address to a latitude and longitude. An example of an
implementation of such a method can be found at the University of
Illinois web site: http://cello.cs.uiuc.edu/cgi-bin/slamm/ip2ll.
This implementation uses the Internic registry and the listed
technical point of contact to report the physical location of the
logical address.
There are a number of shortcomings to
this method. First, the level of resolution to which the address is
resolved is dependent on the level of resolution of the information
in the registry. Second, there is an assumption that the supplied
data in the registry correctly and properly identifies the physical
location of the logical network address. It is entirely possible the
host associated with the logical address is at a completely
different physical location than the physical address given for the
technical point of contact in the registry. Third, if the supplied
physical address given cannot be cross-referenced to a physical
location no geolocation is possible. Geolocation information is
often available from network databases but access to and the
veracity of this information is uncertain. An independent method is
needed to geolocate network addresses.
SUMMARY OF THE INVENTION
In consideration of the problems
detailed above and the discrepancies enumerated in the partial
solutions thereto, an object of the present invention is to provide
a method for determining the physical location of network hardware
using a logical network address on a non-linear electronically
switched network.
Another object of the present invention
is to provide a method for determining the physical location of
network hardware using a logical network address on a nonlinear
electronically switched network evolving in real-time.
Another object of the present invention
is to provide a method for determining the physical location of
network hardware using a logical network address on a non-linear
electronically switched dynamic network independent of databases of
network geolocation information.
Another object of the present invention
is to provide a method for determining the physical location of
network hardware using a logical network address on a non-linear
electronically switched dynamic network without reliance on
time-distance correlations.
In order to attain the objectives
described above, according to an aspect of the present invention,
there is provided a method for geolocating logical network
addresses.
This invention describes a methodology
for geolocation in a non-linear electronically switched dynamic
network environment. The instant invention uses the latency of
communications to and from an address to be located (ATBL) to
determine its location. In order to do this a network latency
topology map must first be created. The network latency topology is
mapped by measuring the round-trip latency between one or more
network stations of known location and many network endpoints, which
can themselves be network stations, of known location. Endpoints are
chosen to be points dispersed across the network within the area
where geolocations will be performed. Potential geolocation
resolution is enhanced with an increasing density of endpoints.
The next step is to measure network
latency between each station and each endpoint. Latency is the time
between when the station sends a message to an endpoint and when an
automatic immediate response is received at that station from the
endpoint addressed. Multiple latency measurements between each
station-endpoint pair are made. The smallest latency value from
these multiple measurements between a station-endpoint pair is the
empirically determined Tmin for that station-endpoint
pair.
Multiple stations determine their respective Tmin values to each
endpoint; collectively these are known as Tmins. The set of Tmins for
each endpoint, as measured from each station, defines an endpoint
vector specifying the location of that
endpoint in latency space relative to the stations. Additionally, a
set of Tmins is measured between each station and the
ATBL, defining an ATBL vector specifying the location of the ATBL in
latency space relative to the stations. Next, the distances between
the ATBL vector and each endpoint vector are calculated. The
smallest of these distances is identified. The ATBL is determined to
be most nearly co-located with the endpoint associated with this
smallest distance measurement.
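The procedure in the Summary above, and in claims 1 to 3, reduces to a nearest-neighbour search in latency space: take the minimum round-trip time per station as Tmin, arrange the Tmins in a fixed station order as a vector, and pick the known endpoint whose vector is closest to the target's. The following is an added worked example, not code from the patent or from the NSA. The station names, endpoint names and coordinates, and every ping sample are constructed; the Euclidean metric is an assumption, since the patent says only that "a distance" between vectors is determined; and the 5.0 ms threshold is an arbitrary value standing in for claim 3's user-defined threshold.

```python
"""Nearest-endpoint geolocation in latency space (constructed example)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A host whose physical location is known; it anchors latency space."""
    name: str
    lat: float
    lon: float


# Vector elements must be arranged in one fixed station order for every host.
STATIONS = ("S1", "S2", "S3")

# Constructed ping results, one (time_s, rtt_ms) pair per echo.  The spikes
# stand in for queueing delay; taking the minimum (Tmin) discards them.
CALIBRATION = {
    Endpoint("E-A", 38.9, -77.0): {
        "S1": [(100, 12.4), (160, 31.0), (220, 12.1), (280, 18.7)],
        "S2": [(100, 45.2), (160, 44.9), (220, 60.3)],
        "S3": [(100, 80.1), (160, 79.6), (220, 95.0)],
    },
    Endpoint("E-B", 40.7, -74.0): {
        "S1": [(100, 40.3), (160, 39.8), (220, 55.1)],
        "S2": [(100, 10.2), (160, 25.9), (220, 10.5)],
        "S3": [(100, 52.0), (160, 51.4), (220, 70.2)],
    },
    Endpoint("E-C", 42.4, -71.1): {
        "S1": [(100, 78.9), (160, 78.2), (220, 101.4)],
        "S2": [(100, 50.6), (160, 50.1), (220, 66.0)],
        "S3": [(100, 9.8), (160, 9.5), (220, 22.3)],
    },
    Endpoint("E-D", 39.3, -76.6): {
        "S1": [(100, 25.0), (160, 24.6), (220, 33.1)],
        "S2": [(100, 24.9), (160, 24.2), (220, 40.0)],
        "S3": [(100, 60.5), (160, 59.9), (220, 72.8)],
    },
}

# Two addresses to be located (ATBLs), pinged from the same three stations.
TARGET_NEAR_A = {   # constructed so it lands close to E-A in latency space
    "S1": [(300, 13.0), (360, 12.6), (420, 29.4)],
    "S2": [(300, 46.1), (360, 45.5), (420, 58.8)],
    "S3": [(300, 81.0), (360, 80.3), (420, 97.7)],
}
TARGET_UNMAPPED = {  # constructed to sit between endpoints: no close match
    "S1": [(300, 30.0), (360, 42.2)],
    "S2": [(300, 30.0), (360, 30.9)],
    "S3": [(300, 45.0), (360, 61.3)],
}


def t_min(samples, since=None):
    """Empirical Tmin: the smallest RTT within the calibration window.

    since=None uses every sample ever taken (claim 8); a timestamp keeps
    only samples at or after it (claim 9's user-determined look-back).
    """
    rtts = [rtt for t, rtt in samples if since is None or t >= since]
    if not rtts:
        raise ValueError("no samples inside the calibration window")
    return min(rtts)


def latency_vector(samples_by_station, since=None):
    """Arrange Tmin per station, in STATIONS order, as a point in latency space."""
    return tuple(t_min(samples_by_station[s], since) for s in STATIONS)


def distance(u, v):
    """Euclidean distance between two latency-space vectors (assumed metric, ms)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def geolocate(target_samples, calibration, threshold=None, since=None):
    """Nearest endpoint to the target in latency space, as (Endpoint, distance).

    With a threshold (claim 3), a best match farther than that returns None:
    the result is inconclusive and more or different endpoints are needed.
    """
    target = latency_vector(target_samples, since)
    dist, nearest = min(
        ((distance(target, latency_vector(v, since)), ep) for ep, v in calibration.items()),
        key=lambda pair: pair[0],
    )
    if threshold is not None and dist > threshold:
        return None
    return nearest, dist


def consistent_with_vetted(target_samples, vetted, threshold, since=None):
    """Claim 2: is the target proximate to any host with a vetted location?"""
    return geolocate(target_samples, vetted, threshold, since) is not None


if __name__ == "__main__":
    for label, target in (("near A", TARGET_NEAR_A), ("unmapped", TARGET_UNMAPPED)):
        print(label, latency_vector(target), geolocate(target, CALIBRATION, threshold=5.0))
```

Two points the code makes concrete. First, the distance is measured in milliseconds of latency, not kilometres, so the threshold is a latency tolerance and the geographic resolution is only ever as fine as the endpoint set is dense; the unmapped target is rejected under the threshold precisely because no endpoint was calibrated near it, which is the situation claims 4 to 6 address by iterating with additional or different endpoints. Second, it is the minimum over repeated samples, not the mean, that strips out the switching and queueing delay described in the Stoll anecdote; a single echo, as in that account, would put the target several vector-lengths away from its true neighbour.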
Today in DC: Commandos in the Streets?
Washington Post
William M. Arkin
September 23, 2005

Today, somewhere in the DC metropolitan area, the military is conducting a highly classified Granite Shadow "demonstration."

Granite Shadow is yet another new Top Secret and compartmented operation related to the military's extra-legal powers regarding weapons of mass destruction. It allows for emergency military operations in the United States without civilian supervision or control.

A spokesman at the Joint Force Headquarters-National Capital Region (JFHQ-NCR) confirmed the existence of Granite Shadow to me yesterday, but all he would say is that Granite Shadow is the unclassified name for a classified plan.

That classified plan, I believe, after extensive research and after making a couple of assumptions, is CONPLAN 0400, formally titled Counter-Proliferation of Weapons of Mass Destruction.

Concept Plan (CONPLAN) 0400 is a long-standing contingency plan of the Chairman of the Joint Chiefs of Staff (CJCS) that serves as the umbrella for military efforts to counter the spread of weapons of mass destruction. It has been extensively updated and revised since 9/11.

The CJCS plan lays out national policy and priorities for dealing with WMD threats in peacetime and crisis -- from far away offensive strikes and special operations against foreign WMD infrastructure and capabilities, to missile defenses and "consequence management" at home if offensive efforts fail.

All of the military planning incorporates the technical capabilities of the intelligence agencies and non-military organizations such as the national laboratories of the Department of Energy.

And finally, CONPLAN 0400 directs regional combatant commanders to customize counter-proliferation plans for each of their own areas of operations.

When that "area of operations" is the United States, things become particularly sensitive.

That's where Granite Shadow comes in.

U.S. Northern Command (NORTHCOM), the military's new homeland security command, is preparing its draft version of CONPLAN 0400 for military operations in the United States, and the resulting Granite Shadow plan has been classified above Top Secret by adding a Special Category (SPECAT) compartment restricting access.

The sensitivities, according to military sources, include deployment of "special mission units" (the so-called Delta Force, SEAL teams, Rangers, and other special units of Joint Special Operations Command) in Washington, DC and other domestic hot spots.

NORTHCOM has worked closely with U.S. Special Operations Command (SOCOM), as well as the secret branches of non-military agencies and departments to enforce "unity of command" over any post 9/11 efforts.

Further, Granite Shadow posits domestic military operations, including
- intelligence collection and surveillance,
- unique rules of engagement regarding the use of lethal force,
- the use of experimental non-lethal weapons, and
- federal and military control of incident locations that are highly controversial and might border on the illegal.

Granite Shadow is the twin to Power Geyser, a program I first revealed to The New York Times in January.

The JFHQ spokesman confirms that Granite Shadow and Power Geyser are two different unclassified names for two different classified plans.

In the case of Power Geyser, the classified plan is CJCS CONPLAN 0300, whose entire title is classified.

According to the military documents, the unclassified title is "Counter-Terrorism Special Operations Support to Civil Agencies in the event of a domestic incident."

It is another Top Secret/SPECAT plan directing the same special mission units to provide weapons of mass destruction recovery and "render safe" in either a terrorist incident or in the case of a stolen (or lost) nuclear weapon.

Render safe refers to the ability of explosive ordnance disposal experts to isolate and disarm any type of biological, chemical, nuclear or radiological weapon.

The obvious question is why there is a need for two plans.

My guess is that Power Geyser and CONPLAN 0300 refer to operations in support of a civil agency "lead" (most likely the Attorney General for a WMD attack) while Granite Shadow and CONPLAN 0400 lay out contingencies where the military is in the lead.

I'll wait to be corrected by someone in the know. Both plans seem to live behind a veil of extraordinary secrecy because military forces operating under them have already been given a series of "special authorities" by the President and the secretary of defense.

These special authorities include, presumably, military roles in civilian law enforcement and abrogation of State's powers in a declared or perceived emergency.

In January, when The New York Times reported on the Power Geyser name from my Code Names website, the Pentagon argued that "It would be irresponsible … to comment on any classified program that may or may not exist."

I can't see how the Defense Department can continue this line of argument post-Katrina. We see the human cost of a system of contingency planning done in complete secret, with a lack of any debate as to what should be the federal government's priorities, emphasis, and rules.

As the Granite Shadow commandos and their federal brethren go through their paces today, some inside the system will lament that I have "compromised" their work.

But the very fact that nothing in my writing damages the Granite Shadow effort should demonstrate that we can have a discussion of contingency planning priorities in the United States, and debate extraordinary special authorities granted to those in uniform, without compromising the details of the plans themselves.

There's still time. The full-scale exercise of Granite Shadow's capabilities and procedures doesn't start until April 2006.

A note to readers: Today begins a weekly feature of Early Warning, namely code name of the week. This will endeavor to discuss some secret program of the government, sometimes with an argument that the secrecy is excessive, sometimes with far more questions than answers.