Structuring data and pre-compiled exception list engines and internet protocol threat prevention

US 10,135,857 B2
Filed: 01/03/2018
Issued: 11/20/2018
Est. Priority Date: 04/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer network firewall system comprising:

at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;

a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor, configure the firewall system to;

acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;

store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding a threshold level;

determine a risk category value associated with the IP address as a function of;

the risk confidence level stored on the computer-readable medium, andtiming information stored on the computer-readable medium, the timing information comprising;

a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level; and

block computer network communications with a computing device associated with the IP address when the risk category value is greater than or equal to a risk category acceptance level.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, traffic from IP addresses posing unacceptable levels of risk is blocked. A computer executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. A network appliance incorporating aspects of the method is also disclosed.

97 Citations

17 Claims

1. A computer network firewall system comprising:
- at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;
  
  a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor, configure the firewall system to;
  
  acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
  
  store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding a threshold level;
  
  determine a risk category value associated with the IP address as a function of;
  
  the risk confidence level stored on the computer-readable medium, andtiming information stored on the computer-readable medium, the timing information comprising;
  
  a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level; and
  
  block computer network communications with a computing device associated with the IP address when the risk category value is greater than or equal to a risk category acceptance level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer network firewall system of claim 1, wherein the timing information is based on a timestamp corresponding to the acquisition of the plurality of threat information on the computer-readable medium.
  - 3. The computer network firewall system of claim 1, wherein the instructions, when executed by the processor, further configure the firewall system to:
    - receive the risk category acceptance level from a user via a graphical user interface;
      
      compare the risk category value to the risk category acceptance level; and
      
      allow communications with the computing device associated with the IP address when the risk category value is less than the risk category acceptance level.
  - 4. The computer network firewall system of claim 1, wherein the threat information further includes a determination of whether the IP address is acquired from more than one IRIP and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a multiple IRIP weighting factor when the IP address is acquired from more than one IRIP, the multiple IRIP weighting factor increasing the risk category value.
  - 5. The computer network firewall system of claim 1, wherein the threat information further includes a determination of whether the IP address is associated with more than one risk category and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a multiple category weighting factor when the IP address is associated with more than one risk category, the multiple category weighting factor increasing the risk category value.
  - 6. The computer network firewall system of claim 1, wherein the threat information further includes a determination of source characteristics and destination characteristics associated with the IP address and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a source/destination weighting factor corresponding to the source characteristics and the destination characteristics.
  - 7. The computer network firewall system of claim 6, wherein the source characteristics and the destination characteristics comprise at least one of:
    - a geographic area, a country, a business sector, an industrial sector, and a political region.
  - 8. The computer network firewall system of claim 1, wherein the threat information further includes a determination of Internet Service Provider (ISP) characteristics associated with the IP address and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of an ISP weighting factor corresponding to the ISP characteristics, the ISP weighting factor increasing the risk category value.

9. A computer network firewall system comprising:
- at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;
  
  a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor, configure the firewall system to;
  
  acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
  
  store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of source characteristics and destination characteristics associated with the IP address;
  
  determine a risk category value associated with the IP address as a function of;
  
  the risk confidence level stored on the computer-readable medium, andtiming information stored on the computer-readable medium, the timing information comprising;
  
  a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;
  
  adjust the risk category value associated with the IP address as a function of a source/destination weighting factor corresponding to the source characteristics and the destination characteristics; and
  
  block computer network communications with a computing device associated with the IP address when the risk category value is greater than or equal to a risk category acceptance level.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer network firewall system of claim 9, wherein the timing information is based on a timestamp corresponding to the acquisition of the plurality of threat information on the computer-readable medium.
  - 11. The computer network firewall system of claim 9, wherein the instructions, when executed by the processor, further configure the firewall system to:
    - receive the risk category acceptance level from a user via a graphical user interface;
      
      compare the risk category value to the risk category acceptance level; and
      
      allow communications with the computing device associated with the IP address when the risk category value is less than the risk category acceptance level.
  - 12. The computer network firewall system of claim 9, wherein the threat information further includes a determination of whether the IP address is acquired from more than one IRIP and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a multiple IRIP weighting factor when the IP address is acquired from more than one IRIP, the multiple IRIP weighting factor increasing the risk category value.
  - 13. The computer network firewall system of claim 9, wherein the threat information further includes a determination of whether the IP address is associated with more than one risk category and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a multiple category weighting factor when the IP address is associated with more than one risk category, the multiple category weighting factor increasing the risk category value.
  - 14. The computer network firewall system of claim 9, wherein the source characteristics and the destination characteristics comprise at least one of:
    - a geographic area, a country, a business sector, an industrial sector, and a political region.
  - 15. The computer network firewall system of claim 9, wherein the threat information further includes a determination of Internet Service Provider (ISP) characteristics associated with the IP address and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of an ISP weighting factor corresponding to the ISP characteristics, the ISP weighting factor increasing the risk category value.
  - 16. The computer network firewall system of claim 9, wherein the threat information further includes a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding the threshold level and wherein the instructions, when executed by the processor, further configure the firewall system to adjust the risk category value associated with the IP address as a function of a geographic weighting factor corresponding to the geographic proximity characteristics associated with the IP address, the geographic weighting factor increasing the risk value.

17. A system for protecting a network from a security threat in real-time, the system comprising:
- a memory storing a plurality of Internet Protocol (IP) addresses, timing information associated with each of the plurality of IP addresses, a risk category associated with each of the plurality of IP addresses, a risk confidence level associated with each of the plurality of IP addresses, and a plurality of threat information, the threat information including a determination of source characteristics and destination characteristics associated with each of the plurality of IP addresses;
  
  a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses on a display, and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories;
  
  a non-transitory computer-readable storage medium having stored thereon computer processor-executable instructions;
  
  a threat processor executing the computer-executable instructions, said instructions comprising;
  
  receiving a plurality of IP addresses associated with a particular risk category from one or more internet risk intelligence providers;
  
  when the one or more received IP addresses are associated with more than one risk category, assigning a source/destination weighting factor for each risk category based on the source characteristics and the destination characteristics associated with the received IP addresses associated therewith;
  
  adjusting a confidence level for each of the received IP addresses based on the source/destination weighting factor for each risk category;
  
  determining an aggregate risk score for all the IP addresses based on the adjusted confidence levels;
  
  storing the aggregate risk score in a memory device;
  
  receiving an acceptable risk level for each category from the user, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptable risk level during a time interval based on the timing information associated therewith;
  
  comparing the stored aggregate risk score with the received acceptable risk level from the user; and
  
  allowing communications from any IP addresses having an acceptable risk level to pass through the network'"'"'s firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threater Incorporated
Original Assignee
Bandura, LLC
Inventors
Maestas, David E.
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/861,367
Publication Number

US 20180131714A1
Time in Patent Office

321 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2119   Authenticating web pages, e...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Structuring data and pre-compiled exception list engines and internet protocol threat prevention

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Structuring data and pre-compiled exception list engines and internet protocol threat prevention

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links