Structuring data and pre-compiled exception list engines and internet protocol threat prevention
6 Assignments
0 Petitions
Abstract
Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, traffic from IP addresses posing unacceptable levels of risk is blocked. A computer executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. A network appliance incorporating aspects of the method is also disclosed.
97 Citations
17 Claims
1. A computer network firewall system comprising:
at least one tangible, non-transitory computer-readable medium storing processor-executable instructions;
a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor, configure the firewall system to:
acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding a threshold level;
determine a risk category value associated with the IP address as a function of:
the risk confidence level stored on the computer-readable medium, and timing information stored on the computer-readable medium, the timing information comprising:
a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level; and
block computer network communications with a computing device associated with the IP address when the risk category value is greater than or equal to a risk category acceptance level.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer network firewall system comprising:
at least one tangible, non-transitory computer-readable medium storing processor-executable instructions;
a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor, configure the firewall system to:
acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of source characteristics and destination characteristics associated with the IP address;
determine a risk category value associated with the IP address as a function of:
the risk confidence level stored on the computer-readable medium, and timing information stored on the computer-readable medium, the timing information comprising:
a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;
adjust the risk category value associated with the IP address as a function of a source/destination weighting factor corresponding to the source characteristics and the destination characteristics; and
block computer network communications with a computing device associated with the IP address when the risk category value is greater than or equal to a risk category acceptance level.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system for protecting a network from a security threat in real-time, the system comprising:
a memory storing a plurality of Internet Protocol (IP) addresses, timing information associated with each of the plurality of IP addresses, a risk category associated with each of the plurality of IP addresses, a risk confidence level associated with each of the plurality of IP addresses, and a plurality of threat information, the threat information including a determination of source characteristics and destination characteristics associated with each of the plurality of IP addresses;
a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses on a display, and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories;
a non-transitory computer-readable storage medium having stored thereon computer processor-executable instructions;
a threat processor executing the computer-executable instructions, said instructions comprising:
receiving a plurality of IP addresses associated with a particular risk category from one or more internet risk intelligence providers;
when the one or more received IP addresses are associated with more than one risk category, assigning a source/destination weighting factor for each risk category based on the source characteristics and the destination characteristics associated with the received IP addresses associated therewith;
adjusting a confidence level for each of the received IP addresses based on the source/destination weighting factor for each risk category;
determining an aggregate risk score for all the IP addresses based on the adjusted confidence levels;
storing the aggregate risk score in a memory device;
receiving an acceptable risk level for each category from the user, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptable risk level during a time interval based on the timing information associated therewith;
comparing the stored aggregate risk score with the received acceptable risk level from the user; and
allowing communications from any IP addresses having an acceptable risk level to pass through the network's firewall.
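Added illustration of the claimed decision logic, not code from the patent or its assignee: a threat list fed from an IRIP-style source keeps, per IP, the count of confidence exceedances within a first time interval and the elapsed time since the last one, folds both into a risk category value, applies the source/destination weighting factor of claim 9, and blocks when the value reaches the user-tailored acceptance level (claim 1). The 600 s window, the combining formula and the weighting values are assumptions made for the example; the feed entries are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed "first time interval" (seconds) over which exceedances are counted.
WINDOW = 600.0


@dataclass
class ThreatEntry:
    ip: str
    category: str           # risk category reported by the IRIP feed
    confidence: float       # risk confidence level, 0.0 .. 1.0
    # Timestamps at which confidence exceeded the category acceptance level.
    exceed_times: deque = field(default_factory=deque)


class ThreatFirewall:
    def __init__(self, acceptance: dict, sd_weights: dict):
        self.acceptance = acceptance    # user-tailored acceptance level per category
        self.sd_weights = sd_weights    # weighting factor per source/destination pairing
        self.entries = {}

    def ingest(self, entry: ThreatEntry, now: float) -> None:
        """Store feed data for the IP and update its timing information."""
        stored = self.entries.setdefault(entry.ip, entry)
        stored.confidence = entry.confidence
        if entry.confidence > self.acceptance[entry.category]:
            stored.exceed_times.append(now)
        while stored.exceed_times and now - stored.exceed_times[0] > WINDOW:
            stored.exceed_times.popleft()     # keep only the first time interval

    def timing_info(self, ip: str, now: float):
        """(instances within WINDOW, seconds elapsed since the last exceedance)."""
        times = self.entries[ip].exceed_times
        return len(times), (now - times[-1] if times else WINDOW)

    def risk_value(self, ip: str, now: float, pairing: str) -> float:
        """Assumed combination: repeats raise the value, staleness lowers it."""
        e = self.entries[ip]
        count, elapsed = self.timing_info(ip, now)
        recency = max(0.0, 1.0 - elapsed / WINDOW)      # 1.0 = just exceeded, 0.0 = stale
        value = e.confidence * (1.0 + 0.25 * count) * (0.5 + 0.5 * recency)
        return min(1.0, value * self.sd_weights.get(pairing, 1.0))

    def should_block(self, ip: str, now: float, pairing: str = "inbound") -> bool:
        """Claim 1 decision; an IP absent from the threat list is allowed."""
        if ip not in self.entries:
            return False
        return self.risk_value(ip, now, pairing) >= self.acceptance[self.entries[ip].category]
```

Note that an IP never reported by any provider is allowed outright, so the list is only as good as the feeds and the window chosen for pruning old exceedances.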
Specification