System and method for evaluating network threats and usage
First Claim
1. A system for detecting computer network threats, the system comprising one or more computer hardware processors that execute specific code instructions to cause the system to at least:
  receive a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on:
    a recency of historical activity associated with the network address, wherein the recency is determined by the system based at least in part on:
      a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following:
        an amount of time between an occurrence of the network address and a current time, or an amount of time between a first occurrence of the network address and a second occurrence of the network address; and
    a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  in response to determining the threat indicator, initiate an action based at least in part on the threat indicator to perform one or more of:
    blocking the network address, allowing the network address, or modifying a network address list.
Abstract
Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.
19 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method comprising:
  receiving, at a computing device, a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  determining a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on:
    a recency of activity of the network address based on historic activity associated with the network address, wherein the recency is determined by the system based at least in part on:
      a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following:
        an amount of time between an occurrence of the network address and a current time, or an amount of time between a first occurrence of the network address and a second occurrence of the network address; and
    a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  in response to determining the threat indicator, initiate an action based at least in part on the threat indicator to perform one or more of:
    blocking the network address, allowing the network address, or modifying a network address list.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by one or more processors, cause the processors to:
  receive a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on:
    a recency of activity of the network address based on historic activity associated with the network address, wherein the recency is determined by the system based at least in part on:
      a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following:
        an amount of time between an occurrence of the network address and a current time, or an amount of time between a first occurrence of the network address and a second occurrence of the network address; and
    a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  in response to determining the threat indicator, initiate an action based at least in part on the determined threat indicator to perform one or more of:
    blocking the network address, allowing the network address, or modifying a network address list.
Dependent claims: 18, 19.
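The following is an added illustration of the scoring scheme the abstract and claims describe (occurrence count, recency of each occurrence, a per-source reliability factor derived from the source's track record, and a block/allow/watch-list decision). It is not the patent's own code: the half-life decay, the bonus for a second occurrence within a short interval, the thresholds and the two feeds are all assumptions, and the sightings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Sighting:
    """One occurrence of an address in a network alert dataset."""
    address: str
    source: str
    seen_at: datetime

def source_reliability(history):
    """Reliability per feed = reports later confirmed as threats / total reports (its track record)."""
    return {src: (ok / n if n else 0.0) for src, (ok, n) in history.items()}

def recency_weight(seen_at, now, half_life_days=30.0):
    """Assumed model: weight halves every half_life_days between the occurrence and now."""
    age_days = max((now - seen_at).total_seconds(), 0.0) / 86400.0
    return 0.5 ** (age_days / half_life_days)

def threat_score(address, sightings, now, reliability, persistence_days=7.0, persistence_bonus=1.5):
    """Sum recency weight x source reliability over the address's occurrences (more hits raise it).
    If the first and second occurrences fall within persistence_days, apply an assumed bonus."""
    hits = sorted((s for s in sightings if s.address == address), key=lambda s: s.seen_at)
    score = sum(recency_weight(s.seen_at, now) * reliability.get(s.source, 0.0) for s in hits)
    if len(hits) >= 2 and hits[1].seen_at - hits[0].seen_at <= timedelta(days=persistence_days):
        score *= persistence_bonus
    return score

def decide(score, block_at=1.0, watch_at=0.3):
    """Map the score to an action: block, add to a watch list (modify list), or allow."""
    if score >= block_at:
        return "block"
    if score >= watch_at:
        return "modify_list"
    return "allow"

# Constructed sample data: RFC 5737 documentation addresses and two hypothetical feeds.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
HISTORY = {"feed_a": (9, 10), "feed_b": (4, 10)}   # (confirmed, reported) per feed
SIGHTINGS = [
    Sighting("203.0.113.7", "feed_a", NOW),                          # fresh, reliable feed
    Sighting("203.0.113.7", "feed_b", NOW - timedelta(days=30)),     # one half-life old
    Sighting("198.51.100.9", "feed_b", NOW - timedelta(days=60)),    # stale, weak feed
    Sighting("192.0.2.5", "feed_b", NOW - timedelta(days=3)),        # two hits 2 days apart
    Sighting("192.0.2.5", "feed_b", NOW - timedelta(days=1)),
]

def evaluate(address, sightings=SIGHTINGS, now=NOW, history=HISTORY):
    """Return (score, action) for an address requesting access to the protected server."""
    score = threat_score(address, sightings, now, source_reliability(history))
    return score, decide(score)

if __name__ == "__main__":
    for addr in ("203.0.113.7", "198.51.100.9", "192.0.2.5", "192.0.2.250"):
        print(addr, *evaluate(addr))
```

Setting `persistence_days=0` on the third address drops it from "block" to "modify_list", which shows how the first-to-second-occurrence interval changes the outcome independently of the per-occurrence recency.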