Determining a reputation of a network entity
Abstract
An example method can include monitoring a network to identify flows between nodes in the network. Once flows have been identified, the flows can be tagged and labelled according to the type of traffic they represent. If a flow represents malicious or otherwise undesirable traffic, it can be tagged accordingly. A request can then be made for a reputation score of an entity which can identify one or more nodes of the network.
18 Claims
1. A computer-implemented method, comprising:

monitoring, by a network traffic monitoring system, network traffic data for a plurality of nodes of a network;
analyzing, by the network traffic monitoring system, the network traffic data to classify a type of traffic for each flow of a plurality of flows;
receiving, to the network traffic monitoring system from a requestor, a request for a reputation score associated with one or more nodes of the network;
identifying, by the network traffic monitoring system, the type of traffic for one or more flows associated with the one or more nodes, each identified flow defining an event;
determining, by the network monitoring system, the reputation score associated with the one or more nodes based on the type of traffic for the one or more flows associated with the one or more nodes; and
sending, by the network traffic monitoring system, the reputation score to the requestor; and
blocking a node of the one or more nodes from sending traffic in response to the reputation score for that node being below a predetermined threshold;
wherein the reputation score is calculated by;

$$\text{Reputation Score} = \sum_{i=1}^{n} \text{Value}_i + \left(\text{Recovery}_i * [\text{Time}_{\text{current}} - \text{Time}_i]\right)$$

where;
$n$ is the number of events identified during the identifying;
$\text{Value}_i$ is an initial relative impact of the type of traffic of an ith event on the reputation score, where $\text{Value}_i$ is different for at least two different values of $i$;
$\text{Recovery}_i$ is a constant for the type of traffic of the ith event, wherein the Recovery for at least one event is non-zero, and the recovery for at least one other event is zero;
$\text{Time}_{\text{current}}$ is a time value based on a current time;
$\text{Time}_i$ is a time value based on a time of the ith event.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A non-transitory computer-readable medium having computer readable instructions that, when executed by a processor of a computer, cause the computer to:

monitor, by a network traffic monitoring system, network traffic data for a plurality of nodes of a network;
analyze, by the network traffic monitoring system, the network traffic data to classify a type of traffic for each flow of a plurality of flows;
receive, to the network traffic monitoring system from a requestor, a request for a reputation score associated with one or more nodes of the network;
identify, by the network traffic monitoring system, the type of traffic for one or more flows associated with the one or more nodes, each identified flow defining an event;
determine, by the network monitoring system, the reputation score associated with the one or more nodes based on the type of traffic for the one or more flows associated with the one or more nodes;
send, by the network traffic monitoring system, the reputation score to the requestor; and
block a node of the one or more nodes from sending traffic in response to the reputation score for that node being below a predetermined threshold;
wherein the reputation score is calculated by;

$$\text{Reputation Score} = \sum_{i=1}^{n} \text{Value}_i + \left(\text{Recovery}_i * [\text{Time}_{\text{current}} - \text{Time}_i]\right)$$

where;
$n$ is the number of events identified during the identifying;
$\text{Value}_i$ is an initial relative impact of the type of traffic of an ith event on the reputation score, where $\text{Value}_i$ is different for at least two different values of $i$;
$\text{Recovery}_i$ is a constant for the type of traffic of the ith event, wherein the Recovery for at least one event is non-zero, and the recovery for at least one other event is zero;
$\text{Time}_{\text{current}}$ is a time value based on a current time;
$\text{Time}_i$ is a time value based on a time of the ith event.

Dependent claims: 10, 11, 12, 13

14. A system comprising:

a processor;
memory including instructions that when executed by the processor, cause the system to;
monitor, by a network traffic monitoring system, network traffic data for a plurality of nodes of a network;
analyze, by the network traffic monitoring system, the network traffic data to classify a type of traffic for each flow of a plurality of flows;
receive, to the network traffic monitoring system from a requestor, a request for a reputation score associated with one or more nodes of the network;
identify, by the network traffic monitoring system, the type of traffic for one or more flows associated with the one or more nodes, each identified flow defining an event;
determine, by the network monitoring system, the reputation score associated with the one or more nodes based on the type of traffic for the one or more flows associated with the one or more nodes;
send, by the network traffic monitoring system, the reputation score to the requestor; and
block a node of the one or more nodes from sending traffic in response to the reputation score for that node being below a predetermined threshold;
wherein the reputation score is calculated by;

$$\text{Reputation Score} = \sum_{i=1}^{n} \text{Value}_i + \left(\text{Recovery}_i * [\text{Time}_{\text{current}} - \text{Time}_i]\right)$$

where;
$n$ is the number of events identified during the identifying;
$\text{Value}_i$ is an initial relative impact of the type of traffic of an ith event on the reputation score, where $\text{Value}_i$ is different for at least two different values of $i$;
$\text{Recovery}_i$ is a constant for the type of traffic of the ith event, wherein the Recovery for at least one event is non-zero, and the recovery for at least one other event is zero;
$\text{Time}_{\text{current}}$ is a time value based on a current time;
$\text{Time}_i$ is a time value based on a time of the ith event.

Dependent claims: 15, 16, 17, 18

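An added worked example, not part of the patent text: the claimed sum evaluated in Python over constructed events, with the blocking check applied to the result. The traffic-type names, the Value/Recovery numbers, the hour time unit, the threshold and the `capped_score` variant are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed parameters per traffic type (not from the patent): (Value, Recovery per hour).
# Negative Value lowers the score; Recovery 0.0 means the penalty never decays.
TRAFFIC_TYPES = {
    "port_scan": (-20.0, 2.0),
    "spam": (-10.0, 1.0),
    "c2_beacon": (-50.0, 0.0),
}
BLOCK_THRESHOLD = -25.0  # assumed "predetermined threshold"


@dataclass(frozen=True)
class Event:
    node: str
    traffic_type: str
    time: float  # hours since monitoring started (assumed unit)


def _terms(events, node, now):
    """Yield Value_i + Recovery_i * (Time_current - Time_i) for each event of a node."""
    for e in events:
        if e.node == node and e.time <= now:
            value, recovery = TRAFFIC_TYPES[e.traffic_type]
            yield value + recovery * (now - e.time)


def reputation_score(events, node, now):
    """Literal sum from the claim; a recovering term keeps growing past zero."""
    return sum(_terms(events, node, now))


def capped_score(events, node, now):
    """Assumed variant: each term recovers to at most 0, so old events earn no credit."""
    return sum(min(0.0, t) for t in _terms(events, node, now))


def is_blocked(score, threshold=BLOCK_THRESHOLD):
    return score < threshold


# Constructed sample events (documentation address range).
EVENTS = [
    Event("192.0.2.5", "port_scan", 0.0),
    Event("192.0.2.5", "spam", 2.0),
    Event("192.0.2.9", "c2_beacon", 0.0),
]

if __name__ == "__main__":
    for now in (2.0, 3.0, 20.0):
        for node in ("192.0.2.5", "192.0.2.9"):
            s = reputation_score(EVENTS, node, now)
            print(now, node, s, capped_score(EVENTS, node, now), is_blocked(s))
```

With these numbers the first node is blocked at hour 2 and released at hour 3 as its terms recover, while the zero-recovery event keeps the second node below the threshold indefinitely; by hour 20 the literal formula gives the first node a positive score, which the capped variant holds at zero.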
Specification