PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION
2 Assignments
0 Petitions
Abstract
A method is provided for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time. The method comprises: generating a first forecast from a time series model based on past history of attacks by the attacker system; generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems; generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.
49 Citations
20 Claims
1. A method for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time, comprising:
- generating a first forecast from a time series model based on past history of attacks by the attacker system;
- generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems;
- generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and
- determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system comprising:
- a processor; and
- a computer program that executes on the processor to:
- generate a first forecast from a victim neighborhood model based on similarity between a victim system and peer victim systems;
- associate a first weight with the first forecast that correlates with the similarity between the victim system and peer victim systems;
- generate a second forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system;
- associate a second weight with the second forecast that correlates with a density of the group of attacker systems including the attacker system and the group of victim systems including the victim system; and
- determine a rating of a likelihood of the victim system receiving malicious traffic from the attacker system at a point in time based on the first forecast weighed with the first weight and the second forecast weighed with the second weight.
Dependent claims: 12, 13, 14, 15.

16. A computer readable storage medium having instructions stored thereon that when executed by a processor cause a system to:
- generate a first forecast from an Exponential Weighted Moving Average model that determines a likelihood of future attacks by an attacking system on a victim system based on past likelihoods of attacks of the victim system by the attacking system that are weighed with exponentially decreasing weights towards older values;
- generate a second forecast from a neighborhood model based on correlation between the victim system, attacker systems, and peer victim systems; and
- determine a rating of a likelihood of the victim system receiving malicious traffic from the attacker system at a point in time based on the first forecast and the second forecast.
Dependent claims: 17, 18, 19, 20.
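The three independent claims above describe the same pipeline from three angles: an EWMA time-series forecast per (victim, attacker) pair (claim 16), a victim-neighborhood forecast weighted by peer similarity and a joint attacker-victim neighborhood forecast weighted by group density (claim 11), and a final rating that combines the forecasts (claim 1). The following is an added worked example written for this page; it is not code from the patent or its assignee. Everything concrete in it is an assumption made for illustration: the constructed three-day attack history, cosine similarity over flow-count profiles, k-nearest-neighbor grouping in place of whatever clustering the specification uses, the choice of "share of the group block attacked on the latest day" as the joint forecast, and the fixed unit weight on the time-series forecast.

```python
"""Worked example of the three-forecast predictive blacklisting rating.

Added illustration, not the patent's own code. The attack history and the
concrete similarity, density and weighting formulas are assumptions.
"""
from __future__ import annotations
import math

# Constructed sample history (assumption): HISTORY[day][victim][attacker] is the
# number of malicious flows the victim reported from that attacker on that day.
HISTORY = [
    [[2, 0, 1], [1, 0, 0], [0, 3, 0], [0, 2, 0]],   # day 0 (oldest)
    [[3, 0, 0], [2, 0, 1], [0, 2, 0], [0, 1, 0]],   # day 1
    [[1, 0, 0], [1, 0, 0], [0, 4, 0], [0, 3, 0]],   # day 2 (most recent)
]
N_VICTIMS = len(HISTORY[0])
N_ATTACKERS = len(HISTORY[0][0])


def attacked(day: int, victim: int, attacker: int) -> int:
    """1 if the attacker hit the victim on that day, else 0."""
    return 1 if HISTORY[day][victim][attacker] > 0 else 0


def ewma_forecast(victim: int, attacker: int, alpha: float = 0.5) -> float:
    """Time-series forecast (claim 16): exponentially weighted moving average of
    the daily attacked indicator; older days receive exponentially less weight."""
    rate = float(attacked(0, victim, attacker))
    for day in range(1, len(HISTORY)):
        rate = alpha * attacked(day, victim, attacker) + (1 - alpha) * rate
    return rate


def cosine(u: list[float], v: list[float]) -> float:
    """Cosine similarity; 0 when either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def victim_profile(victim: int) -> list[float]:
    """Per-attacker flow totals over the window: the victim's profile vector."""
    return [sum(HISTORY[d][victim][a] for d in range(len(HISTORY))) for a in range(N_ATTACKERS)]


def attacker_profile(attacker: int) -> list[float]:
    """Per-victim flow totals over the window: the attacker's profile vector."""
    return [sum(HISTORY[d][v][attacker] for d in range(len(HISTORY))) for v in range(N_VICTIMS)]


def nearest(item: int, count: int, profile, k: int) -> list[tuple[int, float]]:
    """Up to k peers with strictly positive cosine similarity, most similar first."""
    sims = [(other, cosine(profile(item), profile(other))) for other in range(count) if other != item]
    sims = [s for s in sims if s[1] > 0]
    sims.sort(key=lambda s: -s[1])
    return sims[:k]


def victim_neighborhood_forecast(victim: int, attacker: int, k: int = 2) -> tuple[float, float]:
    """Claims 1 and 11: similarity-weighted attack rate of peer victims for this
    attacker; the weight returned is the mean peer similarity."""
    peers = nearest(victim, N_VICTIMS, victim_profile, k)
    if not peers:
        return 0.0, 0.0                      # no similar peers: no evidence, no weight
    days = len(HISTORY)
    num = sum(sim * sum(attacked(d, p, attacker) for d in range(days)) / days for p, sim in peers)
    den = sum(sim for _, sim in peers)
    return num / den, den / len(peers)


def joint_neighborhood_forecast(victim: int, attacker: int, k: int = 2) -> tuple[float, float]:
    """Claims 1 and 11: group the attacker with its nearest attackers and the victim
    with its nearest victims; forecast = share of that block attacked on the latest
    day, weight = the block's density over the whole window."""
    a_group = [attacker] + [a for a, _ in nearest(attacker, N_ATTACKERS, attacker_profile, k)]
    v_group = [victim] + [v for v, _ in nearest(victim, N_VICTIMS, victim_profile, k)]
    cells = len(a_group) * len(v_group)
    latest = len(HISTORY) - 1
    recent = sum(attacked(latest, v, a) for v in v_group for a in a_group) / cells
    density = sum(attacked(d, v, a) for d in range(len(HISTORY))
                  for v in v_group for a in a_group) / (cells * len(HISTORY))
    return recent, density


def rating(victim: int, attacker: int, ts_weight: float = 1.0) -> float:
    """Claim 1: combine the three forecasts as a weighted mean; the two neighborhood
    weights come from claim 11, the time-series weight is a fixed assumption."""
    f_ts = ewma_forecast(victim, attacker)
    f_vn, w_vn = victim_neighborhood_forecast(victim, attacker)
    f_jn, w_jn = joint_neighborhood_forecast(victim, attacker)
    return (ts_weight * f_ts + w_vn * f_vn + w_jn * f_jn) / (ts_weight + w_vn + w_jn)


def predictive_blacklist(victim: int, size: int | None = None) -> list[int]:
    """Attackers ranked by rating for this victim, highest first."""
    ranked = sorted(range(N_ATTACKERS), key=lambda a: -rating(victim, a))
    return ranked[:size] if size else ranked


if __name__ == "__main__":
    for v in range(N_VICTIMS):
        print(f"victim {v}:", [(a, round(rating(v, a), 3)) for a in predictive_blacklist(v)])
```

For victim 1 and attacker 2 the pieces are visible individually: the EWMA sees the pattern 0, 1, 0 and forecasts 0.25; the only similar peer (victim 0) saw attacker 2 on one of three days, giving a neighborhood forecast of 1/3 with a weight near 1; the {attackers 2, 0} x {victims 1, 0} block has density 2/3 but only half its cells were active on the latest day. Attacker 0, which hits victim 1 daily and hits its peer as well, ranks first; attacker 1, which shares no victims with this neighborhood, rates 0 and falls to the bottom of the list.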
Specification