Generating Accurate Preemptive Security Device Policy Tuning Recommendations

US 20150271199A1
Filed: 03/19/2014
Published: 09/24/2015
Est. Priority Date: 03/19/2014
Status: Active Grant

First Claim

Patent Images

1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:

a computer determining characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;

the computer determining characteristics of a second business which has a second computer system currently or recently under attack, the characteristics of the second business including an industry, a size, and a geographical location of the second business, a type of sensitive data managed by the second computer system, a security vulnerability in the second computer system, and an address of an entity responsible for the current or recent attack on the second computer system;

the computer determining a similarity between the characteristics of the first and second businesses; and

based on the similarity, the computer determining a likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics of the first business and a second business are determined. The second business has a second computer system currently or recently under attack. The characteristics include respective industries, sizes, geographical locations, types of sensitive data, and security vulnerabilities associated with the first and second businesses or first and second computer systems, an address of traffic through a device in the first computer system, and an address of an entity responsible for the attack on the second computer system. Based on a similarity between the characteristics of the first and second businesses, a likelihood that the entity responsible for the attack on the second computer system will attack the first computer system of the first business is determined.

34 Citations

View as Search Results

20 Claims

1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:
- a computer determining characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  the computer determining characteristics of a second business which has a second computer system currently or recently under attack, the characteristics of the second business including an industry, a size, and a geographical location of the second business, a type of sensitive data managed by the second computer system, a security vulnerability in the second computer system, and an address of an entity responsible for the current or recent attack on the second computer system;
  
  the computer determining a similarity between the characteristics of the first and second businesses; and
  
  based on the similarity, the computer determining a likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising the steps of:
    - the computer determining the likelihood exceeds a threshold amount; and
      
      based on the likelihood exceeding the threshold amount, the computer generating a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.
  - 3. The method of claim 1, wherein the step of the computer determining the similarity between the characteristics of the first and second businesses includes the computer determining one or more matches selected from the group of first, second, third, fourth, fifth and sixth matches, wherein the first match is a match between the industries of the first and second businesses, the second match is a match between the sizes of the first and second businesses, the third match is a match between the geographical locations of the first and second businesses, the fourth match is a match between the types of sensitive data managed by the first and second computer systems, the fifth match is a match between the security vulnerabilities of the first and second computer systems, and the sixth match is a match between the address of the source or the destination of data traffic through the security device in the first computer system and the address of the entity responsible for the current or recent attack on the second computer system.
  - 4. The method of claim 3, further comprising the steps of:
    - the computer initializing a score; and
      
      based on the one or more matches, the computer adjusting the score so that the score indicates the likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
  - 5. The method of claim 1, further comprising the steps of:
    - the computer selecting an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being the address of the entity that is responsible for current or recent attacks on computer systems of respective businesses including the second business;
      
      the computer determining an initial value of a score that indicates a likelihood that the entity will attack the first computer system of the first business;
      
      the computer determining characteristics of the businesses, the characteristics of the businesses including respective industries, sizes, and geographical locations of the businesses, respective types of sensitive data managed by the computer systems of the businesses, and respective security vulnerabilities in the computer systems;
      
      the computer determining a first percentage of the businesses whose respective industries match the industry of the first business;
      
      the computer determining a second percentage of the businesses whose respective sizes match the size of the first business;
      
      the computer determining a third percentage of the businesses whose respective geographical locations match the geographical location of the first business;
      
      the computer determining a fourth percentage of the businesses whose respective computer systems manage types of sensitive data that matches the type of sensitive data managed by the first computer system of the first business;
      
      the computer determining a fifth percentage of the businesses whose respective computer systems have security vulnerabilities that match the security vulnerability of the first computer system of the first business;
      
      the computer determining whether the selected IP address is a source or a destination of data traffic flowing in a network in the first computer system of the first business;
      
      if the first percentage exceeds a first threshold amount, the computer incrementing the score by a first predetermined amount;
      
      if the second percentage exceeds a second threshold amount, the computer incrementing the score by a second predetermined amount;
      
      if the third percentage exceeds a third threshold amount, the computer incrementing the score by a third predetermined amount;
      
      if the fourth percentage exceeds a fourth threshold amount, the computer incrementing the score by a fourth predetermined amount;
      
      if the fifth percentage exceeds a fifth threshold amount, the computer incrementing the score by a fifth predetermined amount;
      
      if the selected IP address is the source or destination of the data traffic flowing in the network in the first computer system of the first business, the computer incrementing the score by a sixth predetermined amount; and
      
      the computer determining whether the score exceeds a second threshold amount which indicates a likelihood that the entity responsible for the current or recent attacks on the computer systems will attack the first computer system of the first business.
  - 6. The method of claim 5, further comprising if the score exceeds the second threshold amount, the computer generating a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.
  - 7. The method of claim 6, wherein the step of generating the recommendation includes generating a recommendation for an intrusion prevention system in the first computer system to block all traffic having signatures that match attacks by the IP address or a recommendation for a firewall in the first computer system to drop traffic at ports utilized by communication from the IP address.

8. A computer program product for determining a likelihood of an attack on a first computer system of a first business, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on the one or more storage devices, the program instructions comprising;
  
  program instructions to determine characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  program instructions to determine characteristics of a second business which has a second computer system currently or recently under attack, the characteristics of the second business including an industry, a size, and a geographical location of the second business, a type of sensitive data managed by the second computer system, a security vulnerability in the second computer system, and an address of an entity responsible for the current or recent attack on the second computer system;
  
  program instructions to determine a similarity between the characteristics of the first and second businesses; and
  
  program instructions to determine, based on the similarity, a likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, further comprising:
    - program instructions, stored on the one or more storage devices, to determine the likelihood exceeds a threshold amount; and
      
      program instructions, stored on the one or more storage devices to generate, based on the likelihood exceeding the threshold amount, a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.
  - 10. The computer program product of claim 8, wherein the program instructions to determine the similarity between the characteristics of the first and second businesses determine one or more matches selected from the group of first, second, third, fourth, fifth and sixth matches, wherein the first match is a match between the industries of the first and second businesses, the second match is a match between the sizes of the first and second businesses, the third match is a match between the geographical locations of the first and second businesses, the fourth match is a match between the types of sensitive data managed by the first and second computer systems, the fifth match is a match between the security vulnerabilities of the first and second computer systems, and the sixth match is a match between the address of the source or the destination of data traffic through the security device in the first computer system and the address of the entity responsible for the current or recent attack on the second computer system.
  - 11. The computer program product of claim 10, further comprising:
    - program instructions, stored on the one or more storage devices, to initialize a score; and
      
      program instructions, stored on the one or more storage devices, to adjust, based on the one or more matches, the score so that the score indicates the likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
  - 12. The computer program product of claim 8, further comprising:
    - program instructions, stored on the one or more storage devices, to select an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being the address of the entity that is responsible for current or recent attacks on computer systems of respective businesses including the second business;
      
      program instructions, stored on the one or more storage devices, to determine an initial value of a score that indicates a likelihood that the entity will attack the first computer system of the first business;
      
      program instructions, stored on the one or more storage devices, to determine characteristics of the businesses, the characteristics of the businesses including respective industries, sizes, and geographical locations of the businesses, respective types of sensitive data managed by the computer systems of the businesses, and respective security vulnerabilities in the computer systems;
      
      program instructions, stored on the one or more storage devices, to determine a first percentage of the businesses whose respective industries match the industry of the first business;
      
      program instructions, stored on the one or more storage devices, to determine a second percentage of the businesses whose respective sizes match the size of the first business;
      
      program instructions, stored on the one or more storage devices, to determine a third percentage of the businesses whose respective geographical locations match the geographical location of the first business;
      
      program instructions, stored on the one or more storage devices, to determine a fourth percentage of the businesses whose respective computer systems manage types of sensitive data that matches the type of sensitive data managed by the first computer system of the first business;
      
      program instructions, stored on the one or more storage devices, to determine a fifth percentage of the businesses whose respective computer systems have security vulnerabilities that match the security vulnerability of the first computer system of the first business;
      
      program instructions, stored on the one or more storage devices, to determine whether the selected IP address is a source or a destination of data traffic flowing in a network in the first computer system of the first business;
      
      program instructions, stored on the one or more storage devices, to increment, if the first percentage exceeds a first threshold amount, the score by a first predetermined amount;
      
      program instructions, stored on the one or more storage devices, to increment, if the second percentage exceeds a second threshold amount, the score by a second predetermined amount;
      
      program instructions, stored on the one or more storage devices, to increment, if the third percentage exceeds a third threshold amount, the score by a third predetermined amount;
      
      program instructions, stored on the one or more storage devices, to increment, if the fourth percentage exceeds a fourth threshold amount, the score by a fourth predetermined amount;
      
      program instructions, stored on the one or more storage devices, to increment, if the fifth percentage exceeds a fifth threshold amount, the score by a fifth predetermined amount;
      
      program instructions, stored on the one or more storage devices, to increment, if the selected IP address is the source or destination of the data traffic flowing in the network in the first computer system of the first business, the score by a sixth predetermined amount; and
      
      program instructions, stored on the one or more storage devices, to determine whether the score exceeds a second threshold amount which indicates a likelihood that the entity responsible for the current or recent attacks on the computer systems will attack the first computer system of the first business.
  - 13. The computer program product of claim 12, further comprising program instructions, stored on the one or more storage devices, to generate, if the score exceeds the second threshold amount, a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.
  - 14. The computer program product of claim 13, wherein the program instructions to generate the recommendation generate a recommendation for an intrusion prevention system in the first computer system to block all traffic having signatures that match attacks by the IP address or a recommendation for a firewall in the first computer system to drop traffic at ports utilized by communication from the IP address.

15. A computer system for determining a likelihood of an attack on a first computer system of a first business, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories, the program instructions comprising;
  
  first program instructions to determine characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  second program instructions to determine characteristics of a second business which has a second computer system currently or recently under attack, the characteristics of the second business including an industry, a size, and a geographical location of the second business, a type of sensitive data managed by the second computer system, a security vulnerability in the second computer system, and an address of an entity responsible for the current or recent attack on the second computer system;
  
  third program instructions to determine a similarity between the characteristics of the first and second businesses; and
  
  fourth program instructions to determine, based on the similarity, a likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, further comprising:
    - fifth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine the likelihood exceeds a threshold amount; and
      
      sixth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to generate, based on the likelihood exceeding the threshold amount, a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.
  - 17. The computer system of claim 15, wherein the third program instructions to determine the similarity between the characteristics of the first and second businesses determine one or more matches selected from the group of first, second, third, fourth, fifth and sixth matches, wherein the first match is a match between the industries of the first and second businesses, the second match is a match between the sizes of the first and second businesses, the third match is a match between the geographical locations of the first and second businesses, the fourth match is a match between the types of sensitive data managed by the first and second computer systems, the fifth match is a match between the security vulnerabilities of the first and second computer systems, and the sixth match is a match between the address of the source or the destination of data traffic through the security device in the first computer system and the address of the entity responsible for the current or recent attack on the second computer system.
  - 18. The computer system of claim 17, further comprising:
    - fifth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to initialize a score; and
      
      sixth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to adjust, based on the one or more matches, the score so that the score indicates the likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business.
  - 19. The computer system of claim 15, further comprising:
    - fifth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to select an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being the address of the entity that is responsible for current or recent attacks on computer systems of respective businesses including the second business;
      
      sixth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine an initial value of a score that indicates a likelihood that the entity will attack the first computer system of the first business;
      
      seventh program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine characteristics of the businesses, the characteristics of the businesses including respective industries, sizes, and geographical locations of the businesses, respective types of sensitive data managed by the computer systems of the businesses, and respective security vulnerabilities in the computer systems;
      
      eighth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine a first percentage of the businesses whose respective industries match the industry of the first business;
      
      ninth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine a second percentage of the businesses whose respective sizes match the size of the first business;
      
      tenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine a third percentage of the businesses whose respective geographical locations match the geographical location of the first business;
      
      eleventh program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine a fourth percentage of the businesses whose respective computer systems manage types of sensitive data that matches the type of sensitive data managed by the first computer system of the first business;
      
      twelfth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine a fifth percentage of the businesses whose respective computer systems have security vulnerabilities that match the security vulnerability of the first computer system of the first business;
      
      thirteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine whether the selected IP address is a source or a destination of data traffic flowing in a network in the first computer system of the first business;
      
      fourteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the first percentage exceeds a first threshold amount, the score by a first predetermined amount;
      
      fifteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the second percentage exceeds a second threshold amount, the score by a second predetermined amount;
      
      sixteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the third percentage exceeds a third threshold amount, the score by a third predetermined amount;
      
      seventeenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the fourth percentage exceeds a fourth threshold amount, the score by a fourth predetermined amount;
      
      eighteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the fifth percentage exceeds a fifth threshold amount, the score by a fifth predetermined amount;
      
      nineteenth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to increment, if the selected IP address is the source or destination of the data traffic flowing in the network in the first computer system of the first business, the score by a sixth predetermined amount; and
      
      twentieth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine whether the score exceeds a second threshold amount which indicates a likelihood that the entity responsible for the current or recent attacks on the computer systems will attack the first computer system of the first business.
  - 20. The computer system of claim 19, further comprising twenty-first program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to generate, if the score exceeds the second threshold amount, a recommendation for a change to a policy of a security device included in the first computer system, the change preventing an attack on the first computer system by the entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Givental, Gary I., Walton, Kaleb D., Bradley, Nicholas W., McMillen, David M.

Granted Patent

US 9,253,204 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Generating Accurate Preemptive Security Device Policy Tuning Recommendations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Generating Accurate Preemptive Security Device Policy Tuning Recommendations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links