Determining threat level associated with network activity
First Claim
Patent Images
1. A computer-implemented method for determining network security threat level, comprising:
- receiving event data in response to identified network event detected by a sensor;
based upon the event data;
determining a source threat value, the source threat value based upon a source threat weight for a source IP address and a first range of IP network addresses of which the source IP address is a member;
determining a destination vulnerability value, the destination vulnerability value based upon the network event in conjunction with a destination IP address, a destination threat weight for the destination IP address, and a threat level value associated with a second range of network IP address of which the destination IP address is a member;
determining an event validity value based upon the source IP address and an event type;
determining event severity value based upon the event type;
calculating an event threat level value based upon the source threat value, the destination vulnerability value, the event validity value, and the event severity value;
calculating a host threat level value based upon a summation of event threat level values for a host over a first time period associated with a number of correlated events for the host in the first time period;
calculating a differential threat level by associating the host threat level value with a second host threat level value based upon a second time period wherein the second time period exceeds the first time period;
generating at least one of;
a threat report and a threat presentation based at least on the calculated threat levels; and
outputting the at least one of;
threat report and threat presentation.
2 Assignments
0 Petitions
Accused Products
Abstract
Network devices such as intrusion detection systems, routers, firewalls, servers, and other network devices are monitored to aggregate all event data generated by monitored devices to provide a threat ranking of all network activity. A threat level for a given host is determined by a threat weighting assigned to that host and a threat weighting assigned to that host'"'"'s netblock. In addition, a vulnerability for a given event is determined by the event'"'"'s destination threat associated with a vulnerability value indexed by the event'"'"'s destination and the event'"'"'s type.
221 Citations
8 Claims
-
1. A computer-implemented method for determining network security threat level, comprising:
-
receiving event data in response to identified network event detected by a sensor; based upon the event data; determining a source threat value, the source threat value based upon a source threat weight for a source IP address and a first range of IP network addresses of which the source IP address is a member; determining a destination vulnerability value, the destination vulnerability value based upon the network event in conjunction with a destination IP address, a destination threat weight for the destination IP address, and a threat level value associated with a second range of network IP address of which the destination IP address is a member; determining an event validity value based upon the source IP address and an event type; determining event severity value based upon the event type; calculating an event threat level value based upon the source threat value, the destination vulnerability value, the event validity value, and the event severity value; calculating a host threat level value based upon a summation of event threat level values for a host over a first time period associated with a number of correlated events for the host in the first time period; calculating a differential threat level by associating the host threat level value with a second host threat level value based upon a second time period wherein the second time period exceeds the first time period; generating at least one of;
a threat report and a threat presentation based at least on the calculated threat levels; andoutputting the at least one of;
threat report and threat presentation. - View Dependent Claims (2, 3, 4)
-
-
5. A method for determining network security threat level, comprising:
-
receiving event data in response to an identified network event detected by a sensor; determining an event type based upon the event data; and determining a source threat based upon a source threat weighting assigned to a source for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination threat value based upon a destination threat weighting assigned to the destination for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination vulnerability by associating the destination threat value with a destination vulnerability value based upon a vulnerability of a destination host for the event type; determining an event validity based upon the source and the event type; determining an event severity based upon the event type; calculating the network security threat based upon the source threat, the destination vulnerability, the event validity, and the event severity; generating at least one of;
a threat report and a threat presentation based at least on the calculated network security threat; andoutputting the at least one of;
threat report and threat presentation.
-
-
6. A method for determining network security threat level, comprising:
-
receiving event data in response to an identified network event detected by a sensor; determining an event type based upon the event data; determining a source threat based upon a source threat weighting assigned to a source for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination threat value based upon a destination threat weighting assigned to the destination for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination vulnerability by associating the destination threat value with a destination vulnerability value based upon a vulnerability of a. destination host for the event type; determining an event validity based upon the source and the event type; determining an event severity base upon the event type; calculating an event threat based upon the source threat, the destination vulnerability, the event validity, and the event severity; calculating a compound host threat by associating a plurality of event threats over a time period with a number of correlated events in the time period; generating at least one of;
a threat report and a threat presentation based at least on the calculated threat levels; andoutputting the at least one of;
threat report and threat presentation.
-
-
7. A method for determining network security threat level, comprising:
-
receiving event data in response to an identified network event detected by a sensor; determining an event type based upon the event data; determining a source threat based upon a source threat weighting assigned to a source for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination threat value based upon a destination threat weighting assigned to the destination for the event type associated with a network block threat weighting for the event type assigned to a host network block of which the host is a member; determining a destination vulnerability by associating the destination threat value with a destination vulnerability value based upon a vulnerability of a destination host for the event type; determining an event validity based upon the source and the event type; determining an event severity base upon the event type; determining an event threat based upon the source threat, the destination vulnerability, the event validity, and the event severity; determining a first compound host threat value by associating a first plurality of event threats over a first time period with a first frequency number of correlated events in the first time period; determining a second compound host threat value by associating a second plurality of event threats over a second time period greater than the first time period with a second frequency number of correlated events in the second time period; determining a differential threat level by associating the first compound host threat value with the second host threat value; generating at least one of;
a threat report and a threat presentation based at least on the calculated threat levels; andoutputting the at least one of;
threat report and threat presentation.
-
-
8. A method for determining network security threat level, comprising:
-
receiving event data in response to an identified network event detected by a sensor; determining an event type based upon the event data; based upon the event data, perform the following steps; determining a first host frequency threat level value by summing event threat level values for a host over a first time period dividing by the number of correlated events for the host in the first time period; determining a second host frequency threat level value by summing event threat level values for the host over a second time period greater than the first time period and associated with the number of correlated events for the host in the second time period; determining a differential threat level numerator by multiplication of the first host frequency threat level value by the second time period; determining a differential threat level denominator by multiplying the second host frequency value by the first time period, and calculating a differential threat level by dividing the differential threat level numerator by the differential threat level denominator; generating at least one of;
a threat report and a threat presentation based at least on the calculated differential threat level; andoutputting the at least one of;
threat report and threat presentation.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsCaldwell, Matthew F., Hughes, Robert T., Buck, Darin J., Connary, Iven
-
Primary Examiner(s)Moazzami; Nasser
-
Assistant Examiner(s)YALEW, FIKREMARIAM A
-
Application NumberUS10/649,804Publication NumberTime in Patent Office1,827 DaysField of Search726 22- 27, 709223-224US Class Current726/25CPC Class CodesH04L 43/045 for graphical visualisation...H04L 43/06 Generation of reportsH04L 43/106 using time related informat...H04L 43/16 Threshold monitoringH04L 63/0218 Distributed architectures, ...H04L 63/0263 Rule managementH04L 63/1416 Event detection, e.g. attac...H04L 63/1441 Countermeasures against mal...H04L 63/20 for managing network securi...
