Filtering unwanted data traffic via a per-customer blacklist
First Claim
1. A method for generating a customer blacklist associated with a customer system, comprising:
- generating, at a computer, a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources;
- generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources;
- comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and
- for each internet protocol address in the first plurality of internet protocol addresses:
  - adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and
  - not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses;
- wherein generating a network blacklist further comprises:
  - acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
  - sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics;
  - rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and
  - selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
Abstract
Traffic flow from a traffic source with a source IP address to a customer system with a destination IP address is filtered by comparing the source IP address to a customer blacklist. If the source IP address is on the customer blacklist, then traffic to the customer system is blocked; else, traffic to the customer system is allowed. The customer blacklist is generated from a network blacklist, comprising IP addresses of unwanted traffic sources, and a customer whitelist, comprising IP addresses of wanted traffic sources. The customer blacklist is generated by removing from the network blacklist any IP address also on the customer whitelist. The network blacklist is generated by acquiring raw blacklists from reputation systems. IP addresses on the raw blacklists are sorted by prefix groups, which are rank ordered by traffic frequency. Top prefix groups are selected for the network blacklist.
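The pipeline the abstract describes, as an added Python example that is not code from the patent. The /24 prefix length, the top-2 cutoff, the three-session whitelist threshold, the session record format and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

def network_blacklist(raw_attempts, prefix_len=24, top_n=2):
    """raw_attempts maps source IP -> connection attempts in the interval."""
    groups = defaultdict(dict)
    for ip, attempts in raw_attempts.items():
        # Sort raw blacklist entries into prefix groups of the chosen length.
        groups[ip_network(f"{ip}/{prefix_len}", strict=False)][ip] = attempts
    # Rank prefix groups by total connection attempts, busiest first.
    ranked = sorted(groups, key=lambda p: (-sum(groups[p].values()), str(p)))
    # Only addresses in the top-ranked groups reach the network blacklist.
    return {ip_address(ip) for p in ranked[:top_n] for ip in groups[p]}

def customer_whitelist(sessions, min_sessions=3):
    """sessions: (source IP, state) records, state 'completed' or 'initiated'.
    A source is wanted if either kind of session repeats (assumed threshold)."""
    counts = Counter(sessions)
    return {ip_address(ip) for (ip, _state), n in counts.items()
            if n >= min_sessions}

def customer_blacklist(net_bl, whitelist):
    # Network blacklist minus anything this customer has whitelisted.
    return {ip for ip in net_bl if ip not in whitelist}

def allow(src, blacklist):
    # Per-flow decision: block only sources on the customer blacklist.
    return ip_address(src) not in blacklist

# Constructed sample data: raw reputation feed with attempt counts.
RAW = {"192.0.2.10": 500, "192.0.2.77": 300,
       "198.51.100.5": 400, "203.0.113.9": 20}
# Constructed session history for one customer.
SESSIONS = ([("192.0.2.77", "completed")] * 3
            + [("203.0.113.50", "initiated")] * 3
            + [("198.51.100.5", "completed")])

NET_BL = network_blacklist(RAW)
WL = customer_whitelist(SESSIONS)
CUST_BL = customer_blacklist(NET_BL, WL)

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"):
        print(src, "allow" if allow(src, CUST_BL) else "block")
```

The sample shows the case the whitelist exists for: 192.0.2.77 sits in the highest-ranked prefix group but is removed from this customer's blacklist because the customer repeatedly completes sessions with it.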
12 Claims
7. A non-transitory computer readable medium storing computer program instructions for generating a customer blacklist associated with a customer system, the computer instructions comprising:
- generating a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources;
- generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources;
- comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and
- for each internet protocol address in the first plurality of internet protocol addresses:
  - adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and
  - not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses;
- wherein generating a network blacklist further comprises:
  - acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
  - sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics;
  - rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and
  - selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
Specification