Mining user behavior data for IP address space intelligence
Abstract
The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol (“IP”) space intelligence. Specifically, the claimed subject matter provides a method and system of mining user behavior within an IP address space and the application of the IP address space intelligence derived from the mined user behavior.
In one embodiment, the IP address space intelligence is formed and/or increased with information obtained from the mined user behavior data. A system of uniquely-identified users is monitored and their behavior within the IP address space is recorded. Further data is mined from estimated characteristics about the user, including the nature of the IP address the user uses to log into the service, and characterizing the IP address according to a network type.
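A sketch of the pipeline the abstract describes, as an added example that is not code from the patent: login records of identified users are mined per address, the address is estimated to be static or dynamic, and the measures and their durations are chosen from that estimate. The page does not say how the estimate is made, so the tenure heuristic, its thresholds, the measure names and the durations are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (user_id, ip, timestamp); documentation-range IPs.
LOGINS = [
    ("alice", "198.51.100.7", "2024-03-01T08:00"),
    ("alice", "198.51.100.7", "2024-03-09T08:05"),
    ("alice", "198.51.100.7", "2024-03-20T07:58"),
    ("bob",   "203.0.113.40", "2024-03-01T10:00"),
    ("carol", "203.0.113.40", "2024-03-02T11:00"),
    ("dave",  "203.0.113.40", "2024-03-03T09:30"),
    ("bob",   "203.0.113.41", "2024-03-04T10:00"),
]

# Hypothetical measures and durations, keyed by the estimated nature of the address.
MEASURES = {
    "static":  [("block_ip", timedelta(days=30)),
                ("challenge_account", timedelta(days=30))],
    # A dynamic address is soon reassigned, so the IP-level measure is short
    # and the long-lived measure follows the identified account instead.
    "dynamic": [("rate_limit_ip", timedelta(hours=1)),
                ("challenge_account", timedelta(days=30))],
    "unknown": [("rate_limit_ip", timedelta(hours=1)),
                ("challenge_account", timedelta(days=7))],
}

def estimate_nature(logins, ip, min_tenure=timedelta(days=14), max_users=2):
    """Return 'static', 'dynamic' or 'unknown' for one address (assumed heuristic)."""
    seen = defaultdict(list)
    for user, addr, ts in logins:
        if addr == ip:
            seen[user].append(datetime.fromisoformat(ts))
    if not seen:
        return "unknown"                      # no observations at all
    longest = max(max(t) - min(t) for t in seen.values())
    if len(seen) <= max_users and longest >= min_tenure:
        return "static"                       # same few users keep it for weeks
    if len(seen) > max_users and longest < min_tenure:
        return "dynamic"                      # many users, each seen only briefly
    return "unknown"                          # too little evidence either way

def plan_measures(logins, ip):
    """Pick which measures apply, and for how long, from the estimated nature."""
    nature = estimate_nature(logins, ip)
    return nature, MEASURES[nature]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.40", "203.0.113.41"):
        print(ip, *plan_measures(LOGINS, ip))
```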
23 Claims
1. A method for mining behavioral data from users of a system of identified users, the method comprising:
- monitoring user behavior of the identified users in the system;
- compiling information about behavior of a user of the system within an Internet Protocol address space;
- estimating a nature of an Internet Protocol address the user uses to access the system by determining whether the Internet Protocol address is static or dynamic;
- characterizing the Internet Protocol address according to a network type, identifying user behavior as malicious activity; and
- performing a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on the nature of the Internet Protocol Address of the user,
wherein the monitoring, the compiling, the estimating, the characterizing, the identifying, and the performing are performed in a computing system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A method of tracking behavior in a system of identified users based on mined behavior data for an Internet Protocol address space, the method comprising:
- mining behavioral data from a system of identified users by monitoring user behavior in the system and deriving information about user behavior in an Internet Protocol address space based on the monitored user behavior;
- identifying one or more activities;
- tracking the one or more activities to one or more Internet Protocol Address(es);
- determining if the one or more Internet Protocol Address(es) are static or dynamic;
- mapping the identified activity to the one or more Internet Protocol Addresses of a user, the identified activity comprising identified malicious activity; and
- performing a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on whether the Internet Protocol Address(es) are static or dynamic,
wherein the mining, the identifying, the determining, the mapping and the performing are performed in a computer system.
Dependent claims: 15, 16, 17, 18
19. A system for tracking malicious behavior in a system of identified users based on mined behavior data for an Internet Protocol address space, the system comprising:
- a computer system having a processor coupled to a memory, the memory having computer readable code, which when executed by the processor causes the computer system to implement an application for tracking user behavior in a system of identified users based on mined behavior data for the Internet Protocol address space,
wherein, the application tracks user behavior in a system by mining behavioral data from users of a system of identified users by deriving information about user behavior in the Internet Protocol address space, linking a specific user of the system to activity occurring with the Internet Protocol address space based upon the information obtained, identifying malicious activity and tracking the malicious activity to an Internet Protocol Address of a user, and mapping the user to the identified malicious activity coming from the Internet Protocol Address of the user,
wherein, deriving information about user behavior in the Internet Protocol address space comprises estimating a nature of the Internet Protocol address the user uses to access the system by determining whether the Internet Protocol address is static or dynamic,
further wherein, the application performs a plurality of proactive measures against the malicious activity, each of the plurality of proactive measures being performed for a length of time, wherein which proactive measures are performed and the length of time for which a proactive measure of the plurality of proactive measures is performed are based on whether the Internet Protocol Address(es) are static or dynamic.
Dependent claims: 20, 21, 22, 23
Specification