IP reputation

  • US 8,832,832 B1
  • Filed: 01/03/2014
  • Issued: 09/09/2014
  • Est. Priority Date: 01/03/2014
  • Status: Active Grant
First Claim

1. A computer system comprising:

  • one or more computer processors; and
  • a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to:

    determine an IP address for which a threat score is to be determined;

    access network alert datasets from each of one or more data sources, each data source comprising a computing system connected to a network and having access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprise:

    a plurality of recorded network threat events, the date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events;

    determine which of the network alert datasets include one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address;

    for each of the data sources for which the IP address is a member of the corresponding network alert dataset:

    determine a quantity of occurrences of the IP address in the network alert dataset;

    determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time;

    determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and

    determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
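The claim describes the scoring in the abstract: per data source, count the occurrences of the IP, compute a cumulative recency from the age of each occurrence, apply a per-source weight derived from that source's historical true-positive rate, and combine. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes one concrete choice for each of those steps: recency of an occurrence is an exponential decay with a half-life of seven days (so the cumulative recency of a source is the sum of the decayed ages of its occurrences), the weighting factor is a constructed per-source precision value, and the three factors combine as weight × quantity × mean recency. The alert records and source weights below are constructed sample data, not real telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AlertEvent:
    """One recorded network threat event from a data source's alert dataset."""
    source: str          # the data source that recorded the event
    when: datetime       # date and time of the event
    ip: str              # originating IP address
    event_type: str      # event type as recorded by the source


# Constructed "current time" and sample alert datasets (not real data).
NOW = datetime(2014, 1, 3, 12, 0, 0)

ALERTS = [
    AlertEvent("firewall", NOW - timedelta(hours=1), "203.0.113.7", "port_scan"),
    AlertEvent("firewall", NOW - timedelta(days=2), "203.0.113.7", "port_scan"),
    AlertEvent("ids", NOW - timedelta(days=10), "203.0.113.7", "exploit_attempt"),
    AlertEvent("honeypot", NOW - timedelta(days=3), "198.51.100.9", "ssh_bruteforce"),
    AlertEvent("ids", NOW - timedelta(hours=3), "198.51.100.9", "exploit_attempt"),
]

# Constructed weighting factors: an assumed historical true-positive rate per
# source (a noisy firewall log is trusted far less than a honeypot hit).
SOURCE_WEIGHTS = {"firewall": 0.3, "ids": 0.8, "honeypot": 0.95}

SECONDS_PER_DAY = 86400.0


def occurrence_recency(event: AlertEvent, now: datetime, half_life_days: float = 7.0) -> float:
    """Recency of one occurrence: 1.0 for an event happening now, halving every
    half_life_days (assumed decay; the claim does not fix a formula)."""
    age_days = (now - event.when).total_seconds() / SECONDS_PER_DAY
    return 0.5 ** (age_days / half_life_days)


def threat_score(ip: str, alerts: list, weights: dict, now: datetime):
    """Return (score, breakdown) for ip.

    Per data source whose dataset contains ip: quantity = number of occurrences,
    cumulative recency = sum of per-occurrence recencies, weight = source weight
    (a source with no history is weighted 0, i.e. not trusted).  The source's
    contribution is weight * quantity * mean recency, which equals
    weight * cumulative recency; the score is the sum over sources.
    """
    by_source: dict = {}
    for event in alerts:
        if event.ip == ip:
            by_source.setdefault(event.source, []).append(event)

    score = 0.0
    breakdown = {}
    for source, events in by_source.items():
        quantity = len(events)
        cumulative_recency = sum(occurrence_recency(e, now) for e in events)
        weight = weights.get(source, 0.0)
        contribution = weight * quantity * (cumulative_recency / quantity)
        breakdown[source] = {
            "quantity": quantity,
            "cumulative_recency": round(cumulative_recency, 4),
            "weight": weight,
            "event_types": sorted({e.event_type for e in events}),
            "contribution": round(contribution, 4),
        }
        score += contribution
    return score, breakdown


if __name__ == "__main__":
    for candidate in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        total, parts = threat_score(candidate, ALERTS, SOURCE_WEIGHTS, NOW)
        print(f"{candidate}: score={total:.3f} breakdown={parts}")
```

Running it shows the point of the weighting and recency terms: 203.0.113.7 has three recorded occurrences but scores lower (about 0.84) than 198.51.100.9 with two (about 1.50), because the latter's occurrences are recent and come from high-precision sources. An IP absent from every dataset scores 0.0 with an empty breakdown, and a source missing from the weights table contributes nothing rather than being silently trusted.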

  • 8 Assignments