IP reputation

US 8,832,832 B1
Filed: 01/03/2014
Issued: 09/09/2014
Est. Priority Date: 01/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more computer processors; and

a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to;

determine an IP address for which a threat score is to be determined;

access network alert datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprise;

a plurality of recorded network threat events, date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events;

determine which of the network alert datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address;

for each of the data sources for which the IP address is a member of the corresponding network alert dataset;

determine a quantity of occurrences of the IP address in the network alert dataset;

determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time;

determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and

determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.

Citations

20 Claims

1. A computer system comprising:
- one or more computer processors; and
  
  a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to;
  
  determine an IP address for which a threat score is to be determined;
  
  access network alert datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprise;
  
  a plurality of recorded network threat events, date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events;
  
  determine which of the network alert datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address;
  
  for each of the data sources for which the IP address is a member of the corresponding network alert dataset;
  
  determine a quantity of occurrences of the IP address in the network alert dataset;
  
  determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time;
  
  determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and
  
  determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein determining the threat score for the IP address further comprises adjusting the threat score based on the event type of each of the plurality of recorded network threat events.
  - 3. The computer system of claim 2, wherein the event type comprises at least one of malicious attack, advertising, peer-to-peer communication, illegal activity, or spying activity.
  - 4. The computer system of claim 1, wherein the weighting factors are further determined based at least in part on at least one of a quantity or a percentage of network threat events previously provided by a data source that were determined to be actual network threats.
  - 5. The computer system of claim 4, wherein a particular network threat event reported by a first data source is determined to be an actual network threat based on threat data received from one or more other data sources.
  - 6. The computer system of claim 1, wherein each of the data sources comprises at least one of a proprietary network monitoring system, a firewall, a network device access log, a mobile hotspot log, or a Virtual Private Network access log.
  - 7. The computer system of claim 1, wherein the recency of each occurrence of the IP address is further determined based at least in part on a function of the amount of time between the date and time of respective occurrences.
  - 8. The computer system of claim 7, wherein the function is at least one of an exponential decay function, a constant decay function, a step decay function, a linear decay function, a weibull decay function, a hill decay function, or a smooth-compact decay function.
  - 9. The computer system of claim 1, further comprising one or more modules stored on the tangible storage device, the one or more modules configured for execution by the one or more computer processors in order to cause the computer system to:
    - present a report comprising the threat score for the IP address.

10. A computer system comprising:
- one or more computer processors; and
  
  a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to;
  
  determine an IP address for which a usage score is to be determined;
  
  access network usage datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network usage datasets comprise;
  
  a plurality of recorded network usage events, date and time of each of the plurality of recorded network usage events, an originating IP address for each of the plurality of recorded network usage events, and an event type of each of the plurality of recorded network usage events;
  
  determine which of the network usage datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a usage by the IP address;
  
  for each of the data sources for which the IP address is a member of the corresponding network usage dataset;
  
  determine a quantity of occurrences of the IP address in the network alert dataset;
  
  determine a recency of each occurrence of the IP address in the network usage dataset, wherein recency is determined based at least in part on an amount of time between date and time of respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network usage dataset and the current time;
  
  determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network usage dataset is an actual threat, wherein the likelihood is based at least in part on historical data of activities associated with each of the respective data sources; and
  
  determine an usage score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer system of claim 10, wherein determining the usage score for the IP address further comprises adjusting the usage score to constrain the usage score to a value between 0 and 1.
  - 12. The computer system of claim 10, wherein the recency of each occurrence of the IP address is further determined based at least in part on a function of the amount of time between the date and time of respective occurrences.
  - 13. The computer system of claim 12, wherein the function is at least one of an exponential decay function, a constant decay function, a step decay function, a linear decay function, a weibull decay function, a hill decay function, or a smooth-compact decay function.
  - 14. The computer system of claim 10, wherein the event type comprises at least one of VPN connection, proxy server connection, or authorized account log in.

15. A non-transitory computer-readable storage medium storing computer-executable instructions configured to direct a computing system to:
- determine an IP address for which a threat score is to be determined;
  
  access network alert datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprising;
  
  a plurality of recorded network threat events, date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events;
  
  determine which of the network alert datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address;
  
  for each of the data sources for which the IP address is a member of the corresponding network alert dataset;
  
  determine a quantity of occurrences of the IP address in the network alert dataset;
  
  determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time;
  
  determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and
  
  determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein determining the threat score for the IP address further comprises adjusting the threat score based on the event type of each of the plurality of recorded network threat events.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the event type comprises at least one of malicious attack, advertising, peer-to-peer communication, illegal activity, or spying activity.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the weighting factors are determined based at least in part on at least one of a quantity or a percentage of network threat events previously provided by a data source that were determined to be actual network threats.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein a particular network threat event reported by a first data source is determined to be an actual network threat based on threat data received from one or more other data sources.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein each of the data sources comprises at least one of a proprietary network monitoring system, a firewall, a network device access log, a mobile hotspot log, or a Virtual Private Network access log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Visbal, Alexander
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Dolly, Kendall

Application Number

US14/147,402
Time in Patent Office

249 Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

IP reputation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IP reputation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links