Method and apparatus for generating highly predictive blacklists
Abstract
In one embodiment, the present invention is a method and apparatus for generating highly predictive blacklists. One embodiment of a method for generating a blacklist of network addresses for a user of a network includes collecting security log data from users of the network, the security log data identifying observed attacks by attack sources; assigning the attack sources to the blacklist based on a combination of the relevance of each attack source to the user and the maliciousness of the attack source; and outputting the blacklist.
82 Citations
34 Claims
1. A method for generating a blacklist of network addresses, the method comprising:
- analyzing attack history data of a plurality of nodes of a computer network;
- computing a relevance ranking for a current attack source with respect to a first node of the computer network, the relevance ranking indicative of an attack history of the current attack source with respect to the first network node;
- propagating the relevance ranking to a second node of the computer network by applying a weight to the relevance ranking computed for the first network node, the weight indicative of a strength of an attack correlation relationship between the first network node and the second network node, the strength of the attack correlation relationship based on whether the attack history data includes data indicative of a previous attack on the first network node and the second network node, respectively, by a common attack source different than the current attack source;
- based at least partly on the propagated relevance ranking, adjusting a score of the current attack source on a list of attack sources; and
- generating a blacklist for the second network node by selecting one or more attack sources from the list of attack sources based on respective scores of the one or more selected attack sources.
Dependent claims: 2 to 14 and 34.
15. A blacklist generation module embodied in one or more non-transitory computer readable storage media and configured to cause a computing device to:
- analyze first attack history data of a first network node and second attack history data of a second network node;
- identify, in the first attack history data, data indicative of an attack by a current attack source; and
- in response to determining that the second attack history data does not comprise data indicative of an attack by the current attack source:
  (i) determine a relevance ranking for the current attack source with respect to the first network node, the relevance ranking indicative of an attack history of the current attack source with respect to the first network node;
  (ii) propagate the relevance ranking to the second network node by applying a weight to the relevance ranking, the weight indicative of a strength of an attack correlation relationship between the first network node and the second network node, the strength of the attack correlation relationship based on whether the attack history data includes data indicative of a previous attack on the first network node and the second network node, respectively, by a common attack source different than the current attack source;
  (iii) based at least partly on the relevance ranking, adjust a score of the current attack source on a list of attack sources; and
  (iv) generate a blacklist for the second network node by selecting one or more attack sources from the list of attack sources based on respective scores of the selected one or more attack sources on the list of attack sources.
Dependent claims: 16 to 28.
29. A system for generating a blacklist of network addresses, the system comprising a computing device configured to:
- analyze first attack history data of a first network node and second attack history data of a second network node;
- identify, in the first attack history data, data indicative of an attack by a current attack source; and
- in response to determining that the second attack history data does not comprise data indicative of an attack by the current attack source:
  (i) determine a relevance ranking for the current attack source with respect to the first network node, the relevance ranking indicative of an attack history of the current attack source with respect to the first network node;
  (ii) propagate the relevance ranking to the second network node by applying a weight to the relevance ranking, the weight indicative of a strength of an attack correlation relationship between the first network node and the second network node, the strength of the attack correlation relationship based on whether the attack history data includes data indicative of a previous attack on the first network node and the second network node, respectively, by a common attack source different than the current attack source;
  (iii) based at least partly on the relevance ranking, adjust a score of the current attack source on a list of attack sources; and
  (iv) generate a blacklist for the second network node by selecting one or more attack sources from the list of attack sources based on respective scores of the one or more selected attack sources on the list of attack sources.
Dependent claims: 30 to 33.