Generating accurate preemptive security device policy tuning recommendations
First Claim
1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:
- determining, by a hardware processor of a computer, target businesses within a plurality of businesses other than the first business as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by one entity whose Internet Protocol (IP) address is selected from a list of suspicious IP addresses;
determining, by the hardware processor of the computer, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems;
determining, by the hardware processor of the computer, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in a plurality of characteristics of the first business, and the percentages associated with respective threshold amounts;
determining, by the hardware processor of the computer, whether each of the plurality of percentages exceeds the associated threshold amount, and incrementing, by the computer, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented;
determining, by the hardware processor of the computer, whether the selected IP address matches an address of a source or a destination of data traffic through a security device in the first computer system, and incrementing the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system;
determining, by the hardware processor of the computer, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and if the score exceeds twice the predetermined amount, generating, by the computer, a recommendation to change a security policy for the first computer system of the first business;
subsequent to the step of determining whether the score exceeds twice the predetermined amount, selecting, by the hardware processor of the computer, a next IP address from the list of suspicious IP addresses; and
repeating, by the hardware processor of the computer, the steps of determining the target businesses, determining the characteristics of the target businesses, determining the plurality of percentages, determining whether each of the plurality of percentages exceeds the associated threshold amount, incrementing the score by the predetermined amount for each of the percentages that is determined to exceed the associated threshold amount, determining whether the score exceeds twice the predetermined amount, and generating the recommendation if the score exceeds twice the predetermined amount, until no IP address in the list of suspicious IP addresses remains unselected.
2 Assignments
0 Petitions
Accused Products
Abstract
An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics are determined for target businesses having target computer systems currently or recently under attack by an entity whose Internet Protocol (IP) address was selected from a list of suspicious IP addresses. Percentages associated with the characteristics are determined. Each percentage indicates a percentage of the target businesses whose associated characteristic matches a corresponding characteristic of the first business. A score is incremented by an amount for each of the percentages that exceeds an associated threshold. The score is incremented by twice the amount if the IP address matches an address of a source or destination of traffic through a security device in the first computer system. A recommendation to change a security policy for the first computer system is generated if the score exceeds twice the predetermined amount.
11 Citations
13 Claims
-
1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:
-
determining, by a hardware processor of a computer, target businesses within a plurality of businesses other than the first business as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by one entity whose Internet Protocol (IP) address is selected from a list of suspicious IP addresses; determining, by the hardware processor of the computer, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems; determining, by the hardware processor of the computer, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in a plurality of characteristics of the first business, and the percentages associated with respective threshold amounts; determining, by the hardware processor of the computer, whether each of the plurality of percentages exceeds the associated threshold amount, and incrementing, by the computer, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented; determining, by the hardware processor of the computer, whether the selected IP address matches an address of a source or a destination of data traffic through a security device in the first computer system, and incrementing the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system; determining, by the hardware processor of the computer, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and if the score exceeds twice the predetermined amount, generating, by the computer, a recommendation to change a security policy for the first computer system of the first business; subsequent to the step of determining whether the score exceeds twice the predetermined amount, selecting, by the hardware processor of the computer, a next IP address from the list of suspicious IP addresses; and repeating, by the hardware processor of the computer, the steps of determining the target businesses, determining the characteristics of the target businesses, determining the plurality of percentages, determining whether each of the plurality of percentages exceeds the associated threshold amount, incrementing the score by the predetermined amount for each of the percentages that is determined to exceed the associated threshold amount, determining whether the score exceeds twice the predetermined amount, and generating the recommendation if the score exceeds twice the predetermined amount, until no IP address in the list of suspicious IP addresses remains unselected. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer program product for determining a likelihood of an attack on a first computer system of a first business, the computer program product comprising:
one or more hardware computer-readable storage devices and program instructions stored on the one or more hardware computer-readable storage devices, the program instructions executing by a hardware processor and the program instructions comprising; program instructions to determine, by the hardware processor, target businesses within a plurality of businesses other than the first business as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by one entity whose Internet Protocol (IP) address is selected from a list of suspicious IP addresses; program instructions to determine, by the hardware processor, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems; program instructions to determine, by the hardware processor, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in a plurality of characteristics of the first business, and the percentages associated with respective threshold amounts; program instructions to determine, by the hardware processor, whether each of the plurality of percentages exceeds the associated threshold amount, and increment, by the hardware processor, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented; program instructions to determine, by the hardware processor, whether the selected IP address matches an address of a source or a destination of data traffic through a security device in the first computer system, and increment, by the hardware processor, the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system; program instructions to determine, by the hardware processor, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and generate, by the hardware processor, a recommendation to change a security policy for the first computer system of the first business if the score is determined to exceed twice the predetermined amount; program instructions to select, by the hardware processor and subsequent to determining whether the score exceeds twice the predetermined amount, a next IP address from the list of suspicious IP addresses; and program instructions to repeat an execution of the program instructions to determine the target businesses, determine the characteristics of the target businesses, determine the plurality of percentages, determine whether each of the plurality of percentages exceeds the associated threshold amount, increment the score by the predetermined amount for each of the percentages that is determined to exceed the associated threshold amount, determine whether the score exceeds twice the predetermined amount, and generate the recommendation if the score is determined to exceed twice the predetermined amount, until no IP address in the list of suspicious IP addresses remains unselected. - View Dependent Claims (7, 8, 9)
-
10. A computer system for determining a likelihood of an attack on a first computer system of a first business, the computer system comprising:
one or more hardware processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on the one or more storage devices for execution by the one or more hardware processors via the one or more computer-readable memories, the program instructions comprising; first program instructions to determine, by the computer system, target businesses within a plurality of businesses other than the first business as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by one entity whose Internet Protocol (IP) address is selected from a list of suspicious IP addresses; second program instructions to determine, by the computer system, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems; third program instructions to determine, by the computer system, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in a plurality of characteristics of the first business, and the percentages associated with respective threshold amounts; fourth program instructions to determine, by the computer system, whether each of the plurality of percentages exceeds the associated threshold amount, and increment, by the computer system, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented; fifth program instructions to determine, by the computer system, whether the selected IP address matches an address of a source or a destination of data traffic through a security device in the first computer system, and increment, by the computer system, the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system; sixth program instructions to determine, by the computer system, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and generate, by the computer system, a recommendation to change a security policy for the first computer system of the first business if the score is determined to exceed twice the predetermined amount; seventh program instructions to select, by the computer system and subsequent to determining whether the score exceeds twice the predetermined amount, a next IP address from the list of suspicious IP addresses; and eighth program instructions to repeat, by the computer system, an execution of the program instructions to determine the target businesses, determine the characteristics of the target businesses, determine the plurality of percentages, determine whether each of the plurality of percentages exceeds the associated threshold amount, increment the score by the predetermined amount for each of the percentages that is determined to exceed the associated threshold amount, determine whether the score exceeds twice the predetermined amount, and generate the recommendation if the score is determined to exceed twice the predetermined amount, until no IP address in the list of suspicious IP addresses remains unselected. - View Dependent Claims (11, 12, 13)
Specification