Generating accurate preemptive security device policy tuning recommendations

US 9,531,759 B2
Filed: 11/06/2015
Issued: 12/27/2016
Est. Priority Date: 03/19/2014
Status: Active Grant

First Claim

Patent Images

1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:

determining, by a hardware processor of a computer, a plurality of characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;

selecting, by the computer, an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being an address of one of a plurality of entities responsible for current or recent attacks on computer systems of respective businesses included in a plurality of businesses other than the first business;

determining, by the computer, target businesses within the plurality of businesses as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by the one entity whose IP address was selected;

determining, by the computer, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems;

determining, by the computer, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in the plurality of characteristics of the first business, and the percentages associated with respective threshold amounts;

determining, by the computer, whether each of the plurality of percentages exceeds the associated threshold amount, and incrementing, by the computer, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented;

determining, by the computer, whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, and incrementing the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system;

determining, by the computer, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and if the score exceeds twice the predetermined amount, generating, by the computer, a recommendation to change a security policy for the first computer system of the first business; and

subsequent to the step of determining whether the score exceeds twice the predetermined amount, selecting, by the computer, a next IP address from the list of suspicious IP addresses and repeating, by the computer, steps in the method that had been performed after the step of selecting the IP address and prior to the step of selecting the next IP address until no IP address in the list of suspicious IP addresses remains unselected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics of the first business and a second business are determined. The second business has a second computer system currently or recently under attack. The characteristics include respective industries, sizes, geographical locations, types of sensitive data, and security vulnerabilities associated with the first and second businesses or first and second computer systems, an address of traffic through a device in the first computer system, and an address of an entity responsible for the attack on the second computer system. Based on a similarity between the characteristics of the first and second businesses, a likelihood that the entity responsible for the attack on the second computer system will attack the first computer system of the first business is determined.

9 Citations

10 Claims

1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:
- determining, by a hardware processor of a computer, a plurality of characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  selecting, by the computer, an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being an address of one of a plurality of entities responsible for current or recent attacks on computer systems of respective businesses included in a plurality of businesses other than the first business;
  
  determining, by the computer, target businesses within the plurality of businesses as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by the one entity whose IP address was selected;
  
  determining, by the computer, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems;
  
  determining, by the computer, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in the plurality of characteristics of the first business, and the percentages associated with respective threshold amounts;
  
  determining, by the computer, whether each of the plurality of percentages exceeds the associated threshold amount, and incrementing, by the computer, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented;
  
  determining, by the computer, whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, and incrementing the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system;
  
  determining, by the computer, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and if the score exceeds twice the predetermined amount, generating, by the computer, a recommendation to change a security policy for the first computer system of the first business; and
  
  subsequent to the step of determining whether the score exceeds twice the predetermined amount, selecting, by the computer, a next IP address from the list of suspicious IP addresses and repeating, by the computer, steps in the method that had been performed after the step of selecting the IP address and prior to the step of selecting the next IP address until no IP address in the list of suspicious IP addresses remains unselected.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the step ofgenerating the recommendation results in a prevention of an attack on the first computer system by the one entity whose IP address was selected.
  - 3. The method of claim 1, further comprising the steps of:
    - determining, by the computer, that the score exceeds twice the predetermined amount; and
      
      based on the score exceeding twice the predetermined amount, generating, by the computer, a recommendation for an intrusion prevention system in the first computer system to block all traffic having signatures that match attacks by the selected IP address and a recommendation for a firewall in the first computer system to drop traffic at ports utilized by communication from the selected IP address.
  - 4. The method of claim 1, further comprising the step of:
    - providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer, the program code being executed by the hardware processor of the computer to implement the steps of determining the plurality of characteristics of the first business, selecting the IP address, determining the target businesses, determining the characteristics of the target businesses, determining the plurality of percentages, determining whether each of the plurality of percentages exceeds the associated threshold amount, incrementing the score by the predetermined amount, determining whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, incrementing the score by twice the predetermined amount, determining whether the score exceeds twice the predetermined amount, generating the recommendation, selecting the next IP address, and repeating the steps.

5. A computer program product for determining a likelihood of an attack on a first computer system of a first business, the computer program product comprising:
- one or more hardware computer-readable storage devices and program instructions stored on the one or more storage devices, the program instructions executing by a hardware processor and the program instructions comprising;
  
  program instructions to determine, by the hardware processor, a plurality of characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  program instructions to select, by the hardware processor, an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being an address of one of a plurality of entities responsible for current or recent attacks on computer systems of respective businesses included in a plurality of businesses other than the first business;
  
  program instructions to determine, by the hardware processor, target businesses within the plurality of businesses as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by the one entity whose IP address was selected;
  
  program instructions to determine, by the hardware processor, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems;
  
  program instructions to determine, by the hardware processor, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in the plurality of characteristics of the first business, and the percentages associated with respective threshold amounts;
  
  program instructions to determine, by the hardware processor, whether each of the plurality of percentages exceeds the associated threshold amount, and increment, by the hardware processor, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented;
  
  program instructions to determine, by the hardware processor, whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, and increment, by the hardware processor, the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system;
  
  program instructions to determine, by the hardware processor, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and generate, by the hardware processor, a recommendation to change a security policy for the first computer system of the first business if the score exceeds twice the predetermined amount; and
  
  program instructions to select, by the hardware processor and subsequent to determining whether the score exceeds twice the predetermined amount by an execution of the program instructions to determine whether the score exceeds twice the predetermined amount, a next IP address from the list of suspicious IP addresses and repeat, by the hardware processor, steps that had been performed after selecting the IP address by an execution of the program instructions to select the IP address and prior to selecting the next IP address by an execution of the program instructions to select the next IP address, until no IP address in the list of suspicious IP addresses remains unselected.
- View Dependent Claims (6, 7)
- - 6. The computer program product of claim 5, wherein the program instructionsto generate the recommendation, when executed, results in a prevention of an attack on the first computer system by the one entity whose IP address was selected by an execution of the program instructions to select the IP address.
  - 7. The computer program product of claim 5, further comprising:
    - program instructions, stored on the one or more storage devices, to determine by the hardware processor, that the score exceeds twice the predetermined amount; and
      
      program instructions, stored on the one or more storage devices, to generate, by the hardware processor and based on the score exceeding twice the predetermined amount, a recommendation for an intrusion prevention system in the first computer system to block all traffic having signatures that match attacks by the IP address and a recommendation for a firewall in the first computer system to drop traffic at ports utilized by communication from the IP address.

8. A computer system for determining a likelihood of an attack on a first computer system of a first business, the computer system comprising:
- one or more hardware processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on the one or more storage devices for execution by the one or more hardware processors via the one or more memories, the program instructions comprising;
  
  first program instructions to determine, by the computer system, a plurality of characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system;
  
  second program instructions to select, by the computer system, an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being an address of one of a plurality of entities responsible for current or recent attacks on computer systems of respective businesses included in a plurality of businesses other than the first business;
  
  third program instructions to determine, by the computer system, target businesses within the plurality of businesses as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by the one entity whose IP address was selected;
  
  fourth program instructions to determine, by the computer system, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target businesses, and respective security vulnerabilities in the target computer systems;
  
  fifth program instructions to determine, by the computer system, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in the plurality of characteristics of the first business, and the percentages associated with respective threshold amounts;
  
  sixth program instructions to determine, by the computer system, whether each of the plurality of percentages exceeds the associated threshold amount, and increment, by the computer system, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented;
  
  seventh program instructions to determine, by the computer system, whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, and increment, by the computer system, the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system;
  
  eighth program instructions to determine, by the computer system, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and generate, by the computer system, a recommendation to change a security policy for the first computer system of the first business if the score exceeds twice the predetermined amount;
  
  ninth program instructions to select, by the computer system and subsequent to determining whether the score exceeds twice the predetermined amount by an execution of the eighth program instructions to determine whether the score exceeds twice the predetermined amount, a next IP address from the list of suspicious IP addresses; and
  
  tenth program instructions to repeat, by the computer system, steps that had been performed after selecting the IP address by an execution of the second program instructions to select the IP address and prior to selecting the next IP address by an execution of the ninth program instructions to select the next IP address, until no IP address in the list of suspicious IP addresses remains unselected.
- View Dependent Claims (9, 10)
- - 9. The computer system of claim 8, wherein the eighth program instructions togenerate the recommendation, when executed, results in a prevention of an attack on the first computer system by the one entity whose IP address was selected by an execution of the second program instructions.
  - 10. The computer system of claim 8, further comprising:
    - eleventh program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine, by the computer system, that the score exceeds twice the predetermined amount; and
      
      twelfth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to generate, by the computer system and based on the score exceeding twice the predetermined amount, a recommendation for an intrusion prevention system in the first computer system to block all traffic having signatures that match attacks by the IP address and a recommendation for a firewall in the first computer system to drop traffic at ports utilized by communication from the IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Bradley, Nicholas W., Givental, Gary I., McMillen, David M., Walton, Kaleb D.
Primary Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/934,841
Publication Number

US 20160065621A1
Time in Patent Office

417 Days
Field of Search

726/4, 726/11, 726/22, 726/25, 713/164
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Generating accurate preemptive security device policy tuning recommendations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Generating accurate preemptive security device policy tuning recommendations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links