Structuring data and pre-compiled exception list engines and internet protocol threat prevention
Abstract
Blocks high-risk IP connections in real time while allowing an acceptable risk profile to be tailored to the security requirements of network resources. By acquiring IP threat information about IP addresses, traffic from IP addresses posing unacceptable levels of risk is blocked. A computer-executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. A network appliance incorporating aspects of the method is also disclosed.
3 Claims
1. A computer-implemented method of protecting a computer network from a computing device associated with an Internet Protocol (IP) address, the method comprising:
acquiring a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network; storing the plurality of threat information in a memory device, the threat information including the IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address, the threat information further including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding a threshold level; storing a risk category acceptance level in the memory device; determining, by a processing device coupled to the memory device, a risk category value associated with the IP address as a function of: the risk confidence level stored in the memory device, and timing information stored in the memory device comprising: a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level; storing the risk category value in the memory device; and blocking, by the processing device, communications from the computing device associated with the IP address when the risk category value is equal to or greater than the risk category acceptance level.
2. A system for protecting a network from a security threat in real-time, the system comprising:
a memory for storing the plurality of Internet Protocol (IP) addresses, timing information associated with each of the plurality of IP addresses, a risk category associated with each of the plurality of IP addresses, a risk confidence level associated with each of the plurality of IP addresses, and a plurality of threat information, the threat information including a determination of geographic proximity characteristics associated with each IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding the threshold level; a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses on a display, and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories; a non-transitory computer-readable storage media having stored thereon computer processor-executable instructions; a computer processor for executing the computer-executable instructions, said instructions comprising: receiving a plurality of IP addresses associated with a particular risk category from one or more internet risk intelligence providers (IRIPs); determining if the one or more received IP addresses are associated with more than one risk category; determining source characteristics for each of the received IP addresses for a category; assigning a weighting factor to each of the source characteristics for each category; determining a risk value associated with each IP address as a function of a geographic weighting factor corresponding to the geographic proximity characteristics associated with the IP address, wherein the geographic weighting factor increases the risk value; adjusting a confidence level for each of the received IP addresses by using a mathematical transform based on the weighting factors for each category; determining an aggregate risk score for all the IP addresses based on the adjusted confidence levels; storing the aggregate risk score in a memory device; receiving an acceptable risk level from a user for each category, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptable risk level during a time interval based on the timing information associated therewith; comparing the stored aggregate risk score with the received acceptable risk level from the user; and allowing communications from any IP addresses having an acceptable risk level to pass through the network's firewall.
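Claims 1 and 2 make the risk category value a function of the stored confidence level and of timing information (how often the confidence exceeded the acceptance level during a first interval, and how long since it last did). The patent gives no formula, so the scoring below is an assumption; this is an added example, not the patent's own code, and the bonus, decay, interval and sample values are constructed.

```python
# Added example: risk category value from IRIP confidence plus timing information.
# The scoring formula, the constants and the sample observations are assumptions.
from dataclasses import dataclass, field


@dataclass
class ThreatRecord:
    ip: str
    category: str
    confidence: float                                   # latest risk confidence level (0..100)
    exceedances: list = field(default_factory=list)     # times confidence reached the acceptance level


def observe(rec: ThreatRecord, confidence: float, now: float, acceptance_level: float) -> None:
    """Store a fresh IRIP confidence level; log the time when it reaches the acceptance level."""
    rec.confidence = confidence
    if confidence >= acceptance_level:
        rec.exceedances.append(now)


def risk_category_value(rec: ThreatRecord, now: float, first_interval: float = 86400.0,
                        bonus: float = 10.0, decay_per_hour: float = 2.0) -> float:
    """Assumed scoring: current confidence, plus a bonus per exceedance inside the first
    interval, minus a decay proportional to the elapsed time since the last exceedance."""
    recent = sum(1 for t in rec.exceedances if now - t <= first_interval)
    value = rec.confidence + bonus * recent
    if rec.exceedances:
        elapsed_hours = (now - max(rec.exceedances)) / 3600.0   # the "second time interval"
        value -= decay_per_hour * elapsed_hours
    return max(0.0, value)


def should_block(rec: ThreatRecord, now: float, acceptance_level: float) -> bool:
    """Claim 1: block when the risk category value is equal to or greater than the acceptance level."""
    return risk_category_value(rec, now) >= acceptance_level


ACCEPT = 80.0   # constructed acceptance level for the sample category


def demo() -> ThreatRecord:
    # Constructed history: two reports above the threshold, then one below it.
    rec = ThreatRecord(ip="203.0.113.7", category="botnet", confidence=0.0)
    observe(rec, 85.0, now=0.0, acceptance_level=ACCEPT)
    observe(rec, 90.0, now=3600.0, acceptance_level=ACCEPT)
    observe(rec, 70.0, now=7200.0, acceptance_level=ACCEPT)
    return rec


if __name__ == "__main__":
    r = demo()
    print(risk_category_value(r, 7200.0), should_block(r, 7200.0, ACCEPT))     # 88.0 True
    print(risk_category_value(r, 43200.0), should_block(r, 43200.0, ACCEPT))   # 68.0 False
```

The history keeps the address blocked even though its latest confidence (70) is below the acceptance level, and the elapsed-time term lets it age back out later.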
3. A method of sorting a plurality of internet protocol (IP) addresses and filtering packets over a network connection based on the sorted IP addresses, each IP address having a numeric value within a range of numeric values, the method comprising:
network appliance for connection to a first network, the appliance comprising:
receiving a data packet from the first network via at least one input coupled to the first network, the data packet including an IP address; storing data in a memory device, the data including: a plurality of pages storing a plurality of excepted IP addresses, the excepted IP addresses each having a numeric value within a range of numeric values, the range divided into a plurality of clusters representing a plurality of contiguous sub-ranges, each page including one or more of the excepted IP addresses assigned to at least one of the clusters associated with the sub-range that includes the numeric value of said IP address within one or more of the sub-ranges associated with that page, each page having a page size defined by a maximum number of IP addresses that can be assigned to that page, the IP addresses in each cluster assigned to each page are ordered by numeric value; storing a plurality of threat information in the memory device, the threat information including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses; identifying the IP address of the packet from the first network; identifying a target page that will include the IP address if the IP address is one of the plurality of excepted IP addresses, wherein the excepted IP addresses include a plurality of allowable IP addresses and a plurality of blocked IP addresses; searching the target page to determine if the IP address is one of the excepted IP addresses in the target page; processing the packet from the first network according to whether the IP address is an excepted IP address in the target page; and determining whether to allow the packet from the first network to proceed based on if the IP address is an allowable IP address in the target page and to deny the packet from the first network from proceeding if the IP address is a blocked IP address in the target page.
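Claim 3 describes the paged exception list: the address range is cut into contiguous clusters, excepted addresses are sorted and packed into pages of a maximum size, and a packet's address is resolved to its target page before the page is searched. The following is an added example, not the patent's own implementation; the /8 cluster width, the page size of four, the rule that a blocked entry wins over an allowed one, and the sample addresses are all assumptions.

```python
# Added example: paged exception list lookup as described in claim 3.
# Cluster width, page size, the block-wins rule and the sample data are assumptions.
import bisect
import ipaddress

CLUSTER_WIDTH = 1 << 24   # assumption: each cluster is one contiguous /8 sub-range
PAGE_SIZE = 4             # assumption: maximum number of addresses per page


class PagedExceptionList:
    def __init__(self, allowed, blocked):
        verdict = {int(ipaddress.IPv4Address(ip)): "allow" for ip in allowed}
        verdict.update({int(ipaddress.IPv4Address(ip)): "block" for ip in blocked})
        ordered = sorted(verdict)          # excepted addresses ordered by numeric value
        # Each page: a sorted list of numeric addresses and the parallel list of verdicts.
        self.pages = [(ordered[i:i + PAGE_SIZE], [verdict[n] for n in ordered[i:i + PAGE_SIZE]])
                      for i in range(0, len(ordered), PAGE_SIZE)]
        # cluster index -> pages that may hold addresses from that cluster's sub-range
        self.cluster_pages = {}
        for idx, (keys, _) in enumerate(self.pages):
            for c in range(keys[0] // CLUSTER_WIDTH, keys[-1] // CLUSTER_WIDTH + 1):
                self.cluster_pages.setdefault(c, []).append(idx)

    def target_page(self, n: int):
        """Index of the page that must contain n if n is excepted at all, else None."""
        for idx in self.cluster_pages.get(n // CLUSTER_WIDTH, []):
            keys, _ = self.pages[idx]
            if keys[0] <= n <= keys[-1]:
                return idx
        return None

    def lookup(self, ip: str) -> str:
        """Return 'allow', 'block' or 'unlisted' for a packet's source address."""
        n = int(ipaddress.IPv4Address(ip))
        idx = self.target_page(n)
        if idx is None:
            return "unlisted"
        keys, verdicts = self.pages[idx]
        i = bisect.bisect_left(keys, n)          # binary search inside the target page
        return verdicts[i] if i < len(keys) and keys[i] == n else "unlisted"


def build_sample() -> PagedExceptionList:
    # Constructed sample: eight excepted addresses, so two pages of four.
    allowed = ["10.0.0.1", "10.0.0.5", "10.1.2.3", "192.0.2.10"]
    blocked = ["10.0.0.9", "198.51.100.4", "198.51.100.7", "203.0.113.99"]
    return PagedExceptionList(allowed, blocked)


if __name__ == "__main__":
    lst = build_sample()
    for ip in ("10.0.0.9", "10.0.0.7", "192.0.2.10", "172.16.0.1"):
        print(ip, lst.lookup(ip))
```

Addresses that are not excepted return "unlisted" so the caller can hand them to the risk scoring of claims 1 and 2 rather than having the list decide for them.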