System and method for evaluating network threats and usage

US 10,230,746 B2
Filed: 01/30/2017
Issued: 03/12/2019
Est. Priority Date: 01/03/2014
Status: Active Grant

First Claim

Patent Images

1. A system for detecting computer network threats, the system comprising one or more computer hardware processors that execute specific code instructions to cause the system to at least:

receive a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;

determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;

a recency of historical activity associated with the network address, wherein the recency is determined by the system based at least in part on;

a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following;

an amount of time between an occurrence of the network address and a current time, oran amount of time between a first occurrence of the network address and a second occurrence of the network address; and

a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and

in response to determining the threat indicator, initiate an action based at least in part on the threat indicator to perform one or more of;

blocking the network address, allowing the network address, or modifying a network address list.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.

786 Citations

19 Claims

1. A system for detecting computer network threats, the system comprising one or more computer hardware processors that execute specific code instructions to cause the system to at least:
- receive a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  
  determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;
  
  a recency of historical activity associated with the network address, wherein the recency is determined by the system based at least in part on;
  
  a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following;
  
  an amount of time between an occurrence of the network address and a current time, oran amount of time between a first occurrence of the network address and a second occurrence of the network address; and
  
  a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  
  in response to determining the threat indicator, initiate an action based at least in part on the threat indicator to perform one or more of;
  
  blocking the network address, allowing the network address, or modifying a network address list.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the threat indicator for the network address is further based on a quantity of occurrences of the network address in the activity of the network address.
  - 3. The system of claim 1, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat that later was confirmed to be an actual threat.
  - 4. The system of claim 1, wherein the threat indicator for the network address is further based on a quantity of occurrences of network addresses associated with the network address in the activity of the network address.
  - 5. The system of claim 1, wherein the threat indicator for the network address comprises a threat score.
  - 6. The system of claim 5, wherein determining the threat indicator for the network address further comprises increasing the threat score in response to increases in a quantity of occurrences of the network address in the activity of the network address and wherein the increased threat score indicates a higher risk level associated with the network address.
  - 7. The system of claim 3, wherein the one or more computer hardware processors is further programmed, via executable code instructions, to receive the network address from a second data source, wherein receiving the network address from the second data source indicates that the network address was likely involved in a network attack;
    - andin response to receiving the network address from the computing system connected to the network and the second data source, increasing the likelihood that the perceived threat of the network address is an actual threat.

8. A computer-implemented method comprising:
- receiving, at a computing device, a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  
  determining a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;
  
  a recency of activity of the network address based on historic activity associated with the network address, wherein the recency is determined by the system based at least in part on;
  
  a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following;
  
  an amount of time between an occurrence of the network address and a current time, oran amount of time between a first occurrence of the network address and a second occurrence of the network address; and
  
  a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  
  in response to determining the threat indicator, initiate an action based at least in part on the threat indicator to perform one or more of;
  
  blocking the network address, allowing the network address, or modifying a network address list.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The computer-implemented method of claim 8, wherein the threat indicator is further based at least in part on a quantity of occurrences of the network address in the historic activity.
  - 10. The computer-implemented method of claim 8, wherein the threat indicator is further based at least in part on a likelihood that the network address is trustworthy, wherein the likelihood is based at least in part on records of trustworthy activity in the historical activity.
  - 11. The computer-implemented method of claim 8, wherein the historic activity is determined through records associated with at least one of:
    - a Virtual Private Network, a firewall, or a proxy server.
  - 12. The computer-implemented method of claim 8, further comprising:
    - identifying a network address match that at least partially matches the network address in at least one of;
      
      a trusted user list, a whitelist, employee data, or a Virtual Private Network list; and
      
      in response to identifying the network address match, decreasing the threat indicator.
  - 13. The computer-implemented method of claim 12, wherein the network address match is determined based at least in part on the network address'"'"'s presence in at least one of the:
    - a trusted user list, a whitelist, employee data, or a Virtual Private Network list.
  - 14. The computer-implemented method of claim 8, further comprising:
    - causing presentation of the threat indicator and the network address in a user interface.
  - 15. The computer-implemented method of claim 8, wherein the threat indicator comprises a threat score.
  - 16. The computer-implemented method of claim 8, wherein determining the threat indicator for the network address further comprises assigning a weight to a threat score based at least in part on the reliability of the data source.

17. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by one or more processors, cause the processors to:
- receive a network address of a computing system connected to a network attempting or requesting to access a first server connected to the network;
  
  determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;
  
  a recency of activity of the network address based on historic activity associated with the network address, wherein the recency is determined by the system based at least in part on;
  
  a time associated with an activity of the network address, wherein the time is determined by the system based on at least one of the following;
  
  an amount of time between an occurrence of the network address and a current time, oran amount of time between a first occurrence of the network address and a second occurrence of the network address; and
  
  a determination regarding reliability of a data source providing some or all of the historical activity data, wherein the reliability of the data source indicates a history of the data source in previously identifying a perceived threat; and
  
  in response to determining the threat indicator, initiate an action based at least in part on the determined threat indicator to perform one or more of;
  
  blocking the network address, allowing the network address, or modifying a network address list.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the threat indicator is further based at least in part on a quantity of occurrences of the network address in the activity of the network address.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the threat indicator is further based at least in part on a likelihood that the network address is trustworthy, wherein the likelihood is based at least in part on historical data of activities associated with the activity of the network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Visbal, Alexander
Primary Examiner(s)
Dolly, Kendall

Application Number

US15/419,718
Publication Number

US 20170237755A1
Time in Patent Office

771 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for evaluating network threats and usage

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

786 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for evaluating network threats and usage

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

786 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links