INTERNET PROTOCOL THREAT PREVENTION

US 20140283085A1
Filed: 03/13/2014
Published: 09/18/2014
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of assessing a risk associated with an Internet Protocol (IP) address for a risk category, the method comprising:

storing a plurality of threat information in a memory device, the threat information including the IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;

storing a risk category acceptance level in the memory device;

determining a risk category value associated with the IP address as a function of;

the risk confidence level, andtiming information, said timing information comprising;

a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;

storing the risk category value in the memory device; and

determining an action associated with the IP address for the risk category as a function of the risk category value and the risk category acceptance level.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, including risk confidence levels, assigning weighting factor values corresponding to various characteristics of the IP addresses, and mathematically transforming the risk confidence levels using the weighting factor values, traffic from IP addresses posing unacceptable levels of risk is blocked. Further, mathematically transforming risk confidence level to a user-defined acceptable risk level permits allowing traffic from the IP addresses having an acceptable level of risk.

32 Citations

View as Search Results

21 Claims

1. A computer-implemented method of assessing a risk associated with an Internet Protocol (IP) address for a risk category, the method comprising:
- storing a plurality of threat information in a memory device, the threat information including the IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;
  
  storing a risk category acceptance level in the memory device;
  
  determining a risk category value associated with the IP address as a function of;
  
  the risk confidence level, andtiming information, said timing information comprising;
  
  a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;
  
  storing the risk category value in the memory device; and
  
  determining an action associated with the IP address for the risk category as a function of the risk category value and the risk category acceptance level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising receiving the risk category acceptance level from a user via a graphical user interface and comparing the risk category value to the risk category acceptance level, wherein the determined action comprises allowing communications with a computing device associated with the IP address when the risk category value is less than the risk category acceptance level.
  - 3. The method of claim 1, further comprising:
    - acquiring the plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network; and
      
      storing a timestamp corresponding to the acquisition of the plurality of threat information in the memory device, wherein the timing information is determined based on the timestamp.
  - 4. The method of claim 3, further comprising:
    - storing the plurality of threat information in the memory device, the threat information further including a determination of whether the IP address is acquired from more than one IRIP;
      
      determining the risk value associated with the IP address as a further function of a multiple IRIP weighting factor when the IP address is acquired from more than one IRIP, wherein the multiple IRIP weighting factor increases the risk value.
  - 5. The method of claim 1, further comprising:
    - storing the plurality of threat information in the memory device, the threat information further including a determination of whether the IP address is associated with more than one risk category;
      
      determining the risk value associated with the IP address as a further function of a multiple category weighting factor when the IP address is associated with more than one risk category, wherein the multiple category weighting factor increases the risk value.
  - 6. The method of claim 1, further comprising:
    - storing the plurality of threat information in the memory device, the threat information further including a determination of source characteristics and destination characteristics associated with the IP address;
      
      determining the risk value associated with the IP address as a further function of a source/destination weighting factor corresponding to the source characteristics and the destination characteristics, wherein the source/destination weighting factor increases the risk value.
  - 7. The method of claim 6 wherein the source characteristics and the destination characteristics comprise at least one of:
    - a geographic area, a country, a business sector, an industrial sector, and a political region.
  - 8. The method of claim 1, further comprising:
    - storing the plurality of threat information in the memory device, the threat information further including a determination of Internet Service Provider (ISP) characteristics associated with the IP address;
      
      determining the risk value associated with the IP address as a further function of an ISP weighting factor corresponding to the ISP characteristics, wherein the ISP weighting factor increases the risk value.
  - 9. The method of claim 1, further comprising:
    - storing the plurality of threat information in the memory device, the threat information further including a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding the threshold level;
      
      determining the risk value associated with the IP address as a further function of a geographic weighting factor corresponding to the geographic proximity characteristics associated with the IP address, wherein the geographic weighting factor increases the risk value.

10. A processor-implemented method of determining an aggregate risk score for a plurality of Internet Protocol (IP) addresses, the method comprising:
- receiving a plurality of IP addresses from one or more internet risk intelligence providers (IRIPs) for a particular category via a computer communications network;
  
  processing instructions for determining a plurality of source characteristics associated with each of the plurality of received IP addresses;
  
  processing instructions for assigning one or more weighting factors to each of the plurality of source characteristics;
  
  processing instructions for mathematically transforming each of the plurality of weighted source characteristics to adjust a risk confidence level for each of the plurality of received IP addresses;
  
  processing instructions for determining an aggregate risk score for the plurality of received IP addresses as a function of the adjusted confidence levels for each of the plurality of received IP addresses; and
  
  processing instructions for allowing computer network communication with computing devices associated with each of the plurality of received IP addresses having an acceptable level of risk compared to the aggregate risk score.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising:
    - processing instructions for determining whether each of the plurality of received IP addresses is received from more than one IRIP; and
      
      processing instructions for assigning one or more additional weighting factors to each of the plurality of received IP addresses received from more than one IRIP.
  - 12. The method of claim 10, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptance level during a time interval.
  - 13. The method of claim 10, wherein at least one of the source characteristics comprises a source/destination characteristic associated with each of the plurality of received IP addresses and further comprising processing instructions for determining a risk value associated with each of the received IP addresses as a function of a source/destination weighting factor corresponding to the source/destination characteristic, wherein the source/destination weighting factor increases the risk value.
  - 14. The method of claim 13 wherein the source/destination characteristic comprises at least one of:
    - a geographic area, a country, a business sector, an industrial sector, and a political region.
  - 15. The method of claim 10, wherein at least one of the source characteristics comprises an Internet Service Provider (ISP) characteristic associated with each of the plurality of received IP addresses and further comprising processing instructions for determining a risk value associated with each of the received IP addresses as a function of an ISP weighting factor corresponding to the ISP characteristic, wherein the ISP weighting factor increases the risk value.
  - 16. The method of claim 10, further comprising processing instructions for generating a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories.

17. A system for determining risk for a plurality of Internet Protocol (IP) addresses received in real-time from a plurality of sources, the system comprising:
- a memory for storing the plurality of IP addresses, a timestamp associated with each of the plurality of IP addresses, a risk category associated with each of the plurality of IP addresses, and a risk confidence level associated with each of the plurality of IP addresses;
  
  a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses on a display, and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories;
  
  a computer-readable storage media having stored thereon computer processor-executable instructions;
  
  a computer processor for executing the computer-executable instructions, said instructions comprising;
  
  receiving a plurality of IP addresses associated with a particular risk category from one or more internet risk intelligence providers (IRIPs);
  
  determining if the one or more received IP addresses are associated with more than one risk category;
  
  determining source characteristics for each of the received IP addresses for a category;
  
  assigning a weighting factor to each of the source characteristics for each category;
  
  adjusting a confidence level for each of the received IP addresses by using a mathematical transform based on the weighting factors for each category;
  
  determining an aggregate risk score for all the IP addresses based on the adjusted confidence levels;
  
  receiving an acceptable risk level from a user for each category;
  
  comparing the aggregate risk score with the received acceptable risk level from the user; and
  
  allowing any IP addresses having an acceptable risk level to pass through the network'"'"'s firewall.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein at least one of the source characteristics comprises a source/destination characteristic associated with each of the plurality of received IP addresses and wherein the computer-executable instructions comprise determining a risk value associated with each of the received IP addresses as a function of a source/destination weighting factor corresponding to the source/destination characteristic, wherein the source/destination weighting factor increases the risk value.
  - 19. The system of claim 17, wherein at least one of the source characteristics comprises an Internet Service Provider (ISP) characteristic associated with each of the plurality of received IP addresses and wherein the computer-executable instructions comprise determining a risk value associated with each of the received IP addresses as a function of an ISP weighting factor corresponding to the ISP characteristic, wherein the ISP weighting factor increases the risk value.
  - 20. The system of claim 17, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptance risk level during a time interval based on the timestamp associated therewith.

21. A computer network firewall system, comprising:
- at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;
  
  a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor;
  
  store a plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;
  
  store a risk acceptance level;
  
  determine a risk value associated with the IP address as a function of;
  
  the risk confidence level,a number of instances the risk confidence level has exceeded a threshold level during a first time interval, anda second time interval representing the elapsed time since the risk confidence level previously exceeded the threshold level;
  
  compare the risk value with the risk acceptance level; and
  
  block computer network communications with a computing device associated with the IP address when the risk value is greater than or equal to the risk acceptance level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threater Incorporated
Original Assignee
TechGuard Security LLC
Inventors
Maestas, David Edward

Granted Patent

US 9,342,691 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

INTERNET PROTOCOL THREAT PREVENTION

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

INTERNET PROTOCOL THREAT PREVENTION

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links