Handling information security incidents

US 8,973,140 B2
Filed: 03/14/2013
Issued: 03/03/2015
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

at least one processor; and

memory storing computer readable instructions that, when executed by the at least one processor, cause the computing device to;

receive information indicating that a network address is associated with an information security incident;

monitor activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of internet protocol (IP) addresses associated with a particular network service provider;

determine, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and

cause one or more remediation actions to be performed in response to determining that the network address represents the information security threat,wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, andwherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer-readable media, and apparatuses for handling information security incidents are presented. In some embodiments, a computing device may receive information indicating that a network address is associated with an information security incident. Subsequently, the computing device may monitor activity associated with the network address. Based on the monitoring, the computing device may determine whether the network address represents an information security threat. In response to determining that the network address represents an information security threat, the computing device may cause one or more remediation actions to be performed. In some arrangements, the information security incident may be a denial of service attack. In additional or alternative arrangements, the network address may be located in a particular net block, and the computing device may evaluate one or more remediation criteria, which may include analyzing network activity for one or more other addresses that are located within the net block.

45 Citations

View as Search Results

18 Claims

1. A computing device, comprising:
- at least one processor; and
  
  memory storing computer readable instructions that, when executed by the at least one processor, cause the computing device to;
  
  receive information indicating that a network address is associated with an information security incident;
  
  monitor activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of internet protocol (IP) addresses associated with a particular network service provider;
  
  determine, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
  
  cause one or more remediation actions to be performed in response to determining that the network address represents the information security threat,wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, andwherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing device of claim 1, wherein the information security incident is a denial of service attack.
  - 3. The computing device of claim 1, wherein the determining whether the network address represents the information security threat includes reevaluating the one or more remediation criteria after the period of time.
  - 4. The computing device of claim 1, wherein the causing the one or more remediation actions to be performed includes:
    - selecting a notification template based on provider information associated with the network address;
      
      generating a notification based on the notification template and the provider information;
      
      sending the notification to a provider associated with the network address;
      
      after sending the notification, determining whether the network address still represents the information security threat; and
      
      in response to determining that the network address still represents the information security threat;
      
      selecting a second notification template based on the provider information;
      
      generating a second notification based on the notification template and the provider information; and
      
      sending the second notification to the provider.
  - 5. The computing device of claim 1, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a time period in which the activity associated with the network address is monitored.
  - 6. The computing device of claim 1, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a different time period than a time period in which the activity associated with the network address is monitored.

7. A method, comprising:
- receiving, by a computing device, information indicating that a network address is associated with an information security incident;
  
  monitoring, by the computing device, activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of internet protocol (IP) addresses associated with a particular network service provider;
  
  determining, by the computing device, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
  
  in response to determining that the network address represents the information security threat, causing, by the computing device, one or more remediation actions to be performed,wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, andwherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the information security incident is a denial of service attack.
  - 9. The method of claim 8, wherein the determining whether the network address represents the information security threat includes reevaluating the one or more remediation criteria after the period of time.
  - 10. The method of claim 7, wherein the causing the one or more remediation actions to be performed includes:
    - selecting a notification template based on provider information associated with the network address;
      
      generating a notification based on the notification template and the provider information;
      
      sending the notification to a provider associated with the network address;
      
      after sending the notification, determining whether the network address still represents the information security threat; and
      
      in response to determining that the network address still represents the information security threat;
      
      selecting a second notification template based on the provider information;
      
      generating a second notification based on the notification template and the provider information; and
      
      sending the second notification to the provider.
  - 11. The method of claim 7, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a time period in which the activity associated with the network address is monitored.
  - 12. The method of claim 7, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a different time period than a time period in which the activity associated with the network address is monitored.

13. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed by a computing device, cause the computing device to:
- receive information indicating that a network address is associated with an information security incident;
  
  monitor activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of Internet protocol (IP) addresses associated with a particular network service provider;
  
  determine, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
  
  cause one or more remediation actions to be performed in response to determining that the network address represents the information security threat,wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, andwherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The one or more non-transitory computer-readable media of claim 13, wherein the information security incident is a denial of service attack.
  - 15. The one or more non-transitory computer-readable media of claim 13, wherein the determining whether the network address represents the information security threat includes reevaluating the one or more remediation criteria after the period of time.
  - 16. The one or more non-transitory computer-readable media of claim 13, wherein the causing the one or more remediation actions to be performed includes:
    - selecting a notification template based on provider information associated with the network address;
      
      generating a notification based on the notification template and the provider information;
      
      sending the notification to a provider associated with the network address;
      
      after sending the notification, determining whether the network address still represents the information security threat; and
      
      in response to determining that the network address still represents the information security threat;
      
      selecting a second notification template based on the provider information;
      
      generating a second notification based on the notification template and the provider information; and
      
      sending the second notification to the provider.
  - 17. The one or more non-transitory computer-readable media of claim 13, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a time period in which the activity associated with the network address is monitored.
  - 18. The one or more non-transitory computer-readable media of claim 13, wherein the network activity for the multiple other network addresses that are located within the first net block is monitored during a different time period than a time period in which the activity associated with the network address is monitored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Shnowske, Daniel P., Demirmen, Okan, Ramcharran, Ronald, Metzger, Timothy C.
Primary Examiner(s)
Patel, Nirav B

Application Number

US13/827,200
Publication Number

US 20140283049A1
Time in Patent Office

719 Days
Field of Search

726 22- 25, 726 11- 15
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Handling information security incidents

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Handling information security incidents

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links