Handling information security incidents
1 Assignment
0 Petitions
Abstract
Methods, systems, computer-readable media, and apparatuses for handling information security incidents are presented. In some embodiments, a computing device may receive information indicating that a network address is associated with an information security incident. Subsequently, the computing device may monitor activity associated with the network address. Based on the monitoring, the computing device may determine whether the network address represents an information security threat. In response to determining that the network address represents an information security threat, the computing device may cause one or more remediation actions to be performed. In some arrangements, the information security incident may be a denial of service attack. In additional or alternative arrangements, the network address may be located in a particular net block, and the computing device may evaluate one or more remediation criteria, which may include analyzing network activity for one or more other addresses that are located within the net block.
45 Citations
18 Claims
1. A computing device, comprising:
at least one processor; and
memory storing computer readable instructions that, when executed by the at least one processor, cause the computing device to:
receive information indicating that a network address is associated with an information security incident;
monitor activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of internet protocol (IP) addresses associated with a particular network service provider;
determine, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
cause one or more remediation actions to be performed in response to determining that the network address represents the information security threat,
wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,
wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, and
wherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
(Dependent claims 2 to 6 are not reproduced on this page.)

7. A method, comprising:
receiving, by a computing device, information indicating that a network address is associated with an information security incident;
monitoring, by the computing device, activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of internet protocol (IP) addresses associated with a particular network service provider;
determining, by the computing device, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
in response to determining that the network address represents the information security threat, causing, by the computing device, one or more remediation actions to be performed,
wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,
wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, and
wherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
(Dependent claims 8 to 12 are not reproduced on this page.)

13. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed by a computing device, cause the computing device to:
receive information indicating that a network address is associated with an information security incident;
monitor activity associated with the network address, wherein the network address is located in a first net block, and wherein the first net block comprises a group of Internet protocol (IP) addresses associated with a particular network service provider;
determine, based on the monitoring, whether the network address associated with the information security incident represents an information security threat, wherein the determining whether the network address represents the information security threat includes evaluating one or more remediation criteria, and wherein the evaluating the one or more remediation criteria includes analyzing network activity for multiple other network addresses that are located within the first net block; and
cause one or more remediation actions to be performed in response to determining that the network address represents the information security threat,
wherein the monitored activity associated with the network address is compiled with the network activity for the multiple other network addresses that are located within the first net block to determine whether aggregate activity associated with the first net block represents the information security threat,
wherein the monitoring the activity associated with the network address includes periodically updating records for network activity associated with the network address over a period of time, and
wherein the determining whether the network address represents the information security threat includes periodically evaluating the records for the network activity associated with the network address during the period of time.
(Dependent claims 14 to 18 are not reproduced on this page.)
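The workflow the abstract and independent claims 1, 7 and 13 describe (receive an incident report naming an address, record its activity periodically, evaluate remediation criteria that compile the address's activity with the other addresses in its net block, then remediate) as an added worked example. This is illustrative code written for this page, not code from the patent, its assignee or any product; the net blocks, the two remediation criteria, every threshold, the record layout and the sample traffic are assumptions chosen for the example, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityRecord:
    """One periodically updated observation for a single network address."""
    window: int    # time bucket index (e.g. minute); a constructed unit for the example
    requests: int  # requests seen from the address during that window


class IncidentTracker:
    """Monitors addresses named in incident reports and evaluates remediation
    criteria against the address itself and against its net block.
    All thresholds below are assumed values; the patent specifies none."""

    def __init__(self, netblocks, period=3, addr_req_limit=500,
                 block_req_limit=1200, min_block_hosts=3):
        self.netblocks = [ipaddress.ip_network(n) for n in netblocks]
        self.period = period                    # windows each evaluation looks back over
        self.addr_req_limit = addr_req_limit    # avg requests/window for one address
        self.block_req_limit = block_req_limit  # summed avg requests/window for the block
        self.min_block_hosts = min_block_hosts  # distinct active hosts for the block criterion
        self.records = defaultdict(list)        # address -> [ActivityRecord]
        self.watched = set()                    # addresses received in incident reports

    def netblock_of(self, addr):
        ip = ipaddress.ip_address(addr)
        return next((net for net in self.netblocks if ip in net), None)

    def receive_incident(self, addr):
        """An incident report names an address: put it under monitoring."""
        self.watched.add(addr)

    def record_activity(self, addr, window, requests):
        """Periodic record update. Records are kept for every address in the
        monitored net blocks, not only reported ones, so block aggregates can
        be compiled later."""
        self.records[addr].append(ActivityRecord(window, requests))

    def _recent(self, addr, window):
        return [r for r in self.records.get(addr, ())
                if window - self.period < r.window <= window]

    @staticmethod
    def _avg_requests(recs):
        return sum(r.requests for r in recs) / len(recs)

    def evaluate(self, addr, window):
        """Periodic evaluation at `window`. Returns (is_threat, actions, reasons)."""
        if addr not in self.watched:
            raise ValueError(f"{addr} is not under monitoring")
        own = self._recent(addr, window)
        if len(own) < self.period:
            return False, [], ["insufficient history; keep monitoring"]
        actions, reasons = [], []

        # Criterion A: the reported address on its own, averaged over the period.
        avg = self._avg_requests(own)
        if avg >= self.addr_req_limit:
            actions.append(f"block {addr}")
            reasons.append(f"{addr} averaged {avg:.0f} req/window over {self.period} windows")

        # Criterion B: the address's activity compiled with the other addresses in
        # its net block. Many moderately noisy hosts in one block is the pattern a
        # per-address threshold alone misses.
        block = self.netblock_of(addr)
        if block is not None:
            active, total = [], 0.0
            for member in list(self.records):
                recs = self._recent(member, window)
                if recs and ipaddress.ip_address(member) in block:
                    active.append(member)
                    total += self._avg_requests(recs)
            if total >= self.block_req_limit and len(active) >= self.min_block_hosts:
                actions.append(f"rate-limit {block}")
                reasons.append(f"{len(active)} hosts in {block} summed to {total:.0f} req/window")

        if not actions:
            reasons.append("no remediation criterion met; keep monitoring")
        return bool(actions), actions, reasons


def run_example():
    """Constructed scenario (not data from the patent): one reported address that
    is modest by itself but sits in a busy block, one quiet reported address, and
    one reported address that is loud on its own."""
    t = IncidentTracker(["203.0.113.0/24", "198.51.100.0/24"])
    for addr in ("203.0.113.45", "198.51.100.7", "198.51.100.9"):
        t.receive_incident(addr)
    for w in range(3):
        t.record_activity("203.0.113.45", w, 260)          # reported; under the per-address limit
        for host in range(10, 15):                         # five neighbours in the same block
            t.record_activity(f"203.0.113.{host}", w, 250)
        t.record_activity("198.51.100.7", w, 40)           # reported; quiet
        t.record_activity("198.51.100.9", w, 900)          # reported; loud on its own
    return {
        "timeline": [t.evaluate("203.0.113.45", w) for w in range(3)],
        "quiet": t.evaluate("198.51.100.7", 2),
        "loud": t.evaluate("198.51.100.9", 2),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

The timeline for 203.0.113.45 shows the periodic evaluation the claims call for: the first two windows return "insufficient history" and only the third, with a full period of records, reaches a decision. That decision comes from the block criterion, not the per-address one, which is the point of compiling the reported address's activity with its neighbours; the 198.51.100.9 case shows the per-address criterion firing while the block criterion stays quiet.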
Specification