Internet protocol threat prevention
First Claim
1. A computer-implemented method of protecting a computer network from a computing device associated with an Internet Protocol (IP) address, the method comprising:
acquiring a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
storing the plurality of threat information in a memory device, the threat information including the IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;
storing a risk category acceptance level in the memory device;
storing a timestamp corresponding to the acquisition of the plurality of threat information in the memory device;
determining, by a processing device coupled to the memory device, a risk category value associated with the IP address as a function of:
the risk confidence level stored in the memory device, and timing information stored in the memory device, said timing information being determined based on the timestamp and comprising:
a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;
storing the risk category value in the memory device; and
blocking, by the processing device, communications from the computing device associated with the IP address when the risk category value is equal to or greater than the risk category acceptance level.
Abstract
Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, including risk confidence levels, assigning weighting factor values corresponding to various characteristics of the IP addresses, and mathematically transforming the risk confidence levels using the weighting factor values, traffic from IP addresses posing unacceptable levels of risk is blocked. Further, mathematically transforming risk confidence level to a user-defined acceptable risk level permits allowing traffic from the IP addresses having an acceptable level of risk.
19 Claims
1. A computer-implemented method of protecting a computer network from a computing device associated with an Internet Protocol (IP) address, the method comprising:
acquiring a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
storing the plurality of threat information in a memory device, the threat information including the IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;
storing a risk category acceptance level in the memory device;
storing a timestamp corresponding to the acquisition of the plurality of threat information in the memory device;
determining, by a processing device coupled to the memory device, a risk category value associated with the IP address as a function of:
the risk confidence level stored in the memory device, and timing information stored in the memory device, said timing information being determined based on the timestamp and comprising:
a number of instances the risk confidence level has exceeded the risk category acceptance level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the risk category acceptance level;
storing the risk category value in the memory device; and
blocking, by the processing device, communications from the computing device associated with the IP address when the risk category value is equal to or greater than the risk category acceptance level.
(Dependent claims 2, 3, 4, 5, 6, 7, 8)
9. A processor-implemented method of using an aggregate risk score for a plurality of Internet Protocol (IP) addresses to monitor communications in a computer network, the method comprising:
receiving a plurality of IP addresses from one or more internet risk intelligence providers (IRIPs) for a particular category via a computer communications network;
processing instructions for determining a plurality of source characteristics associated with each of the plurality of received IP addresses;
processing instructions for assigning one or more weighting factors to each of the plurality of source characteristics;
processing instructions for mathematically transforming each of the plurality of weighted source characteristics to adjust a risk confidence level for each of the plurality of received IP addresses, wherein the mathematical transformation is at least one of a linear transformation, an exponential transformation, and a logarithmic transformation;
processing instructions for determining an aggregate risk score for the plurality of received IP addresses as a function of the adjusted confidence levels for each of the plurality of received IP addresses, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded an acceptable level during a time interval;
storing the aggregate risk score in a memory device; and
processing instructions for allowing computer network communication with computing devices associated with each of the plurality of received IP addresses having the acceptable level of risk compared to the stored aggregate risk score.
(Dependent claims 10, 11, 12, 13, 14)
15. A system for protecting a network from a security threat in real-time, the system comprising:
a memory for storing the plurality of Internet Protocol (IP) addresses, a timestamp associated with each of the plurality of IP addresses, a risk category associated with each of the plurality of IP addresses, and a risk confidence level associated with each of the plurality of IP addresses;
a graphical user interface (GUI) for displaying a plurality of risk categories associated with the plurality of IP addresses on a display, and for receiving input from a user, the input including a risk acceptance level for each of the plurality of risk categories;
a non-transitory computer-readable storage media having stored thereon computer processor-executable instructions;
a computer processor for executing the computer-executable instructions, said instructions comprising:
receiving a plurality of IP addresses associated with a particular risk category from one or more internet risk intelligence providers (IRIPs);
determining if the one or more received IP addresses are associated with more than one risk category;
determining source characteristics for each of the received IP addresses for a category;
assigning a weighting factor to each of the source characteristics for each category;
adjusting a confidence level for each of the received IP addresses by using a mathematical transform based on the weighting factors for each category;
determining an aggregate risk score for all the IP addresses based on the adjusted confidence levels;
storing the aggregate risk score in a memory device;
receiving an acceptable risk level from a user for each category, wherein the aggregate risk score is a function of a number of instances the risk confidence level for each of the received IP addresses has exceeded the acceptable risk level during a time interval based on the timestamp associated therewith;
comparing the stored aggregate risk score with the received acceptable risk level from the user; and
allowing communications from any IP addresses having an acceptable risk level to pass through the network's firewall.
(Dependent claims 16, 17)
18. A computer network firewall system, comprising:
at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;
a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor:
acquire a plurality of threat information from one or more internet risk intelligence providers (IRIPs) via a computer communications network;
store the plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, and a risk confidence level associated with the IP address;
store a risk acceptance level;
store a timestamp corresponding to the acquisition of the plurality of threat information on the computer-readable medium;
determine a risk value associated with the IP address as a function of: the risk confidence level, a number of instances the risk confidence level has exceeded a threshold level during a first time interval, and a second time interval representing the elapsed time since the risk confidence level previously exceeded the threshold level;
compare the risk value with the risk acceptance level; and
block computer network communications with a computing device associated with the IP address when the risk value is greater than or equal to the risk acceptance level.
19. A computer network firewall system, comprising:
at least one tangible, non-transitory a computer-readable medium storing processor-executable instructions;
a threat assessment processor programmed to execute the instructions, wherein the instructions, when executed by the processor:
store a plurality of threat information on the computer-readable medium, the threat information including an IP address, a risk category associated with the IP address, a risk confidence level associated with the IP address, and a determination of geographic proximity characteristics associated with the IP address in relation to geographic proximity characteristics associated with one or more other IP addresses having risk confidence levels exceeding a threshold level;
store a risk acceptance level;
determine a risk value associated with the IP address as a function of: the risk confidence level, a number of instances the risk confidence level has exceeded the threshold level during a first time interval, a second time interval representing the elapsed time since the risk confidence level previously exceeded the threshold level, and a geographic weighting factor corresponding to the geographic proximity characteristics associated with the IP address, wherein the geographic weighting factor increases the risk value;
compare the risk value with the risk acceptance level; and
block computer network communications with a computing device associated with the IP address when the risk value is greater than or equal to the risk acceptance level.
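The claims above state which inputs the risk value and the aggregate risk score are functions of (the provider's confidence level, the count of exceedances in a first time interval, the time elapsed since the last exceedance, and weighted source characteristics passed through a linear, exponential or logarithmic transform) but not how those inputs are combined. The following is an added worked example, not code from the patent or its assignee, showing one concrete way to implement the decision in claims 1, 18 and 19 and the weighted adjustment and aggregate of claims 9 and 15. The record layout, the characteristic names and weights, the transform shapes, the decay half-life, the per-exceedance bonus and the feed entries (documentation-range addresses) are all constructed assumptions; the geographic weighting factor of claim 19 can be represented as one more weighted characteristic in this scheme.

```python
import math
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

DAY = 86400


@dataclass(frozen=True)
class ThreatRecord:
    """One entry acquired from an internet risk intelligence provider (IRIP)."""
    ip: str
    category: str                  # risk category, e.g. "scanner" (constructed label)
    confidence: float              # provider's risk confidence level, 0-100
    acquired_at: int               # acquisition timestamp, seconds since epoch
    characteristics: tuple = ()    # source characteristics for claim 9 weighting


# Transforms named in claim 9; each maps a weighted confidence back to 0-100.
# The exact shapes are assumptions, not taken from the patent.
TRANSFORMS: dict[str, Callable[[float], float]] = {
    "linear": lambda x: x,
    "exponential": lambda x: 100.0 * (1.0 - math.exp(-x / 100.0)),
    "logarithmic": lambda x: 100.0 * math.log1p(x) / math.log1p(100.0),
}


def adjust_confidence(rec: ThreatRecord, weights: dict[str, float],
                      transform: str = "linear") -> float:
    """Claim 9 adjustment: sum the weighting factors of the source
    characteristics present, scale the confidence, transform, clamp."""
    weight = 1.0 + sum(weights.get(c, 0.0) for c in rec.characteristics)
    return max(0.0, min(100.0, TRANSFORMS[transform](rec.confidence * weight)))


def timing_information(records: Iterable[ThreatRecord], acceptance_level: float,
                       now: int, window: int) -> tuple[int, Optional[int]]:
    """The two timing quantities of claims 1 and 18: how many acquisitions
    exceeded the acceptance level inside the first interval (`window`), and
    the second interval, seconds since the most recent exceedance (None if
    the level was never exceeded)."""
    hits = sorted(r.acquired_at for r in records
                  if r.confidence > acceptance_level and r.acquired_at <= now)
    count = sum(1 for t in hits if t >= now - window)
    elapsed = (now - hits[-1]) if hits else None
    return count, elapsed


def risk_value(records: list[ThreatRecord], acceptance_level: float, now: int,
               window: int = 7 * DAY, half_life: int = DAY,
               per_hit: float = 5.0) -> float:
    """Assumed combination rule: the most recently acquired confidence plus a
    bonus per in-window exceedance, decayed by the time elapsed since the last
    exceedance (half-life in seconds)."""
    latest = max(records, key=lambda r: r.acquired_at)
    count, elapsed = timing_information(records, acceptance_level, now, window)
    recency = 0.0 if elapsed is None else 0.5 ** (elapsed / half_life)
    return min(100.0, latest.confidence + per_hit * count * recency)


def should_block(feed: Iterable[ThreatRecord], ip: str, acceptance_level: float,
                 now: int, **kw) -> bool:
    """Claim 1 / 18 decision for one IP: block when value >= acceptance level.
    An IP with no feed records is allowed, since nothing is known about it."""
    records = [r for r in feed if r.ip == ip]
    if not records:
        return False
    return risk_value(records, acceptance_level, now, **kw) >= acceptance_level


def aggregate_risk_score(feed: Iterable[ThreatRecord], weights: dict[str, float],
                         acceptance_level: float, transform: str = "linear",
                         per_hit: float = 5.0) -> float:
    """Claim 9 / 15 aggregate over every IP in the feed: mean of each IP's
    highest adjusted confidence plus a bonus per IP above the acceptable
    level (assumed form)."""
    best: dict[str, float] = {}
    for r in feed:
        best[r.ip] = max(best.get(r.ip, 0.0), adjust_confidence(r, weights, transform))
    over = sum(1 for v in best.values() if v > acceptance_level)
    return min(100.0, sum(best.values()) / len(best) + per_hit * over)


# Constructed feed (documentation-range addresses, not real indicators).
NOW = 10 * DAY
FEED = [
    ThreatRecord("198.51.100.7", "scanner", 55.0, 3 * DAY, ("recent_registration",)),
    ThreatRecord("198.51.100.7", "scanner", 80.0, 6 * DAY, ("recent_registration",)),
    ThreatRecord("198.51.100.7", "scanner", 72.0, 9 * DAY, ("recent_registration", "open_proxy")),
    ThreatRecord("203.0.113.9", "scanner", 20.0, 8 * DAY, ()),
]
WEIGHTS = {"recent_registration": 0.10, "open_proxy": 0.25}   # constructed

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        for level in (70.0, 85.0):
            verdict = "block" if should_block(FEED, ip, level, NOW) else "allow"
            print(f"{ip} at acceptance level {level}: {verdict}")
    print("aggregate risk score:", aggregate_risk_score(FEED, WEIGHTS, 70.0))
```

With the constructed feed, the first address exceeds an acceptance level of 70 twice inside the seven-day window, most recently one day ago, so its value is 72 + 5 * 2 * 0.5 = 77 and it is blocked; raising the acceptance level to 85 leaves no exceedances, the value falls back to the latest confidence of 72, and the address is allowed. That is the tailoring the abstract describes: the same feed data yields different block decisions per risk category as the operator moves the acceptance level.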