System and method for evaluating network threats and usage
First Claim
1. A system for detecting computer network threats, the system comprising:
one or more computer hardware processors that execute specific code instructions to cause the system to at least:
receive a network address from a first data source, the first data source comprising a computing system connected to a network, the computing system configured to receive network traffic;
determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on:
a quantity of occurrences of the network address in the first data source, a cumulative time between respective occurrences of the network address in the first data source and a first time, and a likelihood that a perceived threat of the network address is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events from the first data source; and
provide the threat indicator to an entity device, wherein the entity device is configured to block the network address based at least in part on the threat indicator.
Abstract
Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.
20 Claims
1. (Independent claim; set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method comprising:
receiving a network address from a first data source and a second data source, the first data source comprising a computing system connected to a network, wherein the second data source is different from the first data source;
determining a usage indicator for the network address, wherein the usage indicator indicates a trust level associated with the network address, and wherein the usage indicator is based at least in part on:
a quantity of occurrences of the network address in at least one of the first data source or the second data source, a difference in time between at least one occurrence of the network address in at least one of the first data source or the second data source and at least a first time, wherein a smaller difference in time indicates a higher trust level, and a likelihood that the network address is trustworthy, wherein the likelihood is based at least in part on historical data of activities associated with at least one of the first data source or the second data source; and
providing the usage indicator to an entity device, wherein the entity device is configured to allow the network address based at least in part on the usage indicator.
Dependent claims: 7, 8, 9, 10, 11, 12.
13. A computer-implemented method comprising:
receiving a network address from a first data source, the first data source comprising a computing system connected to a network, the computing system configured to receive network traffic;
determining a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on:
a quantity of occurrences of the network address in the first data source, a cumulative time between respective occurrences of the network address in the first data source and a first time, and a likelihood that a perceived threat of the network address is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events from the first data source; and
providing the threat indicator to an entity device, wherein the entity device is configured to block the network address based at least in part on the threat indicator.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
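The three inputs named in claims 1 and 13 (occurrence count, cumulative time between occurrences and a reference time, and a per-source likelihood derived from historical confirmations), worked through on constructed alert records. This is an added illustration, not the patent's own implementation; the way the three factors are combined into one score, the half-life decay, the sample alerts and the block threshold are all assumptions made here.

```python
import math
from datetime import datetime, timedelta

# Constructed sample alert records: (source, network address, time seen).
NOW = datetime(2024, 1, 10, 12, 0, 0)  # the "first time" the claim measures against
ALERTS = [
    ("ids_a", "203.0.113.7", NOW - timedelta(hours=1)),
    ("ids_a", "203.0.113.7", NOW - timedelta(hours=6)),
    ("ids_a", "203.0.113.7", NOW - timedelta(days=2)),
    ("ids_a", "198.51.100.9", NOW - timedelta(days=20)),
]
# Constructed historical data per source: past alerts raised and how many were confirmed.
HISTORY = {"ids_a": {"alerts": 1000, "confirmed": 800}}


def likelihood(source, history=HISTORY):
    """Chance that a perceived threat from this source is real, from its past record."""
    h = history[source]
    return h["confirmed"] / h["alerts"] if h["alerts"] else 0.0


def threat_indicator(address, alerts=ALERTS, now=NOW, half_life_hours=24.0):
    """Risk level in [0, 1). The combination below is an assumed formula, not the patent's."""
    hits = [(src, t) for src, addr, t in alerts if addr == address]
    if not hits:
        return 0.0
    quantity = len(hits)
    # Cumulative time between each occurrence and the reference time, in hours.
    cumulative_hours = sum((now - t).total_seconds() / 3600 for _, t in hits)
    mean_age = cumulative_hours / quantity
    recency = 0.5 ** (mean_age / half_life_hours)  # 1.0 if just seen, halves every 24 h
    weight = likelihood(hits[0][0])  # all sample hits come from one source here
    return 1 - math.exp(-quantity * recency * weight)


def should_block(address, threshold=0.5):
    """Decision the entity device would take on the indicator (threshold is assumed)."""
    return threat_indicator(address) >= threshold
```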