System and method for evaluating network threats and usage

US 9,560,066 B2
Filed: 08/03/2015
Issued: 01/31/2017
Est. Priority Date: 01/03/2014
Status: Active Grant

First Claim

Patent Images

1. A system for detecting computer network threats, the system comprising:

one or more computer hardware processors that execute specific code instructions to cause the system to at least;

receive a network address from a first data source, the first data source comprising a computing system connected to a network, the computing system configured to receive network traffic;

determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;

a quantity of occurrences of the network address in the first data source,a cumulative time between respective occurrences of the network address in the first data source and a first time, anda likelihood that a perceived threat of the network address is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events from the first data source; and

provide the threat indicator to an entity device, wherein the entity device is configured to block the network address based at least in part on the threat indicator.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.

14 Citations

View as Search Results

20 Claims

1. A system for detecting computer network threats, the system comprising:
- one or more computer hardware processors that execute specific code instructions to cause the system to at least;
  
  receive a network address from a first data source, the first data source comprising a computing system connected to a network, the computing system configured to receive network traffic;
  
  determine a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;
  
  a quantity of occurrences of the network address in the first data source,a cumulative time between respective occurrences of the network address in the first data source and a first time, anda likelihood that a perceived threat of the network address is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events from the first data source; and
  
  provide the threat indicator to an entity device, wherein the entity device is configured to block the network address based at least in part on the threat indicator.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the first data source further comprises at least one of:
    - an internal blacklist, an external blacklist, a firewall, or an intrusion detection system.
  - 3. The system of claim 1, wherein the threat indicator comprises a threat score.
  - 4. The system of claim 1 , wherein the one or more computer hardware processors execute the specific code instructions to further cause the system to at least:
    - determine an updated threat indicator that indicates a higher risk level relative to the threat indicator, wherein the updated threat indicator is based at least in part on one of;
      
      a greater quantity of occurrences of the network address in the first data source, a change in the cumulative time, or a greater likelihood of the actual threat.
  - 5. The system of claim 1, wherein the one or more computer hardware processors execute the specific code instructions to further cause the system to at least:
    - receive the network address from a second data source, wherein receiving the network address from the second data source indicates that the network address was likely involved in a network attack, and wherein respective data source types for the first and second data sources are different; and
      
      in response to receiving the network address from the first data source and the second data source, increasing the likelihood that the perceived threat of the network address is an actual threat.

6. A computer-implemented method comprising:
- receiving a network address from a first data source and a second data source, the first data source comprising a computing system connected to a network, wherein the second data source is different from the first data source;
  
  determining a usage indicator for the network address, wherein the usage indicator indicates a trust level associated with the network address, and wherein the usage indicator is based at least in part on;
  
  a quantity of occurrences of the network address in at least one of the first data source or the second data source,a difference in time between at least one occurrence of the network address in at least one of the first data source or the second data source and at least a first time, wherein a smaller difference in time indicates a higher trust level, anda likelihood that the network address is trustworthy, wherein the likelihood is based at least in part on historical data of activities associated with at least one of the first data source or the second data source; and
  
  providing the usage indicator to an entity device, wherein the entity device is configured to allow the network address based at least in part on the usage indicator.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The computer-implemented method of claim 6, wherein the first data source is associated with at least one of:
    - a Virtual Private Network, a firewall, a proxy server, a whitelist, or a trusted user list.
  - 8. The computer-implemented method of claim 6, further comprising:
    - determining that the network address is associated with at least one of;
      
      a trusted user list, a whitelist, employee data, or a Virtual Private Network list; and
      
      in response to determining the network address'"'"'s association, increasing the likelihood that the network address is trustworthy.
  - 9. The computer-implemented method of claim 8, wherein the network address'"'"'s association is based at least in part on the network address'"'"'s membership in at least one of the:
    - trusted user list, whitelist, employee data, or Virtual Private Network list.
  - 10. The computer-implemented method of claim 6, further comprising:
    - causing presentation of the usage indicator and the network address in a user interface.
  - 11. The computer-implemented method of claim 6, wherein the usage indicator comprises a usage score.
  - 12. The computer-implemented method of claim 11, wherein determining the usage indicator for the network address further comprises increasing the usage score where there is a greater quantity of occurrences of the network address in a plurality of data sources, and wherein the increased usage score indicates a higher trust level associated with the network address.

13. A computer-implemented method comprising:
- receiving a network address from a first data source, the first data source comprising a computing system connected to a network, the computing system configured to receive network traffic;
  
  determining a threat indicator for the network address, wherein the threat indicator indicates a risk level associated with the network address, and wherein the threat indicator is based at least in part on;
  
  a quantity of occurrences of the network address in the first data source,a cumulative time between respective occurrences of the network address in the first data source and a first time, anda likelihood that a perceived threat of the network address is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events from the first data source; and
  
  providing the threat indicator to an entity device, wherein the entity device is configured to block the network address based at least in part on the threat indicator.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer-implemented method of claim 13, wherein the threat indicator comprises a threat score.
  - 15. The computer-implemented method of claim 14, further comprising:
    - determining a recency of each occurrence of the network address in the first data source from a second time between respective occurrences and the first time, wherein determining the threat indicator for the network address further comprises increasing the threat score where the recency of each occurrence indicates more recent suspicious activity.
  - 16. The computer-implemented method of claim 14, wherein determining the threat indicator for the network address further comprises increasing the threat score where there is a greater quantity of occurrences of the network address in the first data source, and wherein the increased threat score indicates a higher risk level associated with the network address.
  - 17. The computer-implemented method of claim 14, wherein determining the threat indicator for the network address further comprises increasing the threat score where there is a greater quantity of occurrences of the network address in a plurality of data sources, and wherein the increased threat score indicates a higher risk level associated with the network address.
  - 18. The computer-implemented method of claim 13, further comprising:
    - receiving the network address from a second data source, wherein receiving the network address from the second data source indicates that the network address was likely involved in a network attack; and
      
      in response to receiving the network address from the first data source and the second data source, increasing the likelihood that the perceived threat of the network address is an actual threat.
  - 19. The computer-implemented method of claim 13, further comprising:
    - causing presentation of the threat indicator and the network address in a user interface.
  - 20. The computer-implemented method of claim 13, wherein the first data source further comprises at least one of:
    - an internal blacklist, an external blacklist, a firewall, or an intrusion detection system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Visbal, Alexander
Primary Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US14/816,748
Publication Number

US 20160028759A1
Time in Patent Office

547 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for evaluating network threats and usage

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for evaluating network threats and usage

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links