Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.
Representative claims
1. A computer system comprising: one or more computer processors; and a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to: determine an IP address for which a threat score is to be determined; access network alert datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprise: a plurality of recorded network threat events, date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events; determine which of the network alert datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address; for each of the data sources for which the IP address is a member of the corresponding network alert dataset: determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time; determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
2. The computer system of claim 1, wherein determining the threat score for the IP address further comprises adjusting the threat score based on the event type of each of the plurality of recorded network threat events.
3. The computer system of claim 2, wherein the event type comprises at least one of malicious attack, advertising, peer-to-peer communication, illegal activity, or spying activity.
4. The computer system of claim 1, wherein the weighting factors are further determined based at least in part on at least one of a quantity or a percentage of network threat events previously provided by a data source that were determined to be actual network threats.
5. The computer system of claim 4, wherein a particular network threat event reported by a first data source is determined to be an actual network threat based on threat data received from one or more other data sources.
6. The computer system of claim 1, wherein each of the data sources comprises at least one of a proprietary network monitoring system, a firewall, a network device access log, a mobile hotspot log, or a Virtual Private Network access log.
7. The computer system of claim 1, wherein the recency of each occurrence of the IP address is further determined based at least in part on a function of the amount of time between the date and time of respective occurrences.
8. The computer system of claim 7, wherein the function is at least one of an exponential decay function, a constant decay function, a step decay function, a linear decay function, a Weibull decay function, a Hill decay function, or a smooth-compact decay function.
9. The computer system of claim 1, further comprising one or more modules stored on the tangible storage device, the one or more modules configured for execution by the one or more computer processors in order to cause the computer system to: present a report comprising the threat score for the IP address.
10. A computer system comprising: one or more computer processors; and a tangible storage device storing one or more modules configured for execution by the one or more computer processors in order to cause the computer system to: determine an IP address for which a usage score is to be determined; access network usage datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network usage datasets comprise: a plurality of recorded network usage events, date and time of each of the plurality of recorded network usage events, an originating IP address for each of the plurality of recorded network usage events, and an event type of each of the plurality of recorded network usage events; determine which of the network usage datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a usage by the IP address; for each of the data sources for which the IP address is a member of the corresponding network usage dataset: determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network usage dataset, wherein recency is determined based at least in part on an amount of time between date and time of respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network usage dataset and the current time; determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network usage dataset is an actual threat, wherein the likelihood is based at least in part on historical data of activities associated with each of the respective data sources; and determine a usage score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
11. The computer system of claim 10, wherein determining the usage score for the IP address further comprises adjusting the usage score to constrain the usage score to a value between 0 and 1.
12. The computer system of claim 10, wherein the recency of each occurrence of the IP address is further determined based at least in part on a function of the amount of time between the date and time of respective occurrences.
13. The computer system of claim 12, wherein the function is at least one of an exponential decay function, a constant decay function, a step decay function, a linear decay function, a Weibull decay function, a Hill decay function, or a smooth-compact decay function.
14. The computer system of claim 10, wherein the event type comprises at least one of VPN connection, proxy server connection, or authorized account log in.
15. A non-transitory computer-readable storage medium storing computer-executable instructions configured to direct a computing system to: determine an IP address for which a threat score is to be determined; access network alert datasets from each of one or more data sources, the data source comprising a computing system connected to a network and the data source has access to originating IP addresses that correspond to a communication protocol of the network, and wherein the network alert datasets comprise: a plurality of recorded network threat events, date and time of each of the plurality of recorded network threat events, an originating IP address for each of the plurality of recorded network threat events, and an event type of each of the plurality of recorded network threat events; determine which of the network alert datasets includes one or more occurrences of the IP address, wherein each occurrence indicates a threat by the IP address; for each of the data sources for which the IP address is a member of the corresponding network alert dataset: determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based at least in part on an amount of time between respective occurrences of the IP address in the network alert dataset and a current time, and wherein recency is further determined based at least in part on a cumulative calculation of the amount of time between respective occurrences of the IP address in the network alert dataset and the current time; determine a weighting factor for each of the data sources indicating a likelihood that a perceived threat of the IP address in the network alert dataset is an actual threat, wherein the likelihood is based at least in part on historical data of past threat events for the respective data source of the IP address in the network alert dataset; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources.
16. The non-transitory computer-readable storage medium of claim 15, wherein determining the threat score for the IP address further comprises adjusting the threat score based on the event type of each of the plurality of recorded network threat events.
17. The non-transitory computer-readable storage medium of claim 16, wherein the event type comprises at least one of malicious attack, advertising, peer-to-peer communication, illegal activity, or spying activity.
18. The non-transitory computer-readable storage medium of claim 15, wherein the weighting factors are determined based at least in part on at least one of a quantity or a percentage of network threat events previously provided by a data source that were determined to be actual network threats.
19. The non-transitory computer-readable storage medium of claim 15, wherein a particular network threat event reported by a first data source is determined to be an actual network threat based on threat data received from one or more other data sources.
20. The non-transitory computer-readable storage medium of claim 15, wherein each of the data sources comprises at least one of a proprietary network monitoring system, a firewall, a network device access log, a mobile hotspot log, or a Virtual Private Network access log.
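The following is an added illustration, not code from the patent or its assignee, of how the claim 1 pipeline can be realized: per-source occurrence count, cumulative recency using the exponential decay of claim 8, a source weighting factor derived from confirmed-versus-reported history as in claim 4, and the event-type adjustment of claims 2 and 3. The alert datasets, source histories, half-life, event-type multipliers and the final squash to the [0, 1) range (the constraint claim 11 applies to the usage score) are all constructed assumptions.

```python
from datetime import datetime, timedelta
from math import exp

# Constructed reference time and alert datasets (hypothetical), one list per data source.
# Each record: (date and time of the event, originating IP address, event type).
NOW = datetime(2024, 1, 10, 12, 0, 0)
ALERT_DATASETS = {
    "firewall": [
        (NOW - timedelta(hours=2), "198.51.100.7", "malicious attack"),
        (NOW - timedelta(days=3), "198.51.100.7", "advertising"),
        (NOW - timedelta(days=40), "203.0.113.5", "spying activity"),
    ],
    "vpn_log": [(NOW - timedelta(days=1), "198.51.100.7", "peer-to-peer communication")],
    "hotspot_log": [(NOW - timedelta(days=20), "203.0.113.5", "illegal activity")],
}
# Claim 4 style history per source: (events reported, events later confirmed as actual threats).
SOURCE_HISTORY = {"firewall": (200, 150), "vpn_log": (50, 10), "hotspot_log": (80, 60)}
# Claim 2/3 event-type adjustment; the multipliers are illustrative, not from the patent.
EVENT_TYPE_WEIGHT = {"malicious attack": 1.0, "illegal activity": 0.9, "spying activity": 0.9,
                     "peer-to-peer communication": 0.4, "advertising": 0.2}
HALF_LIFE_DAYS = 7.0  # assumed: an occurrence 7 days old contributes half of a fresh one


def recency_weight(age: timedelta) -> float:
    """Exponential decay (claim 8) of one occurrence by its age relative to the current time."""
    return 0.5 ** (age.total_seconds() / 86400.0 / HALF_LIFE_DAYS)


def source_weight(source: str) -> float:
    """Weighting factor: fraction of a source's past reports that proved to be real threats."""
    reported, confirmed = SOURCE_HISTORY[source]
    return confirmed / reported if reported else 0.0


def threat_score(ip: str, datasets=ALERT_DATASETS, now=NOW):
    """Return (score in [0, 1), per-source breakdown) for one IP address."""
    breakdown = {}
    for source, events in datasets.items():
        hits = [(ts, etype) for ts, src_ip, etype in events if src_ip == ip]
        if not hits:
            continue  # the IP is not a member of this source's dataset; it contributes nothing
        # Cumulative recency: every occurrence decays by its age and is scaled by its event type.
        recency = sum(recency_weight(now - ts) * EVENT_TYPE_WEIGHT.get(etype, 0.5) for ts, etype in hits)
        breakdown[source] = {"quantity": len(hits), "recency": recency, "weight": source_weight(source)}
    raw = sum(b["recency"] * b["weight"] for b in breakdown.values())
    return 1.0 - exp(-raw), breakdown  # squash so many weak, stale hits never exceed 1


if __name__ == "__main__":
    for addr in ("198.51.100.7", "203.0.113.5"):
        score, detail = threat_score(addr)
        print(f"{addr}: threat score {score:.3f} from {detail}")
```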
Patents cited in this patent (2)
Aymeloglu, Andrew; Tan, Garry; Simler, Kevin; Miyake, Nick, Generating dynamic date sets that represent market conditions.
Kantrowitz, Mark, Method and apparatus for efficient identification of duplicate and near-duplicate documents and text spans using high-discriminability text fragments.
Thomson, Allan; Coleman, Christopher D., Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface.
Rambo, Douglas C.; Trudeau, Steven M.; Hughes, Titanya; Colehouse, Michael; Calabro, Timothy J.; Nguyen, Vincent N.; Brenden, Ben D., Enterprise security measures.
Ahn, David K.; George, Keith A.; Geremia, Peter P.; Mallett, III, Pierre; Moore, Sean; Perry, Robert T.; Rogers, Jonathan R., Rule-based network-threat detection.