| 摘要 |
An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics of the first business and a second business are determined. The second business has a second computer system currently or recently under attack. The characteristics include respective industries, sizes, geographical locations, types of sensitive data, and security vulnerabilities associated with the first and second businesses or first and second computer systems, an address of traffic through a device in the first computer system, and an address of an entity responsible for the attack on the second computer system. Based on a similarity between the characteristics of the first and second businesses, a likelihood that the entity responsible for the attack on the second computer system will attack the first computer system of the first business is determined. |
| 主权项 |
1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of:
determining, by a hardware processor of a computer, a plurality of characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system; selecting, by the computer, an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being an address of one of a plurality of entities responsible for current or recent attacks on computer systems of respective businesses included in a plurality of businesses other than the first business; determining, by the computer, target businesses within the plurality of businesses as businesses having respective target computer systems, each target computer system currently experiencing or having recently experienced an attack by the one entity whose IP address was selected; determining, by the computer, characteristics of the target businesses, the characteristics of the target businesses including respective industries, sizes, and geographical locations of the target businesses, respective types of sensitive data managed by the target computer systems, and respective security vulnerabilities in the target computer systems; determining, by the computer, a plurality of percentages of the target businesses, the percentages being associated with respective characteristics of the target businesses including the industries, sizes, and geographical locations of the target businesses, the types of sensitive data managed by the target computer systems, and the security vulnerabilities in the target computer systems, each percentage indicating a percentage of the target businesses whose associated characteristic matches a corresponding characteristic included in the plurality of characteristics of the first business, and the percentages associated with respective threshold amounts; determining, by the computer, whether each of the plurality of percentages exceeds the associated threshold amount, and incrementing, by the computer, a score by a predetermined amount for each percentage in the plurality of percentages that is determined to exceed the associated threshold amount, the score having been initialized to zero prior to being incremented; determining, by the computer, whether the selected IP address matches the address of the source or destination of data traffic through the security device in the first computer system, and incrementing the score by twice the predetermined amount if the selected IP address is determined to match the address of the source or destination of data traffic through the security device in the first computer system; determining, by the computer, whether the score exceeds twice the predetermined amount which indicates a likelihood that the one entity whose IP address was selected will attack the first computer system of the first business, and if the score exceeds twice the predetermined amount, generating, by the computer, a recommendation to change a security policy for the first computer system of the first business; and subsequent to the step of determining whether the score exceeds twice the predetermined amount, selecting, by the computer, a next IP address from the list of suspicious IP addresses and repeating, by the computer, steps in the method that had been performed after the step of selecting the IP address and prior to the step of selecting the next IP address until no IP address in the list of suspicious IP addresses remains unselected. |
