Title of invention Generating accurate preemptive security device policy tuning recommendations
Abstract An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics of the first business and a second business are determined. The second business has a second computer system currently or recently under attack. The characteristics include respective industries, sizes, geographical locations, types of sensitive data, and security vulnerabilities associated with the first and second businesses or first and second computer systems, an address of traffic through a device in the first computer system, and an address of an entity responsible for the attack on the second computer system. Based on a similarity between the characteristics of the first and second businesses, a likelihood that the entity responsible for the attack on the second computer system will attack the first computer system of the first business is determined.
Publication number US9253204(B2) Publication date 2016.02.02
Application number US201414219641 Filing date 2014.03.19
Applicant International Business Machines Corporation Inventors Bradley Nicholas W.; Givental Gary I.; McMillen David M.; Walton Kaleb D.
Classification G06F21/56; H04L29/06; H04L29/08 Main classification G06F21/56
Agency Schmeiser, Olsen & Watts Agents Schmeiser, Olsen & Watts; Quinn David
Main claim 1. A method of determining a likelihood of an attack on a first computer system of a first business, the method comprising the steps of: a hardware computer determining characteristics of the first business, the characteristics including an industry, a size, and a geographical location of the first business, a type of sensitive data managed by the first computer system, a security vulnerability in the first computer system, and an address of a source or a destination of data traffic through a security device in the first computer system; the computer determining characteristics of a second business which has a second computer system currently or recently under attack, the characteristics of the second business including an industry, a size, and a geographical location of the second business, a type of sensitive data managed by the second computer system, a security vulnerability in the second computer system, and an address of an entity responsible for the current or recent attack on the second computer system; the computer determining a similarity between the characteristics of the first and second businesses; based on the similarity, the computer determining a likelihood that the entity responsible for the current or recent attack on the second computer system will attack the first computer system of the first business; the computer selecting an Internet Protocol (IP) address from a list of suspicious IP addresses, the selected IP address being the address of the entity that is responsible for current or recent attacks on computer systems of respective businesses including the second business; the computer determining an initial value of a score that indicates a likelihood that the entity will attack the first computer system of the first business; the computer determining characteristics of the businesses, the characteristics of the businesses including respective industries, sizes, and geographical locations of the businesses, respective types of sensitive data managed by the computer systems of the businesses, and respective security vulnerabilities in the computer systems; the computer determining a first percentage of the businesses whose respective industries match the industry of the first business; the computer determining a second percentage of the businesses whose respective sizes match the size of the first business; the computer determining a third percentage of the businesses whose respective geographical locations match the geographical location of the first business; the computer determining a fourth percentage of the businesses whose respective computer systems manage types of sensitive data that match the type of sensitive data managed by the first computer system of the first business; the computer determining a fifth percentage of the businesses whose respective computer systems have security vulnerabilities that match the security vulnerability of the first computer system of the first business; the computer determining whether the selected IP address is a source or a destination of data traffic flowing in a network in the first computer system of the first business; if the first percentage exceeds a first threshold amount, the computer incrementing the score by a first predetermined amount; if the second percentage exceeds a second threshold amount, the computer incrementing the score by a second predetermined amount; if the third percentage exceeds a third threshold amount, the computer incrementing the score by a third predetermined amount; if the fourth percentage exceeds a fourth threshold amount, the computer incrementing the score by a fourth predetermined amount; if the fifth percentage exceeds a fifth threshold amount, the computer incrementing the score by a fifth predetermined amount; if the selected IP address is the source or destination of the data traffic flowing in the network in the first computer system of the first business, the computer incrementing the score by a sixth predetermined amount; and the computer determining whether the score exceeds a second threshold amount which indicates a likelihood that the entity responsible for the current or recent attacks on the computer systems will attack the first computer system of the first business.
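The scoring procedure of claim 1, worked through as an added example that is not code from the patent or its assignee: the five match percentages, the per-attribute thresholds and increments, the sixth increment for the suspicious IP appearing in the protected network's traffic, and the final score threshold. All threshold values, increment amounts, field names and sample businesses are constructed assumptions.

```python
# Added example (not the patent's own code): simplified claim-1 scoring.
# Thresholds, increments, and sample data below are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Business:
    industry: str
    size: str
    location: str
    data_type: str
    vulnerability: str
    traffic_addresses: set = field(default_factory=set)  # src/dst seen at the security device

# One (threshold %, increment) pair per attribute, in the claim's order (constructed values).
ATTRIBUTES = ("industry", "size", "location", "data_type", "vulnerability")
THRESHOLDS = {"industry": 50, "size": 50, "location": 50, "data_type": 50, "vulnerability": 50}
INCREMENTS = {"industry": 2, "size": 1, "location": 1, "data_type": 2, "vulnerability": 3}
IP_SEEN_INCREMENT = 4   # the "sixth predetermined amount"
ALERT_THRESHOLD = 6     # final score threshold that triggers a tuning recommendation
INITIAL_SCORE = 0

def match_percentages(target, victims):
    """Percentage of attacked businesses whose attribute equals the target's (first to fifth percentages)."""
    if not victims:
        return {a: 0.0 for a in ATTRIBUTES}
    return {a: 100.0 * sum(getattr(v, a) == getattr(target, a) for v in victims) / len(victims)
            for a in ATTRIBUTES}

def attack_likelihood_score(target, victims, suspicious_ip):
    """Start from the initial score and add each increment whose percentage exceeds its threshold."""
    score = INITIAL_SCORE
    for attr, pct in match_percentages(target, victims).items():
        if pct > THRESHOLDS[attr]:
            score += INCREMENTS[attr]
    if suspicious_ip in target.traffic_addresses:  # IP is a source or destination in our network
        score += IP_SEEN_INCREMENT
    return score

def likely_target(target, victims, suspicious_ip):
    """True when the score exceeds the final threshold, i.e. a policy tuning recommendation is warranted."""
    return attack_likelihood_score(target, victims, suspicious_ip) > ALERT_THRESHOLD

# Constructed sample: three businesses attacked from one suspicious IP, and two candidate targets.
SUSPICIOUS_IP = "198.51.100.7"
VICTIMS = [
    Business("finance", "large", "US", "PII", "VULN-A"),
    Business("finance", "medium", "EU", "PII", "VULN-A"),
    Business("retail", "small", "US", "card", "VULN-B"),
]
SIMILAR_TARGET = Business("finance", "large", "US", "PII", "VULN-A", {SUSPICIOUS_IP, "203.0.113.9"})
DISSIMILAR_TARGET = Business("retail", "small", "APAC", "card", "VULN-B")
```

For SIMILAR_TARGET the industry, location, data type and vulnerability percentages (each 66.7%) exceed their thresholds, size (33.3%) does not, and the suspicious IP is present in its traffic, giving a score of 12; DISSIMILAR_TARGET scores 0.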
Address Armonk NY US