The approaches described in this section could be pursued but are not necessarily approaches that have previously been conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Within a modern threat protection system, a policy can be defined using Internet Protocol (IP) addresses to identify nodes to protect or block, or nodes against which a further policy can be executed. In general, the basis for the protection policy is defined statically by a user and then manually applied. The challenge, however, is that because service providing systems are dynamic with the state of services, clients, and servers in constant flux and, therefore, static policies can only be effective for a short period of time. Events within a service providing system can constantly change the state of the service providing system. User authentication, changes in reputation, mobile device roaming, and IP address lease expiration are all examples of events which negate the usefulness of a static policy.
As static policies lose their relevance, threat protection systems attempt to automatically ascertain the correct policy through active challenges and passive observation of flows. However, selecting the correct policy is a resource-intensive process that amounts to marginally effective “guess work” by the threat protection systems.