Computing devices connected to the Internet face constant security risks. Computer services connected to the Internet, especially public-facing services, face attacks designed to deprive access to the resource (i.e., denial of service), disrupt access to the resource (e.g., to make political statements), or provide illegal access to the resource (e.g., for monetary reasons). Internet-connected devices inside the firewall of a protected network are at risk when communicating with resources outside the firewall. These devices inside the firewall may become infected with malware that attempts to enlist them in a bot-net or that attempts to send personal and/or financial information to unauthorized entities on the Internet.
At one time, adding access rules into a firewall to restrict inbound or outbound Internet connections addressed this problem. However, today's hackers and cyber-criminals are much more sophisticated and are able to hide their identities by connecting through proxies, anonymizers, and computers that have been enlisted into a bot-net controlled by the attacker. Simply blocking an Internet Protocol (IP) address is insufficient to prevent attacks because the IP addresses used by attackers can change daily, hourly, and sometimes even more frequently. Further, having only two options (i.e., blocked or not blocked) does not provide adequate flexibility for assessing threats. And creating exceptions is manually intensive.
An Internet Risk Intelligence Provider (IRIP) is an entity that monitors Internet network nodes for signs of malicious activity and provides access to its findings. Upon detecting possibly malicious activity, an IRIP adds the IP address associated with the activity to a downloadable list or a real-time feed. Along with the IP address, the IRIP includes the risk category of the potential risk and a confidence score, which indicates the probability that the detected IP address is actually a risk. A typical IRIP is capable of monitoring millions of IP addresses and, thus, a typical list of IP addresses may number in the millions. Unfortunately, conventional firewalls and routers normally used to stop high-risk IP addresses from connecting into or out of a network are capable of blocking only a small percentage of the IP addresses. (e.g., 10,000 up to 100,000 IP addresses). In addition to the disadvantages described above, firewalls and routers also require the access rules that determine which IP addresses will be blocked (i.e., risk blocking) to be constantly updated in real-time as the threat environment changes. What is needed is a practical way to block high-risk IP connections in real-time while allowing users to tailor their acceptable risk profiles to match the security requirements of their network resources.