CPC H04L 63/1425 (2013.01) [H04L 63/0263 (2013.01); H04L 63/1433 (2013.01)]

20 Claims

1. A method comprising:
obtaining a plurality of network traffic logs for a domain;
correlating the plurality of network traffic logs with a plurality of threat data feeds to identify a plurality of malicious indicators and a plurality of host identifiers communicating with the plurality of malicious indicators, the plurality of host identifiers identifying a plurality of hosts of the domain;
mapping a flow of network traffic between the plurality of malicious indicators and the plurality of host identifiers from the plurality of network traffic logs;
determining an exposed set of host identifiers from among the plurality of host identifiers having inbound traffic from at least one malicious indicator from the plurality of malicious indicators based on the mapping, the exposed set of host identifiers identifying hosts that form an attack surface of the domain;
determining host attributes and indicator attributes associated with each host identifier in the exposed set of host identifiers;
providing the exposed set of host identifiers and the associated host attributes and indicator attributes as input to a prioritization model;
receiving one or more prioritization scores associated with each host identifier in the exposed set of host identifiers as output from the prioritization model; and
generating a prioritized attack surface data structure based on the one or more prioritization scores associated with each host identifier, wherein an interface is configured to modify a display based at least in part on the prioritized attack surface data structure.
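The steps of claim 1, traced end to end as an added example that is not part of the patent text. The flow records, threat feed, asset inventory, the 10.0.0.0/8 domain range and the scoring function are all constructed assumptions; the claim does not specify the prioritization model, so a simple stand-in is used.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

DOMAIN_NET = ip_network("10.0.0.0/8")          # assumed address space of the domain
# Constructed threat feed: indicator -> indicator attributes
FEED = {"203.0.113.7": {"type": "c2", "confidence": 0.9},
        "198.51.100.23": {"type": "scanner", "confidence": 0.4}}
# Constructed asset inventory: host identifier -> host attributes
HOSTS = {"10.0.0.5": {"role": "web", "criticality": 3},
         "10.0.0.9": {"role": "db", "criticality": 5},
         "10.0.0.12": {"role": "workstation", "criticality": 1}}
# Constructed flow log records: (source, destination, bytes)
FLOWS = [("203.0.113.7", "10.0.0.9", 4200),
         ("198.51.100.23", "10.0.0.5", 300),
         ("198.51.100.23", "10.0.0.9", 120),
         ("10.0.0.12", "203.0.113.7", 900),    # outbound only: not in exposed set
         ("192.0.2.44", "10.0.0.5", 5000)]     # source not in any feed

def in_domain(ip):
    return ip_address(ip) in DOMAIN_NET

def map_flows(flows, feed):
    """Correlate flows with the feed; return {host: {"in": {ioc: bytes}, "out": {...}}}."""
    fmap = defaultdict(lambda: {"in": defaultdict(int), "out": defaultdict(int)})
    for src, dst, nbytes in flows:
        if src in feed and in_domain(dst):      # indicator -> host (inbound)
            fmap[dst]["in"][src] += nbytes
        elif dst in feed and in_domain(src):    # host -> indicator (outbound)
            fmap[src]["out"][dst] += nbytes
    return fmap

def exposed_set(fmap):
    """Hosts with inbound traffic from at least one malicious indicator."""
    return {h for h, d in fmap.items() if d["in"]}

def score(host_attrs, indicator_attrs):
    """Stand-in prioritization model (assumption): criticality x strongest indicator."""
    return host_attrs["criticality"] * max(a["confidence"] for a in indicator_attrs)

def prioritized_attack_surface(flows=FLOWS, feed=FEED, hosts=HOSTS):
    fmap = map_flows(flows, feed)
    rows = []
    for h in exposed_set(fmap):
        iocs = sorted(fmap[h]["in"])
        rows.append({"host": h, "indicators": iocs,
                     "score": round(score(hosts[h], [feed[i] for i in iocs]), 2)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in prioritized_attack_surface():
        print(row)
```

Host 10.0.0.12 appears in the flow map but not in the exposed set, because its only traffic to an indicator is outbound and the claim defines exposure by inbound traffic.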