US 12,132,745 B2
Composite threat score
Andrew J. Thomas, Oxfordshire (GB); Mangal Rakesh Vankadaru, Didcot (GB); Prakash Kumar Talreja, Twickenham (GB); Timothy Rayment, Abingdon (GB); and Biju Balakrishnan Nair, Bangalore (IN)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on May 26, 2022, as Appl. No. 17/825,098.
Application 17/825,098 is a continuation of application No. PCT/US2022/030859, filed on May 25, 2022.
Claims priority of provisional application 63/254,368, filed on Oct. 11, 2021.
Prior Publication US 2023/0111304 A1, Apr. 13, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 21/53 (2013.01); G06F 21/56 (2013.01)
CPC H04L 63/1408 (2013.01) [G06F 21/53 (2013.01); G06F 21/567 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 (2013.01); H04L 63/20 (2013.01)]
20 Claims
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, causes the one or more computing devices to perform the steps of:
receiving, at a threat management facility, a local threat indication from a local security agent on a compute instance, the local threat indication identifying a category of malicious activity associated with one or more events detected on the compute instance;
calculating, with the threat management facility, a contextual threat score for the compute instance based at least in part on geolocation data retrieved from a third-party service for a suspected threat detected on the compute instance;
receiving cloud resource data based on an action associated with the compute instance at a cloud service;
determining a composite threat score indicative of a threat risk for the compute instance based on at least the local threat indication, the contextual threat score, and the cloud resource data; and
displaying the composite threat score in a user interface.