Patent attributes
Systems for providing a threat intelligence system differentiate between network activity that is a mass scan, or is an accidental or otherwise benign abnormality, or is a directed attack. All of the network activity of a computing resource service provider is logged, and the logs are parsed to include the activity of a particular activity source. The activity is stored in an activity profile, and is updated on a rolling window basis. The systems then use the activity profiles of activity sources that have communicated with a user's computing resources to determine whether the activity and/or activity source is a potential threat against the user's virtual computing environment(s) and/or the computing resources executing therein. The system computes a threat level score based on parameters identified in the activity profiles.