US Patent 11895090 Privacy preserving malicious network activity detection and mitigation

A method includes accessing a first intelligence feed including a plurality of cybersecurity incidents. A second intelligence feed is generated including a plurality of technical indicators defined on one or more virtual private network internet point of presence (“VPN internet PoP”) that connects a plurality of VPN tunnels to an internet. The first and second intelligence feeds are compared, a particular incident is determined, and a time frame of the particular incident is determined. Use of a particular VPN internet PoP by a plurality of sources including a plurality of clients is monitored to determine a plurality of time-based behaviors. The plurality of time-based behaviors are compared to the particular incident and to the time frame to determine a match. A particular source is blocked at the particular VPN internet PoP based on the determination of the match.