Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
Abstract
A system (126-129) detects transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets. The system (126-129) may then identify the potentially malicious packet as one of the previously-received packets when one or more of the generated hash values match the hash value corresponding to the one previously-received packet.
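The detection and tracing behavior described in the abstract, as an added Python sketch (not code from the patent). The 16-byte fixed-offset blocks, truncated SHA-256, the 5-second window and the `HashProcessor` class name are assumptions, since the page does not specify a hash function, block scheme or window length; the sample payloads are constructed.

```python
import hashlib

WINDOW_SECONDS = 5.0  # assumed "predetermined amount of time"
BLOCK_SIZE = 16       # assumed block length; the page does not fix one


def block_hashes(payload: bytes) -> set:
    """Derive several hash values from one packet: one per fixed-offset block."""
    stop = len(payload) - BLOCK_SIZE + 1
    blocks = {payload[i:i + BLOCK_SIZE] for i in range(0, stop, BLOCK_SIZE)}
    if not blocks:                      # payload shorter than one block
        blocks = {payload}
    return {hashlib.sha256(b).digest()[:8] for b in blocks}


class HashProcessor:
    """Keeps only hash values and arrival times, never the packets themselves."""
    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.last_seen = {}  # hash value -> arrival time of the latest packet producing it

    def observe(self, payload: bytes, now: float) -> bool:
        """Return True when a hash matches a prior packet received within the window."""
        hashes = block_hashes(payload)
        # Compare before recording, so a packet with repeated blocks cannot match itself.
        prior = [self.last_seen[h] for h in hashes if h in self.last_seen]
        suspicious = any(now - t <= self.window for t in prior)
        for h in hashes:
            self.last_seen[h] = now
        return suspicious

    def trace(self, payload: bytes) -> bool:
        """Tracing query: did this node previously receive the identified packet?"""
        return any(h in self.last_seen for h in block_hashes(payload))


def demo():
    node = HashProcessor()
    repeated = b"GET /constructed-sample-payload-" + b"A" * 32  # constructed sample
    once = b"constructed benign traffic, seen only once......"   # constructed sample
    flags = [
        node.observe(repeated, now=0.0),   # first sighting, nothing to match
        node.observe(once, now=1.0),
        node.observe(repeated, now=2.0),   # same content 2 s later: flagged
        node.observe(repeated, now=60.0),  # same content, outside the window
    ]
    return flags, node.trace(repeated), node.trace(b"never seen by this node, constructed!!!!")
```

The `last_seen` store in this sketch grows without bound; a deployment would have to cap or age it, and tracing queries only succeed for packets whose hashes are still retained.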
47 Claims
1. A method for detecting transmission of malicious packets, comprising:
receiving a plurality of packets;
generating hash values corresponding to the packets;
comparing the generated hash values to hash values corresponding to prior packets; and
determining that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A system for hampering transmission of a potentially malicious packet, comprising:
means for receiving a packet;
means for generating one or more hash values from the packet;
means for comparing the generated one or more hash values to hash values corresponding to prior packets;
means for determining that the packet is a potentially malicious packet when the generated one or more hash values match one or more of the hash values corresponding to at least one of the prior packets and the at least one of the prior packets was received within a predetermined amount of time of the packet; and
means for hampering transmission of the packet when the packet is determined to be a potentially malicious packet.
17. A system for detecting transmission of potentially malicious packets, comprising:
a plurality of input ports configured to receive a plurality of packets;
a plurality of output ports configured to transmit the packets;
a hash processor configured to:
observe each of the packets received at the input ports, generate hash values corresponding to the packets, compare the generated hash values to hash values corresponding to previous packets, and determine that one of the packets is a potentially malicious packet when one or more of the generated hash values corresponding to the one packet matches one or more of the hash values corresponding to one of the previous packets and the one previous packet was received within a predetermined amount of time of the one packet.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
32. A system for detecting transmission of a potentially malicious packet, comprising:
an input port configured to receive a plurality of packets;
an output port configured to transmit at least some of the packets; and
a hash processor configured to:
receive a message identifying a potentially malicious packet, generate a plurality of hash values from the potentially malicious packet, determine whether any of the generated hash values match hash values corresponding to prior packets received at the input port, and identify the potentially malicious packet as one of the prior packets when one or more of the generated hash values match the hash values corresponding to the prior packets.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40
41. A method for detecting a path taken by a potentially malicious packet, comprising:
storing a plurality of hash values corresponding to received packets;
receiving a message identifying a potentially malicious packet;
generating a plurality of hash values from the potentially malicious packet;
comparing the generated hash values to the stored hash values; and
determining that the potentially malicious packet was one of the received packets when one or more of the generated hash values match the stored hash values.
Dependent claims: 42, 43, 44, 45, 46, 47
Specification