Detecting dissemination of malicious programs

US 20030196095A1
Filed: 04/11/2002
Published: 10/16/2003
Est. Priority Date: 04/11/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a dissemination of a malicious program comprising the steps of:

receiving a packet of data to be forwarded to another network;

performing a hash function on one or more fields of said packet of data generating a hash value; and

determining a number of different hash values generated from performing said hash function on said one or more fields of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then the method further comprises the step of;

determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for detecting the dissemination of malicious programs. The degree of randomness in the Internet Protocol (IP) destination addresses of received IP packets to be forwarded to an external network may be detected by performing a hash function on the IP destination addresses thereby generating one or more different hash values. If a high number of different hash values were generated for a small number of IP packets examined, then random IP destination addresses may be detected. By detecting random destination IP addresses, the dissemination of a malicious program, e.g., virus, worm program, may be detected.

67 Citations

View as Search Results

30 Claims

1. A method for detecting a dissemination of a malicious program comprising the steps of:
- receiving a packet of data to be forwarded to another network;
  
  performing a hash function on one or more fields of said packet of data generating a hash value; and
  
  determining a number of different hash values generated from performing said hash function on said one or more fields of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then the method further comprises the step of;
  
  determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein upon detecting said dissemination of said malicious program, the method further comprises the step of:
    - discarding subsequent packets having a selected set of characteristics corresponding to packets examined in determining said number of different hash values generated.
  - 3. The method as recited in claim 2, wherein upon detecting said dissemination of said malicious program, the method further comprises the step of:
    - transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 4. The method as recited in claim 1, wherein upon detecting said dissemination of said malicious program, the method further comprises the step of:
    - transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 5. The method as recited in claim 1, wherein upon detecting said dissemination of said malicious program, the method further comprises the step of:
    - maintaining an event record regarding said detection of said dissemination of said malicious program.
  - 6. The method as recited in claim 1 further comprising the steps of:
    - indexing into a table using said hash value generated;
      
      marking an entry in said table corresponding to said hash value generated as occupied if not already indicated as occupied; and
      
      incrementing a counter to indicate a number of packets examined.
  - 7. The method as recited in claim 1, wherein if said number of different hash values in said table is less than said predetermined value then the method further comprises the step of:
    - examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i)+(1−
      
      K)*MAX, wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets;
      
      wherein K is a constant; and
      
      wherein MAX is a maximum number of packets to be examined.
  - 8. The method as recited in claim 1, wherein if said predetermined number of packets is greater than said threshold then the method further comprises the step of:
    - examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i), wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets; and
      
      wherein K is a constant.
  - 9. The method as recited in claim 1, wherein said predetermined value is equal to:
    - F*2{circumflex over (
      
      )}B, wherein F is a predetermined fraction; and
      
      wherein B is a number of bits of said hash value.
  - 10. The method as recited in claim 1, wherein said one or more fields comprises one or more of the following:
    - destination address, source address, source port, destination port, packet length, protocol, type of service and identification.

11. A computer program product embodied in a machine readable medium for detecting a dissemination of a malicious program comprising the programming steps of:
- receiving a packet of data to be forwarded to another network;
  
  performing a hash function on one or more fields of said packet of data generating a hash value; and
  
  determining a number of different hash values generated from performing said hash function on said one or more fields of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then the method further comprises the step of;
  
  determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product as recited in claim 11, wherein upon detecting said dissemination of said malicious program, the computer program product further comprises the programming step of:
    - discarding subsequent packets having a selected set of characteristics corresponding to packets examined in determining said number of different hash values generated.
  - 13. The computer program product as recited in claim 12, wherein upon detecting said dissemination of said malicious program, the computer program product further comprises the programming step of:
    - transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 14. The computer program product as recited in claim 11, wherein upon detecting said dissemination of said malicious program, the computer program product further comprises the programming step of:
    - transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 15. The computer program product as recited in claim 11, wherein upon detecting said dissemination of said malicious program, the computer program product further comprises the programming step of:
    - maintaining an event record regarding said detection of said dissemination of said malicious program.
  - 16. The computer program product as recited in claim 11 further comprising the programming steps of:
    - indexing into a table using said hash value generated;
      
      marking an entry in said table corresponding to said hash value generated as occupied if not already indicated as occupied; and
      
      incrementing a counter to indicate a number of packets examined.
  - 17. The computer program product as recited in claim 11, wherein if said number of different hash values in said table is less than said predetermined value then the computer program product further comprises the programming step of:
    - examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i)+(1−
      
      K)*MAX, wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets;
      
      wherein K is a constant; and
      
      wherein MAX is a maximum number of packets to be examined.
  - 18. The computer program product as recited in claim 11, wherein if said predetermined number of packets is greater than said threshold then the computer program product further comprises the programming step of:
    - examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i), wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets; and
      
      wherein K is a constant.
  - 19. The computer program product as recited in claim 11, wherein said predetermined value is equal to:
    - F*2{circumflex over (
      
      )}B, wherein F is a predetermined fraction; and
      
      wherein B is a number of bits of said hash value.
  - 20. The computer program product as recited in claim 11, wherein said one or more fields comprises one or more of the following:
    - destination address, source address, source port, destination port, packet length, protocol, type of service and identification.

21. A system, comprising:
- a memory unit operable for storing a computer program operable for detecting a dissemination of a malicious program; and
  
  a processor coupled to said memory unit, wherein said processor, responsive to said computer program, comprises;
  
  circuitry operable for receiving a packet of data to be forwarded to another network;
  
  circuitry operable for performing a hash function on a destination address of said packet of data generating a hash value; and
  
  circuitry operable for determining a number of different hash values generated from performing said hash function on destination addresses of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then said processor further comprises;
  
  circuitry operable for determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system as recited in claim 21, wherein upon detecting said dissemination of said malicious program, said processor further comprises:
    - circuitry operable for discarding subsequent packets having a selected set of characteristics corresponding to packets examined in determining said number of different hash values generated.
  - 23. The system as recited in claim 22, wherein upon detecting said dissemination of said malicious program, said processor further comprises:
    - circuitry operable for transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 24. The system as recited in claim 21, wherein upon detecting said dissemination of said malicious program, said processor further comprises:
    - circuitry operable for transmitting an administrative alert regarding said detection of said dissemination of said malicious program.
  - 25. The system as recited in claim 21, wherein upon detecting said dissemination of said malicious program, said processor further comprises:
    - circuitry operable for maintaining an event record regarding said detection of said dissemination of said malicious program.
  - 26. The system as recited in claim 21, wherein said processor further comprises:
    - circuitry operable for indexing into a table using said hash value generated;
      
      circuitry operable for marking an entry in said table corresponding to said hash value generated as occupied if not already indicated as occupied; and
      
      circuitry operable for incrementing a counter to indicate a number of packets examined.
  - 27. The system as recited in claim 21, wherein if said number of different hash values in said table is less than said predetermined value then said processor further comprises:
    - circuitry operable for examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i)+(1−
      
      K)*MAX, wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets;
      
      wherein K is a constant; and
      
      wherein MAX is a maximum number of packets to be examined.
  - 28. The system as recited in claim 21, wherein if said predetermined number of packets is greater than said threshold then said processor further comprises:
    - circuitry operable for examining a next number of packets to be forwarded to another network, wherein said next number of packets to be examined is determined by;
      
      N(i+1)=K*N(i), wherein i is an index of a number of packets to be examined;
      
      wherein N(i+1) is said next number of packets to be examined;
      
      wherein N(i) is said predetermined number of packets; and
      
      wherein K is a constant.
  - 29. The system as recited in claim 21, wherein said predetermined value is equal to:
    - F*2{circumflex over (
      
      )}B, wherein F is a predetermined fraction; and
      
      wherein B is a number of bits of said hash value.
  - 30. The system as recited in claim 21, wherein said one or more fields comprises one or more of the following:
    - destination address, source address, source port, destination port, packet length, protocol, type of service and identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Jeffries, Clark Debs, Lingafelt, Charles Steven, Strole, Norman Clark

Granted Patent

US 7,140,041 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/181
CPC Class Codes

G06F 21/51   at application loading time...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Detecting dissemination of malicious programs

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting dissemination of malicious programs

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links