Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
Abstract
A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
37 Claims
1. A method for detecting transmission of potentially malicious packets, comprising:
receiving a plurality of packets;
generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;
comparing the generated hash values to hash values associated with prior packets; and
determining that one of the plurality of packets is a potentially malicious packet when one or more of the generated hash values associated with the one of the plurality of packets match one or more of the hash values associated with the prior packets.
Dependent claims: 2-15.
16. A system for hampering transmission of potentially malicious packets, comprising:
means for observing a plurality of packets;
means for generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;
means for comparing the generated hash values to hash values corresponding to prior packets;
means for identifying one of the plurality of packets as a potentially malicious packet when the generated hash values corresponding to the one of the plurality of packets match the hash values corresponding to the prior packets; and
means for at least one of hampering transmission of the one of the plurality of packets and capturing a copy of the one of the plurality of packets for analysis when the one of the plurality of packets is identified as a potentially malicious packet.
17. A device for detecting transmission of malicious packets, comprising:
a hash memory configured to store information associated with a plurality of hash values corresponding to a plurality of prior packets; and
a hash processor configured to:
observe a packet,
generate one or more hash values, as one or more generated hash values, based on variable-sized blocks of the packet,
compare the one or more generated hash values to the hash values corresponding to the plurality of prior packets, and
identify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the plurality of prior packets.
Dependent claims: 18-34.
35. A method for detecting transmission of a potentially malicious packet, comprising:
receiving a packet;
selecting blocks of the received packet of random block sizes;
performing a plurality of different hash functions on each of the blocks to generate a plurality of hash values, as generated hash values;
comparing the generated hash values to hash values associated with prior packets; and
identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.
36. A method for detecting transmission of a potentially malicious packet, comprising:
receiving a packet;
selecting a plurality of blocks of the received packet of different block sizes;
performing a different hash function on each of the blocks to generate a plurality of hash values, as generated hash values;
comparing the generated hash values to hash values associated with prior packets; and
identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.
37. A method for detecting files suspected of containing a virus or worm on a computer, comprising:
receiving one or more first hash values associated with the virus or worm;
hashing one or more variable-sized portions of the files to generate second hash values;
comparing the second hash values to the one or more first hash values; and
identifying one of the files as a file suspected of containing the virus or worm when one or more of the second hash values correspond to at least one of the one or more first hash values.
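How the claimed flow looks in running code, as an added example written for this page and not the patent's own implementation (the specification is not reproduced here): variable-sized blocks are produced by content-defined chunking on an Adler-32 window (an assumption; the claims only require that block sizes vary), each block is hashed with two hash functions as in claim 35, a hash memory counts how many of a packet's hash values recur from prior packets and flags the packet at a predetermined threshold as in claim 17, and the same block hashes are compared with hash values of a known worm body as in claim 37. The window size, mask, block floor, threshold, choice of hash functions and all traffic are constructed for the example.

```python
import hashlib
import zlib

WINDOW = 8      # bytes covered by the checksum that decides block boundaries
MASK = 0x1F     # boundary where checksum & MASK == 0: about one per 32 bytes
MIN_BLOCK = 16  # assumed floor so very short blocks cannot collide by chance


def variable_blocks(data: bytes) -> list[bytes]:
    """Content-defined chunking: a block ends wherever the checksum of the
    trailing WINDOW bytes hits MASK, so boundaries depend on content alone and
    a worm body shifted by a polymorphic prefix keeps its interior blocks.
    Adler-32 is recomputed per window for clarity; a line-rate implementation
    would use a true rolling hash such as a Rabin fingerprint."""
    blocks, start = [], 0
    for end in range(WINDOW, len(data) + 1):
        if end - start < MIN_BLOCK:
            continue
        if zlib.adler32(data[end - WINDOW:end]) & MASK == 0:
            blocks.append(data[start:end])
            start = end
    tail = data[start:]
    if tail:
        if blocks and len(tail) < MIN_BLOCK:
            blocks[-1] += tail  # fold a short tail into the previous block
        else:
            blocks.append(tail)
    return blocks


# Two different hash functions applied to every block (claim 35); 8-byte
# digests keep the hash memory small, a choice assumed for the example.
HASH_FUNCTIONS = (
    lambda b: hashlib.sha256(b).digest()[:8],
    lambda b: hashlib.blake2b(b, digest_size=8).digest(),
)


def block_hash_values(data: bytes) -> set[tuple[int, bytes]]:
    """Hash every variable-sized block with every hash function; the function
    index is kept so values from different functions are never confused."""
    return {(i, h(block)) for block in variable_blocks(data)
            for i, h in enumerate(HASH_FUNCTIONS)}


class HashMemory:
    """Hash memory and hash processor of claim 17: remember the hash values of
    prior packets and count how many of a new packet's values recur."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold  # predetermined number of matching values
        self.seen: set[tuple[int, bytes]] = set()

    def observe(self, packet: bytes) -> tuple[bool, int]:
        values = block_hash_values(packet)
        matches = len(values & self.seen)
        self.seen |= values  # this packet is now a "prior packet"
        return matches >= self.threshold, matches


def file_matches_known(known: set[tuple[int, bytes]], data: bytes,
                       threshold: int) -> bool:
    """Claim 37: hash variable-sized portions of a file and compare them with
    hash values received for a known worm (same chunking parameters assumed)."""
    return len(block_hash_values(data) & known) >= threshold


def pseudo_random_bytes(label: bytes, n: int) -> bytes:
    """Deterministic filler standing in for captured traffic (constructed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed sample traffic: three unrelated benign payloads, then a worm
# body that reappears behind a different polymorphic prefix each time.
WORM_BODY = pseudo_random_bytes(b"worm-body", 512)
BENIGN = [pseudo_random_bytes(b"benign-%d" % i, 300) for i in range(3)]
WORM_VARIANTS = [pseudo_random_bytes(b"prefix-%d" % i, 5 + i) + WORM_BODY
                 for i in range(3)]


def run_detector(threshold: int = 2) -> list[tuple[bool, int]]:
    """Feed the benign packets, then the worm variants, through one hash
    memory; returns (flagged, match_count) for each packet in that order.
    Threshold 2 means one whole block recurred under both hash functions."""
    memory = HashMemory(threshold)
    return [memory.observe(p) for p in BENIGN + WORM_VARIANTS]


if __name__ == "__main__":
    for i, (flagged, n) in enumerate(run_detector()):
        print(f"packet {i}: {n} recurring hash values, flagged={flagged}")
    known = block_hash_values(WORM_BODY)
    infected = pseudo_random_bytes(b"junk", 100) + WORM_BODY
    print("infected file flagged:", file_matches_known(known, infected, 2))
    print("clean file flagged:", file_matches_known(known, BENIGN[0], 2))
```

Run stand-alone, the three benign packets and the first worm variant show no recurring values, and the later variants are flagged because their shared body yields the same interior blocks despite the differing prefix. The caveat a deployment has to handle, which the claims leave to the specification, is that retransmissions, common protocol preambles and popular downloads recur as well: the threshold, aging of the hash memory and allow-lists decide the false-positive rate, and the file check of claim 37 only works if the worm's hash values were produced with the same chunking parameters as the scan.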