Heuristic detection and termination of fast spreading network worm attacks
Abstract
Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.
39 Claims
1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:
observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A computer-implemented method for detecting a worm on a network device, the method comprising the steps of:
monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
logging the process and the destination network address associated with a set of failed connection attempts; and
responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm.
Dependent claims: 14, 15, 16, 17.

18. A computer-implemented method for detecting a worm on a network, the method comprising the steps of:
monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
logging the network device and the destination network address associated with a set of failed connection attempts; and
responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm.
Dependent claims: 19, 20, 21.

22. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm infection on a set of sources coupled to a network, the computer program code comprising instructions for performing the steps of:
observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm.
Dependent claims: 23, 24, 25, 26, 27, 28.

29. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network device, the computer program code comprising instructions for performing the steps of:
monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
logging the process and the destination network address associated with a set of failed connection attempts; and
responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm.

30. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network, the computer program code comprising instructions for performing the steps of:
monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
logging the network device and the destination network address associated with a set of failed connection attempts; and
responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm.

31. A system for detecting a worm, the system comprising:
a network monitoring module configured to observe a plurality of failed network connection attempts, each failed network connection attempt originating from any of a set of sources and directed to a destination network address;
a logging module coupled to the network monitoring module for logging the failed attempts; and
an analysis module coupled to the logging module for declaring a presence of a worm responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria.
Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39.
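The analysis step of claims 1 and 31 (a per-source sliding window of failed connection attempts checked against threshold criteria), written out as an added example that is not code from the patent. The log records, the window length and the two threshold criteria (raw failure count and number of distinct destinations) are assumed values, since the claims shown here leave the criteria to the dependent claims; the same source key can be a process identifier to cover claims 13 and 18.

```python
from collections import defaultdict, deque


def constructed_log():
    """Constructed (timestamp_s, source, destination) failure records, not real data."""
    records = []
    # 10.0.0.5: 30 failures to 30 distinct addresses within 6 s (spread-like pattern)
    for i in range(30):
        records.append((i * 0.2, "10.0.0.5", f"192.0.2.{i + 1}"))
    # 10.0.0.11: 25 failures within 5 s, but only two destinations (hammering)
    for i in range(25):
        records.append((i * 0.2, "10.0.0.11", f"203.0.113.{1 + i % 2}"))
    # 10.0.0.7: 15 slow retries to one unreachable server over 30 s (benign)
    for i in range(15):
        records.append((i * 2.0, "10.0.0.7", "198.51.100.9"))
    # 10.0.0.9: a handful of ordinary failures
    for i in range(3):
        records.append((i * 5.0, "10.0.0.9", f"192.0.2.{100 + i}"))
    return records


def detect_worms(records, window_s=10.0, max_failures=20, max_distinct=10):
    """Return {source: reason} for every source whose failed attempts inside a
    sliding window of window_s seconds meet at least one threshold criterion.
    The thresholds are assumed values chosen for this example."""
    windows = defaultdict(deque)   # source -> recent (timestamp, destination) pairs
    flagged = {}
    for ts, src, dst in sorted(records):   # process the log in time order
        q = windows[src]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:     # drop entries that aged out of the window
            q.popleft()
        if src in flagged:                 # already declared; no need to re-check
            continue
        distinct = len({d for _, d in q})
        if len(q) >= max_failures:
            flagged[src] = f"{len(q)} failures in {window_s}s"
        elif distinct >= max_distinct:
            flagged[src] = f"{distinct} distinct destinations in {window_s}s"
    return flagged


if __name__ == "__main__":
    for src, reason in detect_worms(constructed_log()).items():
        print(f"worm suspected on {src}: {reason}")
```

The benign retrier (10.0.0.7) stays below both thresholds because its failures are spread over time and hit a single destination, which is the distinction the threshold criteria are meant to draw.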