Heuristic detection and termination of fast spreading network worm attacks

US 20040083408A1
Filed: 10/24/2002
Published: 04/29/2004
Est. Priority Date: 10/24/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:

observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and

responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a sources is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source'"'"'s failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source'"'"'s network access.

Citations

39 Claims

1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
  
  responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein at least one source is a process running on a network device.
  - 3. The method of claim 2, further comprising the step of:
    - responsive to a declaration of a worm, terminating the process associated with the declared worm.
  - 4. The method of claim 1, wherein at least one source is a network device coupled to a network.
  - 5. The method of claim 4, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device associated with the declared worm.
  - 6. The method of claim 1, further comprising the step of:
    - responsive to a declaration of a worm, alerting a user.
  - 7. The method of claim 1, further comprising the step of:
    - responsive to a declaration of a worm, alerting a system administrator.
  - 8. The method of claim 1, wherein the threshold criteria comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 9. The method of claim 1, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
  - 10. The method of claim 1, wherein the threshold criteria comprise a weighting associated with at least one of the failed network connection attempts according to an attribute thereof.
  - 11. The method of claim 1, wherein a threshold criterion applied to a source depends on the source, and different threshold criteria are used for different sources.
  - 12. The method of claim 1, wherein the step of declaring a worm comprises excluding a source from the threshold criteria, whereby the source'"'"'s failed network connection attempts do not cause a presence of a worm to be declared.

13. A computer-implemented method for detecting a worm on a network device, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
  
  logging the process and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, further comprising the step of:
    - responsive to a declaration of a worm, terminating the process associated with the non-normal failed connection attempts.
  - 15. The method of claim 13, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device.
  - 16. The method of claim 13, wherein the determination of non-normalcy is based at least in part on:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 17. The method of claim 13, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

18. A computer-implemented method for detecting a worm on a network, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
  
  logging the network device and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device.
  - 20. The method of claim 18, wherein the determination of non-normalcy is based at least in part on:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 21. The method of claim 18, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

22. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm infection on a set of sources coupled to a network, the computer program code comprising instructions for performing the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
  
  responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The computer program product of claim 22, wherein at least one source is a process running on a network device.
  - 24. The computer program product of claim 23, the instructions for further performing the step of:
    - responsive to a declaration of a worm, terminating the process associated with the declared worm.
  - 25. The computer program product of claim 22, wherein at least one source is a network device coupled to a network.
  - 26. The computer program product of claim 25, the instructions for further performing the step of:
    - responsive to a declaration of a worm, terminating network access of the network device associated with the declared worm.
  - 27. The computer program product of claim 22, wherein the threshold criteria comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 28. The computer program product of claim 22, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

29. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network device, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
  
  logging the process and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm.

30. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
  
  logging the network device and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm.

31. A system for detecting a worm, the system comprising:
- a network monitoring module configured to observe a plurality of failed network connection attempts, each failed network connection attempt originating from any of a set of sources and directed to a destination network address;
  
  a logging module coupled to the network monitoring module for logging the failed attempts; and
  
  an analysis module coupled to the logging module for declaring a presence of a worm responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The system of claim 31, wherein the threshold criteria comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 33. The system of claim 31, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
  - 34. The system of claim 31, wherein the threshold criteria comprise a weighting associated with at least one of the failed network connection attempts according to an attribute thereof.
  - 35. The system of claim 31, further comprising:
    - a response module coupled to the analysis module, the response module configured to respond to the worm upon a declaration thereof.
  - 36. The system of claim 35, wherein the response module is configured to alert a user of a declared worm.
  - 37. The system of claim 31, wherein at least one source is a process running on a network device, and the response module is configured to terminate the process associated with a declared worm.
  - 38. The system of claim 31, wherein at least one source is a network device coupled to a network, and the response module is configured to terminate network access of the network device associated with a declared worm.
  - 39. The system of claim 31, wherein the analysis module is configured to exclude a source from the threshold criteria, whereby the source'"'"'s failed network connection attempts do not cause the analysis module to declare a worm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Spiegel, Mark, Sobel, William

Granted Patent

US 7,159,149 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/43
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Heuristic detection and termination of fast spreading network worm attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Heuristic detection and termination of fast spreading network worm attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links