Method and system for reducing the rate of infection of a communications network by a software worm

US 20040111531A1
Filed: 12/06/2002
Published: 06/10/2004
Est. Priority Date: 12/06/2002
Status: Abandoned Application

First Claim

Patent Images

1. In a communications network having at least near real-time constraints, and the network including a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:

a. monitoring at least a fraction of messages transmitted from a first network address of a first system;

b. determining by a monitoring system if each monitored message falls within a check class definition;

c. counting the incidence of messages that fall within the check class definition;

d. determining if the incidence of monitored messages falling within the check class definition exceeds a preset rate; and

e. when the preset rate is exceeded, discarding an unreceived message denoted as issued by the first network address that fails to meet a whitelist class definition.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The methods and systems described herein provide for the detection of a software worm in a computer network, such as the Internet, and/or a limitation of the rate of infection of a software worm within a computer network. In a preferred embodiment, a worm detector software module observes the behavior of, and optionally inspects the electronic messages sent from, a particular computer system, network address, virtual machine, and/or cluster. A worm screen software program edits the flow of traffic from the network address when a possibility of a worm infection achieves a certain level. This editing may include the discarding or rerouting for storage or analysis of messages prepared for transmission by a particular computer system, network address, virtual machine, and/or cluster monitored by the worm screen. The worm screen may be co-located with the worm detector, or comprised within a same software program.

387 Citations

5 Claims

1. In a communications network having at least near real-time constraints, and the network including a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
- a. monitoring at least a fraction of messages transmitted from a first network address of a first system;
  
  b. determining by a monitoring system if each monitored message falls within a check class definition;
  
  c. counting the incidence of messages that fall within the check class definition;
  
  d. determining if the incidence of monitored messages falling within the check class definition exceeds a preset rate; and
  
  e. when the preset rate is exceeded, discarding an unreceived message denoted as issued by the first network address that fails to meet a whitelist class definition.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the method further comprises simulating a computer software worm infection, comprising:
    - f. establish a check class definition;
      
      g. monitoring the communications network by a plurality of monitoring systems, each monitoring system inspecting messages at a separate monitoring location within the network;
      
      h. setting an incidence threshold of messages falling within the check class definition that when exceeded at at least one monitoring location triggers an issuance of a worm alert by at least one monitoring system;
      
      i. identifying a host list of vulnerable network addresses;
      
      j. identifying a source network address as infected by a software worm;
      
      k. run a spreading algorithm from the source network address;
      
      l. monitoring the vulnerable network addresses for signs of a simulated infection by the spreading algorithm; and
      
      m. continuing the running of the spreading algorithm until all network addresses identified on the host list are determined to be infected by the spreading algorithm.
  - 3. The method of claim 2, the method further comprising ceasing the running of the spreading algorithm when until all network addresses identified on the host list are determined to be in a state selected from the group consisting of (1) infected by the spreading algorithm and (2) entered on a blacklist.

4. In a communications network having a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
- a. creating a whitelist;
  
  b. detecting a possible worm infection in the network; and
  
  c. discarding a message sent to a first network address where the message does not conform to the whitelist.

5. In a communications network having a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
- a. detecting a possible worm infection in the network;
  
  b. taking counter measures to reduce the progress of infection;
  
  c. determining if the progress of the worm infection is sufficiently impeded; and
  
  d. when the progress of worm infection is insufficiently impeded, taking additional countermeasures to reduce progress of the worm infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Christopher Jason Coit, Clifford Kahn, Nicholas C. Weaver, Roel Jonkman, Stuart Staniford
Original Assignee
Christopher Jason Coit, Clifford Kahn, Nicholas C. Weaver, Roel Jonkman, Stuart Staniford
Inventors
Staniford, Stuart, Jonkman, Roel, Weaver, Nicholas C., Kahn, Clifford, Coit, Christopher Jason

Application Number

US10/313,623
Publication Number

US 20040111531A1
Time in Patent Office

Days
Field of Search
US Class Current

709/246
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 67/63   Routing a service request d...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method and system for reducing the rate of infection of a communications network by a software worm

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

387 Citations

5 Claims

Specification

Use Cases

Quick Links

Others

Method and system for reducing the rate of infection of a communications network by a software worm

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

387 Citations

5 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others