Method and system for reducing the rate of infection of a communications network by a software worm
Abstract
The methods and systems described herein provide for the detection of a software worm in a computer network, such as the Internet, and/or a limitation of the rate of infection of a software worm within a computer network. In a preferred embodiment, a worm detector software module observes the behavior of, and optionally inspects the electronic messages sent from, a particular computer system, network address, virtual machine, and/or cluster. A worm screen software program edits the flow of traffic from the network address when a possibility of a worm infection achieves a certain level. This editing may include the discarding or rerouting for storage or analysis of messages prepared for transmission by a particular computer system, network address, virtual machine, and/or cluster monitored by the worm screen. The worm screen may be co-located with the worm detector, or comprised within a same software program.
5 Claims
1. In a communications network having at least near real-time constraints, and the network including a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
a. monitoring at least a fraction of messages transmitted from a first network address of a first system;
b. determining by a monitoring system if each monitored message falls within a check class definition;
c. counting the incidence of messages that fall within the check class definition;
d. determining if the incidence of monitored messages falling within the check class definition exceeds a preset rate; and
e. when the preset rate is exceeded, discarding an unreceived message denoted as issued by the first network address that fails to meet a whitelist class definition.

4. In a communications network having a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
a. creating a whitelist;
b. detecting a possible worm infection in the network; and
c. discarding a message sent to a first network address where the message does not conform to the whitelist.

5. In a communications network having a plurality of network addresses, a method for reducing the rate of infection of a software worm, the method comprising:
a. detecting a possible worm infection in the network;
b. taking counter measures to reduce the progress of infection;
c. determining if the progress of the worm infection is sufficiently impeded; and
d. when the progress of worm infection is insufficiently impeded, taking additional countermeasures to reduce progress of the worm infection.
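Steps a through e of claim 1, sketched as an added Python example (not code from the patent or its applicant). The check class (destination port 445), the whitelist class (a set of known servers), the sliding one-second window standing in for the "preset rate", and all addresses and traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Callable, NamedTuple

class Message(NamedTuple):
    ts: float    # send time, seconds
    src: str     # issuing network address
    dst: str
    dport: int

class WormScreen:
    """Per-source rate check with whitelist-only fallback (steps a-e of claim 1)."""
    def __init__(self, check_class: Callable, whitelist_class: Callable,
                 max_count: int, window: float):
        self.check_class = check_class
        self.whitelist_class = whitelist_class
        self.max_count = max_count          # "preset rate" = max_count per window
        self.window = window
        self.hits = defaultdict(deque)      # src -> times of check-class messages

    def rate_exceeded(self, src: str, now: float) -> bool:
        q = self.hits[src]
        while q and q[0] <= now - self.window:   # drop counts older than the window
            q.popleft()
        return len(q) > self.max_count           # step d

    def forward(self, msg: Message) -> bool:
        """True = pass the message on, False = discard it before delivery."""
        if self.check_class(msg):                    # step b
            self.hits[msg.src].append(msg.ts)        # step c
        if self.rate_exceeded(msg.src, msg.ts):
            return self.whitelist_class(msg)         # step e
        return True

# Constructed policy and traffic (assumptions, not from the patent).
KNOWN_SERVERS = {"10.0.0.10"}
def is_smb(m): return m.dport == 445
def is_known(m): return m.dst in KNOWN_SERVERS

def demo():
    screen = WormScreen(is_smb, is_known, max_count=5, window=1.0)
    traffic = [Message(0.0, "10.0.0.5", "10.0.0.10", 445)]
    traffic += [Message(10 + i / 10, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(8)]
    traffic += [Message(10.75, "10.0.0.6", "10.0.1.9", 445),
                Message(10.8, "10.0.0.5", "10.0.0.10", 445),
                Message(12.0, "10.0.0.5", "10.0.1.20", 445)]
    return [(m, screen.forward(m)) for m in traffic]

if __name__ == "__main__":
    for m, ok in demo():
        print(f"{m.ts:5.2f} {m.src} -> {m.dst}:{m.dport} {'forward' if ok else 'DISCARD'}")
```

In this sketch the screen applies only while the windowed count stays above the threshold; the claim does not say how long discarding continues, so that release behaviour is a design choice of the example.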
Specification