Automatic client responses to worm or hacker attacks

US 20040117640A1
Filed: 12/17/2002
Published: 06/17/2004
Est. Priority Date: 12/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method of responding to a suspected attack of a computing device on a network, the method comprising:

responsive to receiving notification information indicative of the suspected attack, automatically evaluating the notification information;

selecting at least one response based upon the evaluation; and

executing at least one of the selected responses to reduce consequences of the attack

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration.

Citations

28 Claims

1. A method of responding to a suspected attack of a computing device on a network, the method comprising:
- responsive to receiving notification information indicative of the suspected attack, automatically evaluating the notification information;
  
  selecting at least one response based upon the evaluation; and
  
  executing at least one of the selected responses to reduce consequences of the attack
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the notification information contains information selected from:
    - at least one network address of a system on the network suspected of being compromised;
      
      an identification of specific software associated with the attack; and
      
      a list of vulnerable applications and operating systems.
  - 3. The method of claim 1, wherein evaluating the notification information is influenced by factors selected from the group of:
    - a criticality of the applications running on the evaluating device;
      
      vulnerability of the applications running on the individual device to the attack;
      
      connectivity of the device to the network and other individual devices; and
      
      the operating system of the individual network device.
  - 4. The method of claim 1, wherein the automatic client responses for the network device selected comprise actions selected from the group comprising:
    - notifying network administration;
      
      immediately shutting down said device;
      
      staged shutdown of said device;
      
      shutdown of selected services running on said device;
      
      updating of anti-virus software;
      
      activation of anti-virus software; and
      
      selective handling of data sent from an address associated with the network device identified as compromised.
  - 5. The method of claim 4, wherein the selection of responses occurs automatically based on rules input by network administration during a setup process.
  - 6. The method of claim 4 wherein the selection of responses is performed by network administration interacting with the device.
  - 7. The method of claim 4 wherein the updating of anti-virus software includes a request to another device on the network on which network anti-virus software resides for updating virus definitions.
  - 8. The method of claim 4 wherein the updating of anti-virus software includes a request to a device outside of a local area network on which resides updated virus definitions and anti-virus software.
  - 9. The method of claim 4 wherein the selective handling of data sent from the address of the network device identified as compromised is an action selected from:
    - removal of all data sent from the address of the device identified as compromised;
      
      quarantine of all data sent from the address of the device identified as compromised; and
      
      filtering of all data sent from the address of the device identified as compromised.
  - 10. The method of claim 1, wherein executing of the selected responses occurs immediately upon selection.
  - 11. The method of claim 1 wherein execution of the selected responses occurs at predetermined intervals of time.

12. A computer program stored on a storage medium for storing computer executable management agent program code, capable of invoking an automatic client response to worm and hacker attacks within a local area network, comprising:
- program code means for evaluating a notification of a worm or hacker attack;
  
  program code means for selecting an automatic client response to reduce the vulnerability of the network device to the worm or hacker attack; and
  
  program code means for executing selected automatic responses by the network device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer program product of claim 12, wherein the notification information to be evaluated by the program code contains information selected from:
    - at least one network address of a system on the network suspected of being compromised;
      
      an identification of specific software associated with the attack; and
      
      a list of vulnerable applications and operating systems.
  - 14. The computer program product of claim 12, wherein the code means for evaluating the notification is based at least in part by factors selected from:
    - a criticality of the applications running on the evaluating device;
      
      vulnerability of the applications running on the individual device to a given type of attack;
      
      connectivity of the device to the network and other individual devices; and
      
      the operating system of the individual network device.
  - 15. The computer program product of claim 12, wherein the code means for selecting one or more automatic client responses include program code means selected from:
    - program code means for notifying of network administration;
      
      program code means for immediately shutting down said device;
      
      program code means for staged shutdown of said device;
      
      program code means for shutdown of selected services running on said device;
      
      program code means for updating anti-virus software on said device;
      
      program code means for activation of anti-virus software; and
      
      program code means for selective handling of data sent from an address of a network device identified as compromised.
  - 16. The computer program product of claim 15, wherein the program code means for selecting executes automatically based on rules input by network administration during a setup process.
  - 17. The computer program product of claim 15, further comprising program code means for updating of anti-virus software by a request to a server on the network, on which network anti-virus software for updated virus definitions resides.
  - 18. The computer program product of claim 15, wherein the code means for selective handling of data sent from an address of the network device identified as compromised includes code means selected from:
    - code means for removing data sent from the address of the device identified as compromised;
      
      code means for quarantining data sent from the address of the device identified as compromised; and
      
      code means for filtering data sent from the address of the device identified as compromised.
  - 19. The computer program product of claim 12, wherein the code means for executing selected responses executes immediately upon selection.

20. A computer network, comprising one or more network devices wherein at least one of said network devices, comprises:
- means for evaluating attack notification information received from another device on the network;
  
  means for selecting an automatic client response to reduce or eliminate the device'"'"'s vulnerability to the attack; and
  
  means for executing the selected automatic response.
- View Dependent Claims (21, 22, 24, 25, 26, 27, 28)
- - 21. The computer network of claim 20 wherein the notification information to be evaluated by at least one device on the network contains information selected from:
    - at least one network addresses of a system on the network suspected of being compromised;
      
      an identification of the specific worm software; and
      
      a list of vulnerable applications and operating systems.
  - 22. The computer network of claim 20 wherein the network device evaluates the notification based at least in part on factors selected from:
    - a criticality of the applications running on the evaluating device;
      
      vulnerability of the applications running on the individual device to a given type of attack;
      
      connectivity of the device to the network and other individual devices; and
      
      the operating system of the individual network device.
  - 24. The computer network of claim 20, wherein the automatic responses selected by the network device comprise actions selected from the group comprising:
    - notifying network administration;
      
      immediately shutting down said device;
      
      staged shutdown of said device;
      
      shutdown of selected services running on said device;
      
      updating of anti-virus software;
      
      activation of anti-virus software; and
      
      selective handling of data sent from an address associated with the network device identified as compromised.
  - 25. The computer network of claim 24, wherein the network device selects a response automatically based on rules input by network administration during a setup process.
  - 26. The computer network of claim 24, wherein the network device updates anti-virus software by a request to another device on the network, such as a server, on which may reside network anti-virus software for updated virus definitions.
  - 27. The computer network of claim 24, wherein the network device updates anti-virus software by a request to a device outside of the local area network on which resides updated virus definitions and anti-virus software.
  - 28. The computer network of claim 24, wherein the selective handling by the network device of data sent from the address of the network device identified as compromised is an action selected from a list comprised of:
    - removing data sent from the address of the device identified as compromised;
      
      quarantining data sent from the address of the device identified as compromised; and
      
      filtering data sent from the address of the device identified as compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Hunter, Steven W., Chu, Simon C., Piazza, William Joseph, Pruett, Gregory Brian

Granted Patent

US 7,418,730 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/145 the attack involving the pr...

Automatic client responses to worm or hacker attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic client responses to worm or hacker attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links