Propagation of viruses through an information technology network

US 20040218615A1
Filed: 04/28/2004
Published: 11/04/2004
Est. Priority Date: 04/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method of operating a first host within a network of a plurality of hosts comprising the steps of:

over the course of a first time interval, monitoring requests received at the first host from a second host to send data to destination hosts;

comparing destination hosts identified in requests monitored during the first time interval with destination host identities in a record; and

at least one of;

storing in a buffer data relating to requests which identify a destination host not in the record;

or limiting passage of data from the second host to destination hosts within the network over the course of the first time interval, so that during the first time interval the second host is unable to send data via the first host to more than a predetermined number of destination hosts not in the record.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a first host within a network of a plurality of hosts. Over the course of a first time interval, requests received at the first host from a second host to send data to destination hosts are monitored. Identities of destination hosts monitored during the first time interval are compared with destination host identities in a record. Then, either data relating to requests which identify a destination host not in the record are stored in a storage buffer. Or the passage of data from the second host to the destination host within the network is limited over the course of the first time interval, so that during the first time interval the second host is unable to send data to more than a predetermined number of hosts not in the record.

83 Citations

View as Search Results

35 Claims

1. A method of operating a first host within a network of a plurality of hosts comprising the steps of:
- over the course of a first time interval, monitoring requests received at the first host from a second host to send data to destination hosts;
  
  comparing destination hosts identified in requests monitored during the first time interval with destination host identities in a record; and
  
  at least one of;
  
  storing in a buffer data relating to requests which identify a destination host not in the record;
  
  or limiting passage of data from the second host to destination hosts within the network over the course of the first time interval, so that during the first time interval the second host is unable to send data via the first host to more than a predetermined number of destination hosts not in the record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 35)
- - 2. A method as claimed in claim 1, wherein the first host is at least one of:
    - a router, a switch, a SOCKS server, or a proxy.
  - 3. A method according to claim 1, further comprising the step of establishing the record by monitoring the identities of hosts to whom data has been sent by the second host over the course of a further time interval which precedes the first time interval.
  - 4. A method according to claim 3, further comprising the step of updating the record to include the identity of at least one destination host to whom data was sent by the second host during the first time interval and which was not in the record during the first time interval.
  - 5. A method according to claim 1, further comprising the steps of:
    - diverting requests to contact destination hosts not in the record to a delay buffer; and
      
      transmitting the predetermined number of requests from the delay buffer at the end of the first time interval.
  - 6. A method according to claim 5, further comprising the step of monitoring the size of the delay buffer, and in the event that the delay buffer exceeds a predetermined size, generating a warning.
  - 7. A method as claimed in claim 1, further comprising the step of transmitting from the first host all requests to send data.
  - 8. A method as claimed in claim 1, further comprising the step of monitoring the size of the buffer, and in the event that the buffer exceeds a predetermined size, generating a warning.
  - 9. A method as claimed in claim 8, further comprising the step of preventing the transmission of data from the second host to destination hosts if a warning is generated.
  - 10. A method as claimed in claim 9, wherein the transmission of data to destination hosts is prevented at the first host.
  - 11. A method as claimed in claim 9, wherein the transmission of data to destination hosts is prevented by the second host receiving the warning, and the second host stopping sending requests to send data to the destination hosts.
  - 12. A memory storing a computer program for causing a computer to perform the method as claimed in claim 1.
  - 13. A computer readable medium storing the computer program claimed in claim 12.
  - 35. A method as claimed in claim 6, further comprising the step of preventing the transmission of data from the second host to destination hosts if a warning is generated.

14. A method of operating a host within a network which receives requests from an originating host to direct data to a destination host, the method comprising the steps of:
- monitoring requests to direct data to destination hosts over the course of successive time intervals; and
  
  for each interval of time and for each originating host, creating a dispatch record for requests which have occurred within the scope of a policy, and a buffer record for request which have occurred outside the scope of the policy.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 15. A method according to claim 14, wherein each originating host is identified by a layer two network address.
  - 16. A method according to claim 14 wherein the layer two network address is a MAC address of the originating host.
  - 17. A method according to claim 14 wherein each dispatch record for an originating host includes data entries identifying destination hosts to whom data has been directed, and the policy defines a maximum number of entries the dispatch record may contain.
  - 18. A method according to claim 17 wherein the dispatch record for an originating host is updated at the end of each time interval to indicate identities of destination hosts to whom data has most recently been directed in accordance with the policy.
  - 19. A method according to claim 18 wherein in each time interval the policy permits data to be directed to a predetermined number of destination hosts which are not identified in the dispatch record.
  - 20. A method according to claim 19 wherein after updating, the dispatch record identifies a predetermined number of destination hosts to whom data has most recently been sent in accordance with the policy.
  - 21. A method according to claim 20 wherein updating the dispatch record includes the step of deleting an entry identifying a destination host from the dispatch record and replacing the deleted entry with an entry identifying a destination host to whom data has more recently been directed.
  - 22. A method according to claim 14 wherein each buffer record for an originating host includes a plurality of entries, each identifying a request to direct data to destination hosts which are not identified in the dispatch record, each entry in the buffer record identifying the destination hosts in respect of which the request was made.
  - 23. A method according to claim 22 wherein buffer records are periodically updated at a predetermined time intervals.
  - 24. A method according to claim 23 further comprising the steps of:
    - upon receipt of a request to direct data to a destination host, comparing the destination host'"'"'s identity with destination hosts identified in the dispatch record of the originating host;
      
      if the dispatch record does not identify the destination host, adding an entry to the buffer of the originating host identifying the aforesaid request.
  - 25. A method according to claim 24 further comprising the step, at the end of a time interval, of removing a number of entries from the buffer record of an originating host in accordance with the policy, the buffer record of the originating host thereby providing, following the removal step, a record of requests to direct data which are outside the scope of the policy.
  - 26. A method according to claim 25 wherein the policy specifies removal of a predetermined number of entries on a first in, first out basis.
  - 27. A method according to claim 25 further comprising the step of determining whether the aforesaid number is above or below a threshold defining viral infection of the originating host by monitoring the number of entries identified in the buffer record for an originating host.
  - 28. A method according to claim 25 further comprising the step of monitoring a rate of increase of the number of entries identified in the buffer record, and in the event that the rate of increase of the buffer record exceeds a threshold value, generating a warning.
  - 29. A method according to claim 22 further comprising the step of inhibiting transmission of any request for which an entry exists in the buffer.
  - 30. A method according to claim 29 further comprising the step of transmitting requests upon removal of their entry in the buffer record at the end of a time interval and in accordance with the policy.
  - 31. A method according to claim 21 further comprising the step of transmitting all requests in the buffer.
  - 32. A method according to claim 14 wherein the buffer record is provided by a buffer to which requests are diverted.

33. A computing entity which operates to receive data from an originating host and direct the received data to a destination host, the computing entity being adapted to:
- monitor requests to direct data to destination hosts over the course of successive time intervals; and
  
  for each interval of time and for each originating host, create a dispatch record for requests which have occurred within the scope of a policy, and a buffer record for request which have occurred outside the scope of the policy.
- View Dependent Claims (34)
- - 34. A computing entity according to claim 33, wherein the entity is selected from the group consisting of:
    - a router, a switch, a SOCKS server, or a proxy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Edwards, Aled Justin, Griffin, Jonathan, Norman, Andrew Patrick, Williamson, Matthew Murray

Granted Patent

US 7,796,515 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/145 the attack involving the pr...

Propagation of viruses through an information technology network

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Propagation of viruses through an information technology network

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links