Detecting and protecting against worm traffic on a network
Abstract
A method for processing communication traffic includes monitoring the communication traffic that is directed to a group of addresses on a network, and determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the group. Deviations from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group are detected, as an indication that at least some of the communication traffic may be of malicious origin. Responsively to detecting the deviation, the communication traffic that is directed to all of the addresses in the group is filtered so as to remove at least some of the communication traffic that is of the malicious origin.
Claims (102)

1. A method for processing communication traffic, comprising:
monitoring the communication traffic that is directed to a group of addresses on a network;
determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the group;
detecting a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, such that the deviation is indicative that at least some of the communication traffic may be of malicious origin; and
responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.
(Claims 2 through 24 depend on claim 1.)
25. A method for processing communication traffic, comprising:
monitoring the communication traffic originating from a group of addresses and passing through a selected node on a network;
detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses; and
tracing a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running.
(Claims 26 through 28 depend on claim 25.)
29. A method for processing communication traffic, comprising:
monitoring the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection;
detecting an increase in a rate of arrival of the packets that are indicative of the communication failure; and
responsively to the increase, filtering the communication traffic so as to remove at least some of the communication traffic that is generated by the worm infection.
(Claims 30 and 31 depend on claim 29.)
32. A method for processing communication traffic, comprising:
monitoring the communication traffic on a network so as to detect ill-formed packets;
making a determination, responsively to the ill-formed packets, that at least some of the communication traffic has been generated by a worm infection; and
responsively to the determination, filtering the communication traffic so as to remove the at least some of the communication traffic that is generated by the worm infection.
(Claims 33 and 34 depend on claim 32.)
35. Apparatus for processing communication traffic, comprising a guard device, which is adapted to monitor the communication traffic that is directed to a group of addresses on a network, to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the group, to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, such that the deviation is indicative that at least some of the communication traffic may be of malicious origin, and responsively to detecting the deviation, to filter the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.

59. Apparatus for processing communication traffic, comprising a guard device, which is adapted to monitor the communication traffic originating from a group of addresses and passing through a selected node on a network, to detect a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses, and to trace a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running.

63. Apparatus for processing communication traffic, comprising a guard device, which is adapted to monitor the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection, to detect an increase in a rate of arrival of the packets that are indicative of the communication failure, and responsively to the increase, to filter the communication traffic so as to remove at least some of the communication traffic that is generated by the worm infection.

66. Apparatus for processing communication traffic, comprising a guard device, which is adapted to monitor the communication traffic on a network so as to detect ill-formed packets, to make a determination, responsively to the ill-formed packets, that at least some of the communication traffic has been generated by a worm infection, and responsively to the determination, to filter the communication traffic so as to remove the at least some of the communication traffic that is generated by the worm infection.

69. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication traffic that is directed to a group of addresses on a network, to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the group, to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, such that the deviation is indicative that at least some of the communication traffic may be of malicious origin, and responsively to detecting the deviation, to filter the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.

93. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor the communication traffic originating from a group of addresses and passing through a selected node on a network, to detect a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses, and to trace a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running.

97. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection, to detect an increase in a rate of arrival of the packets that are indicative of the communication failure, and responsively to the increase, to filter the communication traffic so as to remove at least some of the communication traffic that is generated by the worm infection.

100. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor the communication traffic on a network so as to detect ill-formed packets, to make a determination, responsively to the ill-formed packets, that at least some of the communication traffic has been generated by a worm infection, and responsively to the determination, to filter the communication traffic so as to remove the at least some of the communication traffic that is generated by the worm infection.
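The detection logic of claims 1 and 29 (and their apparatus and software counterparts, claims 35, 63, 69 and 97), as an added illustration that is not part of the patent text: per-address baselines of packet counts per interval, a deviation threshold on one address, group-wide filtering of the sources judged to be of malicious origin, and a rate-increase check on packets that indicate a communication failure. The Packet record, the k-sigma threshold, the min_packets rule used to pick suspicious sources, the failure-rate factor, and all addresses and traffic are assumptions constructed for the example; the patent specifies none of these values.

```python
"""Toy guard-device logic for claims 1 and 29 (added example; field names,
thresholds and sample traffic are assumptions, not from the patent)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """One observed packet. 'failure' marks a packet that indicates a
    communication failure (e.g. an ICMP unreachable or TCP RST), the kind
    of packet claim 29 counts."""
    src: str
    dst: str
    size: int
    failure: bool = False


def per_address_baseline(intervals, group):
    """Claim 1, step 2: respective baseline for each address in the group,
    here (mean, population std-dev) of packets per interval."""
    counts = defaultdict(list)
    for pkts in intervals:
        seen = defaultdict(int)
        for p in pkts:
            if p.dst in group:
                seen[p.dst] += 1
        for addr in group:
            counts[addr].append(seen[addr])
    return {a: (mean(v), pstdev(v)) for a, v in counts.items()}


def deviating_addresses(pkts, baseline, k=3.0):
    """Claim 1, step 3: addresses whose count in this interval exceeds
    mean + k * std-dev (k and the std-dev floor of 1.0 are assumptions)."""
    seen = defaultdict(int)
    for p in pkts:
        if p.dst in baseline:
            seen[p.dst] += 1
    return sorted(a for a, (m, s) in baseline.items()
                  if seen[a] > m + k * max(s, 1.0))


def suspicious_sources(pkts, deviating, min_packets=5):
    """Assumption: sources sending at least min_packets to a deviating
    address in the interval are treated as the malicious origin."""
    seen = defaultdict(int)
    for p in pkts:
        if p.dst in deviating:
            seen[p.src] += 1
    return {s for s, n in seen.items() if n >= min_packets}


def filter_group(pkts, group, sources):
    """Claim 1, step 4: filter traffic directed to ALL addresses in the
    group, not only the one that deviated, dropping the flagged sources."""
    return [p for p in pkts if not (p.dst in group and p.src in sources)]


def failure_rate_increase(intervals, factor=4.0):
    """Claim 29: True when failure-indicative packets in the latest interval
    exceed `factor` times their mean rate in earlier intervals."""
    rates = [sum(p.failure for p in pkts) for pkts in intervals]
    if len(rates) < 2:
        return False
    return rates[-1] > factor * max(mean(rates[:-1]), 1.0)


GROUP = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}  # constructed protected hosts


def _normal_interval(seed):
    """Constructed: three or four packets from legitimate clients per host."""
    pkts = []
    for i, dst in enumerate(sorted(GROUP)):
        for j in range(3 + (seed + i) % 2):
            pkts.append(Packet(f"192.0.2.{10 + j}", dst, 500))
    return pkts


BASELINE_INTERVALS = [_normal_interval(s) for s in range(5)]

# Constructed: one infected host floods 10.0.0.2, sends a single probe to
# 10.0.0.3, and its activity provokes failure packets on the network.
ATTACK_INTERVAL = (
    _normal_interval(5)
    + [Packet("203.0.113.7", "10.0.0.2", 60) for _ in range(40)]
    + [Packet("203.0.113.7", "10.0.0.3", 60)]
    + [Packet("10.0.0.2", "203.0.113.7", 40, failure=True) for _ in range(12)]
)


def run_demo():
    """Apply both checks to the constructed traffic; returns the findings."""
    baseline = per_address_baseline(BASELINE_INTERVALS, GROUP)
    deviating = deviating_addresses(ATTACK_INTERVAL, baseline)
    sources = suspicious_sources(ATTACK_INTERVAL, deviating)
    kept = filter_group(ATTACK_INTERVAL, GROUP, sources)
    return {
        "baseline": baseline,
        "deviating": deviating,            # only 10.0.0.2 deviates
        "suspicious": sources,
        "kept": len(kept),
        "dropped": len(ATTACK_INTERVAL) - len(kept),  # 41: the single probe to 10.0.0.3 goes too
        "failure_spike": failure_rate_increase(BASELINE_INTERVALS + [ATTACK_INTERVAL]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the group-wide step makes is visible in the counts: 10.0.0.3 never crosses its own threshold, yet the probe it received from the flagged source is dropped because the filter is applied to every address in the group once any one of them deviates.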