Intrusion detection with automatic signature generation

US 20050262560A1
Filed: 05/18/2005
Published: 11/24/2005
Est. Priority Date: 05/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious programs within a computer network comprising:

monitoring at least one first packet of data communicated over said network;

analyzing said at least one first packet of data to detect the presence of a malicious program;

generating a signature of said at least one first packet of data when a malicious program is detected;

monitoring at least one second packet of data communicated over said network; and

detecting evidence of said malicious program in said at least one second packet of data utilizing said generated signature.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious programs within a computer network includes monitoring at least one first packet of data communicated over the network, analyzing the at least one first packet of data to detect the presence of a malicious program, generating a signature of the at least one first packet of data when a malicious program is detected, monitoring at least one second packet of data communicated over the network and detecting evidence of the malicious program in the at least one second packet of data utilizing the generated signature.

61 Citations

View as Search Results

40 Claims

1. A method for detecting malicious programs within a computer network comprising:
- monitoring at least one first packet of data communicated over said network;
  
  analyzing said at least one first packet of data to detect the presence of a malicious program;
  
  generating a signature of said at least one first packet of data when a malicious program is detected;
  
  monitoring at least one second packet of data communicated over said network; and
  
  detecting evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 3. The method of claim 1, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 4. The method of claim 1, wherein said at least one second packet of data that evidences said malicious program is prevented from being delivered to its destination address.
  - 5. The method of claim 1, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 6. The method of claim 1, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 7. The method of claim 1, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 8. The method of claim 1, wherein:
    - monitoring of said at least one first packet of data communicated over said network is performed by one or more agents located at one or more agent addresses respectively;
      
      monitoring of said at least one second packet of data communicated over said network is performed by said one or more agents located at one or more addresses respectfully; and
      
      said generated signatures are sent to said one or more agents located at one or more agent addresses respectively.
  - 9. The method of claim 8, wherein an agent address database is created by recording said agent addresses when analyzing said at least one first packet of data to detect the presence of a malicious program and said agent address database is used to send said generated signatures to said one or more agents located at said one or more agent addresses respectively.
  - 10. The method of claim 1, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

11. A system for detecting malicious programs within a computer network comprising:
- a first-packet-monitoring unit for monitoring at least one first packet of data communicated over said network;
  
  an analyzing unit for analyzing said at least one first packet of data to detect the presence of a malicious program;
  
  a generating unit for generating a signature of said at least one first packet of data when a malicious program is detected;
  
  a second-packet-monitoring unit for monitoring at least one second packet of data communicated over said network; and
  
  a detecting unit for detecting evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 13. The system of claim 11, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 14. The system of claim 11, wherein said at least one second packet of data that evidences said malicious program is prevented from being delivered to a destination address.
  - 15. The system of claim 11, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 16. The system of claim 11, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 17. The system of claim 11, wherein analyzing said at least one first packet of data comprises watching for a proliferation of similar packets among said at least first packet of data.
  - 18. The system of claim 11, wherein:
    - monitoring of said at least one first packet of data is performed by one or more agents located at one or more agent addresses respectively;
      
      monitoring of said at least one second packet of data communicated over said network is performed by said one or more agents located at one or more addresses respectfully; and
      
      said generated signatures are sent to said one or more agents located at one or more agent addresses respectively.
  - 19. The system of claim 18, wherein an agent address database is created by recording said agent addresses when analyzing said at least one first packet of data to detect the presence of a malicious program and said agent address database is used to send said generated signatures to said one or more agents located at said one or more agent addresses respectively.
  - 20. The system of claim 11, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

21. A computer system comprising:
- a processor; and
  
  a computer recording medium including computer executable code executable by the processor for detecting malicious programs within a computer network, the computer executable code comprising;
  
  code for monitoring at least one first packet of data communicated over said network;
  
  code for analyzing said at least one first packet of data to detect the presence of a malicious program;
  
  code for generating a signature of said at least one first packet of data when a malicious program is detected;
  
  code for monitoring at least one second packet of data communicated over said network; and
  
  code for detecting evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer system of claim 21, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 23. The computer system of claim 21, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 24. The computer system of claim 21, wherein said at least one second packet of data that evidence said malicious program is prevented from being delivered to a destination address.
  - 25. The computer system of claim 21, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 26. The computer system of claim 21, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 27. The computer system of claim 21, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 28. The computer system of claim 21, wherein:
    - monitoring of said at least one first packet of data communicated over said network is performed by one or more agents located at one or more agent addresses respectively;
      
      monitoring of said at least one second packet of data communicated over said network is performed by said one or more agents located at one or more addresses respectfully; and
      
      said generated signatures are sent to said one or more agents located at one or more agent addresses respectively.
  - 29. The computer system of claim 28, wherein an agent address database is created by recording said agent addresses when analyzing said at least one first packet of data to detect the presence of a malicious program and said agent address database is used to send said generated signatures to said one or more agents located at said one or more agent addresses respectively.
  - 30. The computer system of claim 21, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

31. A computer recording medium including computer executable code executable by a processor for detecting malicious programs within a computer network, the computer executable code comprising:
- code for monitoring at least one first packet of data communicated over said network;
  
  code for analyzing said at least one first packet of data to detect the presence of a malicious program;
  
  code for generating a signature of said at least one first packet of data when a malicious program is detected;
  
  code for monitoring at least one second packet of data communicated over said network; and
  
  code for detecting evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The computer recording medium of claim 31, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 33. The computer recording medium of claim 31, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 34. The computer recording medium of claim 31, wherein said at least one second packet of data is prevented from being delivered to a destination address.
  - 35. The computer recording medium of claim 31, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 36. The computer recording medium of claim 31, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 37. The computer recording medium of claim 31, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 38. The computer recording medium of claim 31, wherein:
    - monitoring of said at least one first packet of data communicated over said network is performed by one or more agents located at one or more agent addresses respectively;
      
      monitoring of said at least one second packet of data communicated over said network is performed by said one or more agents located at one or more addresses respectfully; and
      
      said generated signatures are sent to said one or more agents located at one or more agent addresses respectively.
  - 39. The computer recording medium of claim 38, wherein an agent address database is created by recording said agent addresses when analyzing said at least one first packet of data to detect the presence of a malicious program and said agent address database is used to send said generated signatures to detect evidence of said malicious program in said at least one second packets of data.
  - 40. The computer recording medium of claim 31, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Gassoway, Paul

Granted Patent

US 7,761,919 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Intrusion detection with automatic signature generation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection with automatic signature generation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links