Apparatus, method and program to detect and control deleterious code (virus) in computer network

US 20060021040A1
Filed: 07/22/2004
Published: 01/26/2006
Est. Priority Date: 07/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method to detect harmful packets on a computer network including:

a) providing at least one algorithm that scans received packets; and

b) identifying packets having a predefined format including a single Source Address, (SA), N Destination Addresses (DAs) and M Destination Ports (DPs).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.

72 Citations

View as Search Results

16 Claims

1. A method to detect harmful packets on a computer network including:
- a) providing at least one algorithm that scans received packets; and
  
  b) identifying packets having a predefined format including a single Source Address, (SA), N Destination Addresses (DAs) and M Destination Ports (DPs).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16)
- - 2. The method of claim 1 wherein N>
    - (greater than) M.
  - 3. The method of claim 2 wherein N>
    - 8 and M=1.
  - 4. The method of claim 1 further including reporting said packets to a central administrative authority.
  - 5. The method of claim 4 wherein the central administrative authority takes decisive actions to limit harmful effects of said packets.
  - 6. The method of claim 5 wherein the decisive actions include adding Destination Port, DP, of said packets to a list of Permissive DPs.
  - 7. The method of claim 5 wherein the decisive action includes dropping all subsequent packets having the same SA, DA and DP as the identified packets.
  - 8. The method of claim 5 wherein the decisive action includes rate limiting the set of all subsequent packets with the same SA.
  - 9. The method of claim 1 further including providing a list of Permissible DPs;
    - comparing a DP in an identified packet with the list of Permissible DPs; and
      
      discarding the identified packet having a matching DP.
  - 16. The method of claim 1 wherein the at least one algorithm is executed on a system operatively coupled to said computer network.

10. A system to detect packets containing harmful code in a computer network comprising:
- a Network Processor including memory and at least one processing element;
  
  a data structure including at least one Patricia Tree arrangement storing at least one rule with bit pattern similar to that of a packet carrying harmful code located within said memory;
  
  a computer program deployed on said at least one processing element and if executed causing said processing element to generate keys from predefined fields in predefined packets correlates the key with the rule to identify packets having a single SA (Source Address), a single DP (Destination Port) and many DAs (Destination Addresses).
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 wherein the SA, DP and many DAs are stored in a leaf of the Patricia Tree arrangement.
  - 12. The system of claim 10 wherein the Patricia Tree arrangement includes a Direct Table.
  - 13. The system of claim 12 wherein the processing element uses a hashed of SA and DP of a predefined packet to index into a slot of said Direct Table.
  - 14. The system of claim 13 wherein if the slot has no entry the processor executes a second program to insert a pointer in said slot.
  - 15. The system of claim 13 wherein if the slot contains information pointing to a single leaf comparing leaf SA, DP with SA, DP in predefined packet and if a match occurs on SA, DP, then the DA in the leaf is compared with the DA in the packet and the packet DA is added to the list of DAs in the leaf if no match occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
X Corp. (f/k/a Twitter, Inc.) (X Holdings Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Jeffries, Clark Debs, Boulanger, Alan David, Himberger, Kevin David, Danford, Robert William

Granted Patent

US 7,669,240 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Apparatus, method and program to detect and control deleterious code (virus) in computer network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method and program to detect and control deleterious code (virus) in computer network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links