Apparatus, method and program to detect and control deleterious code (virus) in computer network
First Claim
1. A method to detect harmful packets on a computer network including:
- a) providing at least one algorithm that scans received packets; and
b) identifying packets having a predefined format including a single Source Address, (SA), N Destination Addresses (DAs) and M Destination Ports (DPs).
5 Assignments
0 Petitions
Accused Products
Abstract
A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.
72 Citations
16 Claims
-
1. A method to detect harmful packets on a computer network including:
-
a) providing at least one algorithm that scans received packets; and
b) identifying packets having a predefined format including a single Source Address, (SA), N Destination Addresses (DAs) and M Destination Ports (DPs). - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16)
-
-
10. A system to detect packets containing harmful code in a computer network comprising:
-
a Network Processor including memory and at least one processing element;
a data structure including at least one Patricia Tree arrangement storing at least one rule with bit pattern similar to that of a packet carrying harmful code located within said memory;
a computer program deployed on said at least one processing element and if executed causing said processing element to generate keys from predefined fields in predefined packets correlates the key with the rule to identify packets having a single SA (Source Address), a single DP (Destination Port) and many DAs (Destination Addresses). - View Dependent Claims (11, 12, 13, 14, 15)
-
Specification