Defending against worm or virus attacks on networks

US 20060095970A1
Filed: 11/03/2004
Published: 05/04/2006
Est. Priority Date: 11/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

periodically conducting risk assessment scans of host resident security agents; and

checking for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination of more frequent and less frequent security monitoring may be used to defeat worm or virus attacks. At periodic intervals, a risk assessment scan may be implemented to determine whether or not a worm attack has occurred. Prior thereto, an intermediate detection by an anomaly detection agent may determine whether or not a worm attack may have occurred. If a potential worm attack may have occurred, intermediate action, such as throttling of traffic, may occur. Then, at the next risk assessment scan, a determination may be made as to whether the attack is actually occurring and, if so, more effective and performance altering techniques may be utilized to counter the attack.

Citations

39 Claims

1. A method comprising:
- periodically conducting risk assessment scans of host resident security agents; and
  
  checking for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein checking includes applying heuristics to determine whether a worm attack may have occurred.
  - 3. The method of claim 2 including taking corrective action to prevent the spread of a worm prior to conducting a risk assessment scan.
  - 4. The method of claim 3 including isolating a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered.
  - 5. The method of claim 1 including, in response to an indication of worm behavior between risk assessment scans, throttling outbound packets.
  - 6. The method of claim 5 including terminating the throttling if a risk assessment scan indicates that a worm attack has not occurred.
  - 7. The method of claim 1 wherein checking for behavior indicative of a worm includes analyzing characteristics of packet headers.
  - 8. The method of claim 7 including storing information related to recent packet flows.
  - 9. The method of claim 1 including checking for behavior indicative of a worm between risk assessment scans more frequently than risk assessment scans are conducted.
  - 10. The method of claim 1 including checking for a virus or worm signature between risk assessment scans.

11. An article comprising a medium storing instructions that, if executed, enable a processor-based system to:
- periodically conduct risk assessment scans for host resident security agents; and
  
  check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11 further storing instructions that, if executed, enable the processor-based system to apply heuristics to determine whether a worm attack may have occurred.
  - 13. The article of claim 12 further storing instructions that, if executed, enable the processor-based system to take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan.
  - 14. The article of claim 13 further storing instructions that, if executed, enable the processor-based system to isolate a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered.
  - 15. The article of claim 11 further storing instructions that, if executed, enable the processor-based system to throttle outbound packets in response to an indication of worm behavior between risk assessment scans.
  - 16. The article of claim 15 further storing instructions that, if executed, enable the processor-based system to terminate the throttling is a risk assessment scan indicates that a worm attack has not occurred.
  - 17. The article of claim 11 further storing instructions that, if executed, enable the processor-based system to analyze characteristics of packet headers.
  - 18. The article of claim 17 further storing instructions that, if executed, enable the processor-based system to store information related to recent packet flows.
  - 19. The article of claim 11 further storing instructions that, if executed, enable the processor-based system to check for behavior indicative of a worm between risk assessment scans more frequently than risk assessment scans are conducted.
  - 20. The article of claim 11 further storing instructions that, if executed, enable the processor-based system to check for a virus or worm signature between risk assessment scans.

21. An apparatus comprising:
- a first agent to periodically conduct risk assessment scans for host resident security agents; and
  
  a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. The apparatus of claim 21 wherein said first and second agents are part of microcontroller.
  - 23. The apparatus of claim 22 wherein said agents are part of an embedded microcontroller.
  - 24. The apparatus of claim 21 including a device to interface said apparatus to a packet processing device.
  - 25. The apparatus of claim 24 including an interface to a host including host resident security agents.
  - 26. The apparatus of claim 25 including an interface to a network controller.
  - 27. The apparatus of claim 25 wherein said second agent to apply heuristics to determine whether a worm attack may have occurred.
  - 28. The apparatus of claim 27 wherein said second agent to take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan.
  - 29. The apparatus of claim 28 wherein said first agent to isolate a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered.
  - 30. The apparatus of claim 21 including a device to throttle outbound packets in response to an indication of worm behavior between risk assessment scans.
  - 31. The apparatus of claim 21 wherein said second agent to analyze characteristics of packet headers.
  - 32. The apparatus of claim 21 wherein said first agent to conduct risk assessment scans less frequently than said second agent checks for behavior indicative of a worm between risk assessment scans.

33. A system comprising:
- a processor;
  
  a storage storing security agents;
  
  an apparatus coupled to said processor including a first agent to periodically conduct risk assessment scans of said security agents;
  
  a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flows; and
  
  a network controller coupled to said apparatus.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The system of claim 33 wherein said second agent to apply heuristics to determine whether a worm attack may have occurred.
  - 35. The system of claim 34 wherein said second agent to take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan.
  - 36. The system of claim 35 wherein said first agent to isolate the system from a network in response to a risk assessment scan indicating that the security agents have been altered.
  - 37. The system of claim 33 including a device to throttle outbound packets in response to an indication of worm behavior between risk assessment scans.
  - 38. The system of claim 33 wherein said second agent to analyze characteristics of packet headers.
  - 39. The system of claim 33 wherein said first agent to conduct risk assessment scans less frequently than said second agent checks for behavior indicative of a worm between risk assessment scans.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rajagopal, Priya, Sahita, Ravi, Durham, David

Granted Patent

US 7,797,749 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Defending against worm or virus attacks on networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Defending against worm or virus attacks on networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links