Methods and systems for deceptively trapping electronic worms

US 20060137012A1
Filed: 12/16/2004
Published: 06/22/2006
Est. Priority Date: 12/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method of trapping an electronic worm, the method comprising:

detecting the electronic worm in an infected computer;

trapping the electronic worm; and

then communicating with the trapped electronic worm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of trapping electronic worms are provided. Pursuant to these methods, an electronic worm may be “trapped” such that its ability to spread is reduced or eliminated, while at the same time the worm is deceived such that it does not realize it has been trapped. In this manner, the probability that the worm enacts countermeasures that are harmful to the data and/or equipment of the infected computing devices may be reduced. Corresponding systems of trapping electronic worms are also provided.

66 Citations

View as Search Results

20 Claims

1. A method of trapping an electronic worm, the method comprising:
- detecting the electronic worm in an infected computer;
  
  trapping the electronic worm; and
  
  then communicating with the trapped electronic worm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein communicating with the trapped electronic worm comprises sending one or more responses to respective communications sent by the trapped electronic worm.
  - 3. The method of claim 1, further comprising:
    - collecting information on the actions of the electronic worm; and
      
      correlating the collected information with a data repository of information on the actions of known electronic worms.
  - 4. The method of claim 3, further comprising:
    - identifying the electronic worm as one of a known type of electronic worm based on the correlation of the collected information with the information in the data repository.
  - 5. The method of claim 3, further comprising updating the data repository to include at least some of the collected information on the actions of the electronic worm.
  - 6. The method of claim 1, wherein trapping the electronic worm comprises blocking at least some of a plurality of messages that are sent to the electronic worm in response to respective communications sent by the electronic worm.
  - 7. The method of claim 1, wherein trapping the electronic worm comprises intercepting at least some of a plurality of communications sent by the electronic worm.
  - 8. The method of claim 7, wherein communicating with the trapped electronic worm comprises:
    - forming at least one response to one of the plurality of intercepted communications sent by the electronic worm; and
      
      sending the response to the electronic worm.
  - 9. The method of claim 8, wherein information regarding a probing pattern of the electronic worm is used to select a format for the at least one response.
  - 10. The method of claim 7 further comprising forwarding at least some of the plurality of intercepted communications including an original source address and an original destination address of each forwarded communication to a first location that is remote from one or more second locations where each forwarded communication was intercepted.
  - 11. The method of claim 1, further comprising:
    - receiving a plurality of communications from the electronic worm;
      
      analyzing the received communications; and
      
      identifying the electronic worm based on the analysis of the received communications.

12. A method of blocking a communications from an electronic worm, the method comprising:
- detecting a probe sent by the electronic worm;
  
  blocking the probe from reaching an intended destination;
  
  generating or formulating a response to the probe; and
  
  forwarding the response to the probe to the electronic worm.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein the response is configured to mimic a communication that the electronic worm expects to receive in response to the probe.
  - 14. The method of claim 12, further comprising:
    - intercepting a plurality of additional probes from the electronic worm;
      
      correlating the intercepted probes with a database of information regarding probing characteristics of a plurality of known worms; and
      
      identifying the type of worm based on the correlation.
  - 15. The method of claim 12, further comprising intercepting a plurality of additional probes from the electronic worm;
    - correlating the intercepted probes with a database of information regarding probing characteristics of a plurality of known worms; and
      
      entering a new entry in the database of information that includes probing characteristics ascertained from the intercepted plurality of additional probes if the correlation does not identify the worm as one of the types of worms contained in the database of information.

16. A system for trapping an electronic worm, comprising:
- a probe detector that is configured to detect a probe from the electronic worm;
  
  a database containing information on probe characteristics of a plurality of known types of worms;
  
  a probe analyzer that is coupled to the probe detector and to the database;
  
  a worm communications interceptor that is responsive to the probe analyzer and that is configured to intercept the probe to prevent it from reaching an intended destination; and
  
  a deceptive-responder that is responsive to the worm communications interceptor.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the probe analyzer comprises:
    - software and/or hardware that examines a probe to identify one or more characteristics of the probe; and
      
      software and/or hardware that is configured to identify a worm type based on the identified characteristics of the probe.
  - 18. The system of claim 16, further comprising a central correlator that is configured to receive information from the worm communications interceptor regarding a probe sent by the electronic worm and to correlate the received information with information on probe characteristics of a plurality of known types of worms contained in a central database.
  - 19. The system of claim 16, wherein the deceptive-responder comprises software and/or hardware that is configured to form a response to a probe from the electronic worm wherein the response is configured to mimic a communication that the electronic worm expects to receive in response to the probe.
  - 20. The system of claim 16, further comprising a computer-readable storage medium, wherein the probe detector, the probe analyzer, the database, the worm communications interceptor and the deceptive responder each comprise computer-readable program code that is embodied in the computer-readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Inventors
Aaron, Jeffrey A.

Granted Patent

US 7,810,158 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Methods and systems for deceptively trapping electronic worms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for deceptively trapping electronic worms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links