Protecting against malicious traffic
1 Assignment
0 Petitions
Abstract
A method for screening packet-based communication traffic. At least a first data packet, sent over a network from a source address to a destination address, is received. A determination is made, by analyzing the first data packet, that the first data packet was generated by a worm. In response to the determination, a second data packet sent over the network from the source address is blocked.
189 Citations
114 Claims
- 1. A method for screening packet-based communication traffic, comprising:
  receiving at least a first data packet sent over a network from a source address to a destination address;
  making a determination, by analyzing the first data packet, that the first data packet was generated by a worm; and
  in response to the determination, blocking a second data packet sent over the network from the source address.
  Dependent claims: 2 to 23.
- 24. A method for analyzing packet-based communication traffic, comprising:
  receiving multiple data packets sent over a network from a source address and addressed to a plurality of respective destination addresses;
  determining a rate of sending the data packets to the plurality of destination addresses from the source address; and
  in response to the rate, designating the source address as a source of malicious traffic.
  Dependent claims: 25 to 28.
- 29. A method for analyzing packet-based communication traffic, comprising:
  designating one or more network addresses as trap addresses;
  receiving a data packet sent over the network from a source address to one of the trap addresses; and
  in response to receiving the packet, designating the source address as a source of malicious traffic.
  Dependent claims: 30, 31.
- 32. A method for analyzing packet-based communication traffic, comprising:
  designating one or more network addresses as trap addresses;
  receiving a data packet sent over the network to one of the trap addresses; and
  in response to receiving the packet, initiating diversion of further data packets sent over the network from sources outside a protected area of the network, so as to prevent malicious traffic from reaching the protected area of the network.
  Dependent claims: 33 to 35.
- 36. A method for analyzing packet-based communication traffic, comprising:
  receiving a data packet sent over a network from a source address to a destination address;
  comparing an attribute of the data packet with a set of attributes of known worm-generated packets; and
  designating the source address as a source of worm-generated traffic when the attribute of the packet is found to match one of the attributes in the set.
  Dependent claims: 37, 38.
- 39. Apparatus for screening packet-based communication traffic, comprising a guard device, which is adapted to receive at least a first data packet sent over a network from a source address to a destination address, to make a determination, by analyzing the first data packet, that the first data packet was generated by a worm, and, in response to the determination, to block a second data packet sent over the network from the source address.
- 62. Apparatus for analyzing packet-based communication traffic, comprising a guard device, which is adapted to receive multiple data packets sent over a network from a source address and addressed to a plurality of respective destination addresses, to determine a rate of sending the data packets to the plurality of destination addresses from the source address, and, in response to the rate, to designate the source address as a source of malicious traffic.
- 67. Apparatus for analyzing packet-based communication traffic, comprising a guard device, which is adapted to designate one or more network addresses as trap addresses, to receive a data packet sent over the network from a source address to one of the trap addresses, and, in response to receiving the packet, to designate the source address as a source of malicious traffic.
- 70. Apparatus for analyzing packet-based communication traffic, comprising a guard device, which is adapted to designate one or more network addresses as trap addresses, to receive a data packet sent over the network to one of the trap addresses, and, in response to receiving the packet, to initiate diversion of further data packets sent over the network from sources outside a protected area of the network, so as to prevent malicious traffic from reaching the protected area of the network.
- 74. Apparatus for analyzing packet-based communication traffic, comprising a guard device, which is adapted to receive a data packet sent over a network from a source address to a destination address, to compare an attribute of the data packet with a set of attributes of known worm-generated packets, and to designate the source address as a source of worm-generated traffic when the attribute of the packet is found to match one of the attributes in the set.
- 77. A computer software product for screening packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive at least a first data packet sent over a network from a source address to a destination address, to make a determination, by analyzing the first data packet, that the first data packet was generated by a worm, and, in response to the determination, to block a second data packet sent over the network from the source address.
- 100. A computer software product for analyzing packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive multiple data packets sent over a network from a source address and addressed to a plurality of respective destination addresses, to determine a rate of sending the data packets to the plurality of destination addresses from the source address, and, in response to the rate, to designate the source address as a source of malicious traffic.
- 105. A computer software product for analyzing packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to designate one or more network addresses as trap addresses, to receive a data packet sent over the network from a source address to one of the trap addresses, and, in response to receiving the packet, to designate the source address as a source of malicious traffic.
- 108. A computer software product for analyzing packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to designate one or more network addresses as trap addresses, to receive a data packet sent over the network to one of the trap addresses, and, in response to receiving the packet, to initiate diversion of further data packets sent over the network from sources outside a protected area of the network, so as to prevent malicious traffic from reaching the protected area of the network.
- 112. A computer software product for analyzing packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive a data packet sent over a network from a source address to a destination address, to compare an attribute of the data packet with a set of attributes of known worm-generated packets, and to designate the source address as a source of worm-generated traffic when the attribute of the packet is found to match one of the attributes in the set.
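The independent method claims describe three ways a guard can designate a source as malicious (fan-out rate to many destinations, contact with a trap address, match against known worm attributes) and then block later packets from that source. The following toy guard, added here as an illustration and not the patent's own implementation, models those rules; the packet fields, thresholds, addresses and the `SIG!` attribute marker are constructed assumptions, and the diversion of claim 32 is not modelled.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds (constructed clock)
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Guard:
    trap_addresses: frozenset      # claim 29: addresses no legitimate host should contact
    worm_attributes: frozenset     # claim 36: (dst_port, payload prefix) pairs, constructed
    fanout_limit: int = 5          # claim 24: distinct destinations per source ...
    window: float = 10.0           # ... within this many seconds
    blocked: set = field(default_factory=set)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))

    def _fanout(self, pkt):
        """Distinct destinations pkt.src has addressed inside the sliding window."""
        q = self._recent[pkt.src]
        q.append((pkt.ts, pkt.dst))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()
        return len({dst for _, dst in q})

    def inspect(self, pkt):
        """Return ('forward' | 'block', reason) and remember designated sources."""
        if pkt.src in self.blocked:      # claim 1: the second packet is blocked too
            return "block", "source previously designated"
        fanout = self._fanout(pkt)
        reason = ""
        if pkt.dst in self.trap_addresses:
            reason = "trap address"
        elif (pkt.dst_port, pkt.payload[:4]) in self.worm_attributes:
            reason = "known worm attribute"
        elif fanout > self.fanout_limit:
            reason = "fan-out rate"
        if reason:
            self.blocked.add(pkt.src)
            return "block", reason
        return "forward", ""


def run_demo():
    """Constructed traffic: a sweep across 10.0.0.1-7, a trap hit, a benign host, a signature match."""
    guard = Guard(trap_addresses=frozenset({"10.0.0.250"}),
                  worm_attributes=frozenset({(445, b"SIG!")}))
    pkts = [Packet(float(i), "192.0.2.7", f"10.0.0.{i + 1}", 445) for i in range(7)]
    pkts += [Packet(9.0, "198.51.100.9", "10.0.0.250", 80),          # trap address
             Packet(9.5, "198.51.100.9", "10.0.0.3", 80),            # follow-up from same source
             Packet(10.0, "203.0.113.4", "10.0.0.3", 80, b"GET /"),  # benign
             Packet(11.0, "203.0.113.77", "10.0.0.5", 445, b"SIG!x")]  # attribute match
    return [(p.src, p.dst, *guard.inspect(p)) for p in pkts]
```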