System, method and program for identifying and preventing malicious intrusions

US 20060294588A1
Filed: 06/24/2005
Published: 12/28/2006
Est. Priority Date: 06/24/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for identifying a malicious intrusion, said method comprising the steps of:

determining a first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, from a source IP address during a predetermined period; and

determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer system, method and program product for identifying a malicious intrusion. A first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, are identified from a source IP address during a predetermined period. A determination is made that in one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures. Based on the determination that in the one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures, a determination is made that the messages are characteristic of a malicious intrusion.

117 Citations

9 Claims

1. A method for identifying a malicious intrusion, said method comprising the steps of:
- determining a first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, from a source IP address during a predetermined period; and
  
  determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures.
- View Dependent Claims (2, 3)
- - 2. A method as set forth in claim 1 further comprising the steps of:
    - based on the step of determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, determining that said messages are characteristic of a malicious intrusion.
  - 3. A method as set forth in claim 2 further comprising the steps of:
    - determining that in another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures; and
      
      based on the steps of determining that in said one or more other such predetermined periods and said another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, determining that said messages are characteristic of a malicious intrusion.

4. A system for identifying a malicious intrusion, said system comprising:
- means for determining a first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, from a source IP address during a predetermined period; and
  
  means for determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures.
- View Dependent Claims (5, 6)
- - 5. A system as set forth in claim 4 further comprising:
    - means, responsive to the means for determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, for determining that said messages are characteristic of a malicious intrusion.
  - 6. A method as set forth in claim 5 further comprising:
    - means for determining that in another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures; and
      
      means, responsive to the means for determining that in said one or more other such predetermined periods and said another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, for determining that said messages are characteristic of a malicious intrusion.

7. A computer program product for identifying a malicious intrusion, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to determine a first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, from a source IP address during a predetermined period; and
  
  second program instructions to determine that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures; and
  
  wherein said first and second program instructions are stored on said medium.
- View Dependent Claims (8, 9)
- - 8. A computer program product as set forth in claim 7 further comprising:
    - third program instructions, responsive to the second program instructions determining that in one or more other such predetermined periods said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, to determine that said messages are characteristic of a malicious intrusion; and
      
      wherein said third program instructions are stored on said medium.
  - 9. A computer program product as set forth in claim 8 further comprising:
    - fourth program instructions to determine that in another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures; and
      
      fifth program instructions, responsive to the third and fourth program instructions determining that in said one or more other such predetermined periods and said another such predetermined period said source IP address sent messages having said first number of different destination IP addresses, said second number of different destination ports and said third number of different signatures, to determine that said messages are characteristic of a malicious intrusion; and
      
      wherein said fourth and fifth program instructions are stored on said medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Walter, Michael A., Thiele, Frederic Gaige, Lahann, Jeffrey Scott

Application Number

US11/166,550
Publication Number

US 20060294588A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 63/1416 Event detection, e.g. attac...

System, method and program for identifying and preventing malicious intrusions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and program for identifying and preventing malicious intrusions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links