Methods for identifying self-replicating threats using historical data

US 20070089172A1
Filed: 10/14/2005
Published: 04/19/2007
Est. Priority Date: 10/14/2005
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method of ascertaining an infected node in a network of nodes, comprising:

providing a repository for storing network flow data among at least a plurality of said nodes, said repository being operatively coupled to said network to permit said repository to acquire said network flow data;

storing at said repository first network flow data among said at least a plurality of nodes, said first network flow data including a plurality of source addresses and corresponding destination addresses for a plurality of data flows; and

analyzing said first network flow data at said repository to ascertain communication abnormalities that indicate whether any of said plurality of nodes is infected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method of ascertaining an infected node in a network of nodes. The computer-implemented method includes providing a repository for storing network flow data among at least a plurality of the nodes. The repository is operatively coupled to the network to permit the repository to acquire the network flow data. The computer-implemented method also includes storing at the repository first network flow data among the at least a plurality of nodes. The first network flow data includes a plurality of source addresses and corresponding destination addresses for a plurality of data flows. The computer-implemented method further includes analyzing the first network flow data at the repository to ascertain communication abnormalities that indicate whether any of the plurality of nodes is infected.

Citations

28 Claims

1. A computer-implemented method of ascertaining an infected node in a network of nodes, comprising:
- providing a repository for storing network flow data among at least a plurality of said nodes, said repository being operatively coupled to said network to permit said repository to acquire said network flow data;
  
  storing at said repository first network flow data among said at least a plurality of nodes, said first network flow data including a plurality of source addresses and corresponding destination addresses for a plurality of data flows; and
  
  analyzing said first network flow data at said repository to ascertain communication abnormalities that indicate whether any of said plurality of nodes is infected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-implemented method of claim 1 wherein said storing is performed for different blocks of first network flow data at different periods of time.
  - 3. The computer-implemented method of claim 2 wherein said different blocks of first network flow data are received periodically.
  - 4. The computer-implemented method of claim 1 further comprising ascertaining a first node as an infected node, wherein said analyzing includes performing forward forensic analysis through said first network flow data at said repository from said first node to examine whether nodes that received communication from said first node are also infected.
  - 5. The computer-implemented method of claim 1 further comprising ascertaining a first node as an infected node, wherein said analyzing includes performing backward forensic analysis through said first network flow data at said repository from said first node to examine whether nodes that transmitted information to said first node are also infected.
  - 6. The computer-implemented method of claim 1 wherein said analyzing is performed recursively to follow an affected trail from a given infected node.
  - 7. The computer-implemented method of claim 1 further comprising performing a corrective action upon ascertaining, responsive to said analyzing, that a given node of said plurality of nodes is infected.
  - 8. The computer-implemented method of claim 7 wherein said corrective action includes quarantining said given node.
  - 9. The computer-implemented method of claim 7 wherein said corrective action includes notifying a network operator pertaining to said given node being infected.
  - 10. The computer-implemented method of claim 7 wherein said corrective action includes removing a source of infection in said given node.
  - 11. The computer-implemented method of claim 1 wherein said first network flow data represents a filtered portion of said network flow data.
  - 12. The computer-implemented method of claim 11 wherein said first network flow data represents a subset of said network flow data that has been filtered to remove duplicate entries.
  - 13. The computer-implemented method of claim 1 wherein said network of nodes represents a packet-based network.
  - 14. The computer-implemented method of claim 1 wherein said infected node represents a node that is infected with a self-replicating threat.
  - 15. The computer-implemented method of claim 1 wherein said first network flow data is acquired by said repository.
  - 16. The computer-implemented method of claim 1 wherein said first network flow data is sent to said repository by said at least plurality of nodes.

17. An article of manufacture comprising a program storage medium having computer readable code embodied therein, said computer readable code being configured to ascertain an infected node in a network of nodes, comprising:
- computer readable code for storing at a repository first network flow data among said at least a plurality of nodes, said first network flow data including a plurality of source addresses and corresponding destination addresses for a plurality of data flows; and
  
  computer readable code for analyzing said first network flow data at said repository to ascertain communication abnormalities that indicate whether any of said plurality of nodes is infected.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The article of manufacture of claim 17 further comprising computer readable code for performing forward forensic analysis through said first network flow data at said repository starting from a first node to examine whether nodes that received communication from said first node are also infected.
  - 19. The article of manufacture of claim 17 further comprising computer readable code for performing backward forensic analysis through said first network flow data at said repository starting from a first node to examine whether nodes that transmitted information to said first node are also infected.
  - 20. The article of manufacture of claim of claim 17 wherein said computer readable code for analyzing includes recursion code to follow an affected trail from a given infected node.
  - 21. The article of manufacture of claim of claim 17 further comprising computer readable code for performing a corrective action upon ascertaining, responsive to said analyzing, that a given node of said plurality of nodes is infected.
  - 22. The article of manufacture of claim of claim 17 wherein said network of nodes represents a packet-based network.
  - 23. The article of manufacture of claim of claim 17 wherein said infected node represents a node that is infected with a self-replicating threat.

24. A network of nodes having threat diagnostic capability for ascertaining an infected node in said network of nodes, comprising:
- a repository operatively coupled to said network to permit said repository to acquire said network flow data;
  
  logic circuitry for storing at said repository first network flow data among at least a plurality of nodes of said nodes, said first network flow data including a plurality of source addresses and corresponding destination addresses for a plurality of data flows; and
  
  logic circuitry for analyzing said first network flow data at said repository to ascertain communication abnormalities that indicate whether any of said plurality of nodes is infected.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The network claim 24 further comprising logic circuitry for performing forward forensic analysis through said first network flow data at said repository starting from a first node to examine whether nodes that received communication from said first node are also infected.
  - 26. The network claim 24 further comprising logic circuitry for performing for performing backward forensic analysis through said first network flow data at said repository starting from a first node to examine whether nodes that transmitted information to said first node are also infected.
  - 27. The network claim 24 wherein said network of nodes represents a packet-based network.
  - 28. The network claim 24 wherein said infected node represents a node that is infected with a self-replicating threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Bare, Ballard, Ford, Daniel

Application Number

US11/250,664
Publication Number

US 20070089172A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

Methods for identifying self-replicating threats using historical data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for identifying self-replicating threats using historical data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links