Mechanism to correlate the presence of worms in a network

US 20070094730A1
Filed: 10/20/2005
Published: 04/26/2007
Est. Priority Date: 10/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the method comprising:

determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;

determining a number of the transmitted packets;

if the number of the transmitted packets exceeds a predefined first threshold, then storing a signature, the signature corresponding to at least one of the transmitted packets;

if at least one of the plurality of destinations becomes a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;

then comparing the new packets with the stored signature; and

if at least one of the new packets matches the stored signature, then triggering the detection of a worm in the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for preventing a network attack, the attack being cause by the presence of worms in the network, is provided. The method includes determining the number of packets being transmitted from each source in the network to a plurality of destinations, the packets being transmitted from a source with a set of characteristics. If the number of packets with the set of characteristics, being transmitted from a source, exceeds a predefined first threshold, then the signature of the packets is stored. Subsequently, if at least one of the pluralities of destinations of the packets identified with the source becomes a source of new packets, the new packets being transmitted to more than one destination; then the new packets are compared with the signature. If at least one new packet matches with the signature, then the worm is to be detected.

Citations

19 Claims

1. A method for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the method comprising:
- determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
  
  determining a number of the transmitted packets;
  
  if the number of the transmitted packets exceeds a predefined first threshold, then storing a signature, the signature corresponding to at least one of the transmitted packets;
  
  if at least one of the plurality of destinations becomes a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
  
  then comparing the new packets with the stored signature; and
  
  if at least one of the new packets matches the stored signature, then triggering the detection of a worm in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the set of characteristics includes a protocol.
  - 3. The method of claim 1, wherein triggering the detection of the worm further comprises:
    - dropping worm traffic, the worm traffic corresponding to the detected worm.
  - 4. The method of claim 1, wherein storing the signature corresponding to the at least one of the transmitted packets comprises:
    - caching each of the transmitted packets in a Worm Attack Identification (WAI) cache.
  - 5. The method of claim 4, wherein caching each of the transmitted packets in the WAI cache further comprises:
    - assigning a timer to the WAI cache, the timer deciding a time frame for the storage of the transmitted packets in the WAI cache.
  - 6. The method of claim 4, wherein the caching each of the transmitted packets in the WAI cache further comprises:
    - caching the packets in a Worm Attack Detection (WAD) cache, the caching being performed if the number of the transmitted packets is more than the first threshold; and
      
      if the number of the transmitted packets exceeds a predefined second threshold, the second threshold being less than the first threshold, then caching a signature of the transmitted packets in a Worm Attack Packet Signature (WAPS) cache.
  - 7. The method of claim 5, wherein caching the signature in the WAPS cache comprises:
    - storing at least a first packet, the first packet being one of the transmitted packets that is exchanged between at least one of the plurality of sources and an external host.

8. A method for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the method comprising determining transmitted packets from at least one of the plurality of sources to at least the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
- determining a number of the transmitted packets;
  
  determining that the number of the transmitted packets exceeds a predefined first threshold;
  
  storing a signature, the signature corresponding to at least one of the transmitted packets;
  
  determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets;
  
  comparing the new packets with the signature; and
  
  determining that at least one new packet matches with the stored signature for triggering a detection of a worm in the network.

9. A system for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the system comprising a Worm Attack Identification (WAI) cache, the WAI cache caching packets transmitted from at least one of the plurality of sources to at least one of the plurality of destinations, the transmitted packets comprising a set of characteristics;
- a Worm Attack Detection (WAD) cache, the WAD caching the transmitted packets if the number of the transmitted packets is more than a predefined first threshold;
  
  a Worm Attack Packet Signature (WAPS) cache, the WAPS caching a signature corresponding to at least one of the transmitted packets, the caching being performed if the number of the transmitted packets stored in the WAI cache exceeds a predefined second threshold, the second threshold being less than the first threshold; and
  
  a trigger module, the trigger module triggering the detection of a worm in the network, if at least one new packet matches with the stored signature.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the WAI cache may be a Content Addressable Memory for Popular Packet Persistence (CAM-PPP).
  - 11. The system of claim 9, wherein the WAI cache may be located in a group of devices, the group of devices comprising:
    - an access layer device and a distribution layer device.
  - 12. The system of claim 9, wherein the WAD cache may be located in a central correlation module.
  - 13. The system claim 9, wherein the WAPS cache may be located in a central correlation module.
  - 14. The system of claim 9, wherein the WAI cache further comprises a timer module, the timer module deciding a time frame of storage of the transmitted packets in the WAI cache.
  - 15. The system of claim 9, wherein the WAI cache comprises:
    - a first comparison module, the first comparison module compares the number of the transmitted packets with a predefined first threshold and a predefined second threshold, the transmitted packets originating from a similar IP source address.
  - 16. The system of claim 9, wherein the system further comprises:
    - a second comparison module, the second comparison module compares the transmitted packets with the signatures that are stored in WAPS cache, the transmitted packets being stored in the WAD cache.
  - 17. The system of claim 9 further comprising:
    - a drop module, the drop module dropping worm traffic, the worm traffic corresponding to the detected worm.

18. A system for preventing a network attack, the attack being due to the presence of worms in the network, the system comprising:
- means for determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
  
  means for determining a number of the transmitted packets;
  
  means for storing a signature corresponding to at least one of the transmitted packets if the number of the transmitted packets exceeds a predefined first threshold;
  
  means for determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
  
  means for comparing the new packets with the stored signature; and
  
  means for triggering the detection of a worm in the network if at least one of the new packets matches with the stored signature.

19. An apparatus for preventing a network attack, the attack being due to the presence of worms in the network, the apparatus comprising a processing system comprising a processor coupled to a display and user input device;
- a machine-readable medium comprising instructions executable by the processor comprising one or more instructions for determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
  
  one or more instructions for determining a number of the transmitted packets;
  
  one or more instructions for storing a signature corresponding to at least one of the transmitted packets if the number of the transmitted packets exceeds a predefined first threshold;
  
  one or more instructions for determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
  
  one or more instructions for comparing the new packets with the stored signature; and
  
  one or more instructions for triggering the detection of a worm in the network if at least one of the new packets matches with the stored signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Venkat, Balaji, Bhikkaji, Bhargav

Granted Patent

US 7,971,256 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Mechanism to correlate the presence of worms in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to correlate the presence of worms in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links