Mechanism to correlate the presence of worms in a network
Abstract
A method and a system for preventing a network attack, the attack being caused by the presence of worms in the network, are provided. The method includes determining the number of packets being transmitted from each source in the network to a plurality of destinations, the packets being transmitted from a source with a set of characteristics. If the number of packets with the set of characteristics being transmitted from a source exceeds a predefined first threshold, then the signature of the packets is stored. Subsequently, if at least one of the plurality of destinations of the packets identified with the source becomes a source of new packets, the new packets being transmitted to more than one destination, then the new packets are compared with the signature. If at least one new packet matches the signature, then the worm is detected.
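The correlation step described in the abstract, sketched as an added Python example (not code from the patent). It assumes the "set of characteristics" is protocol plus destination port and that the signature is those fields plus a SHA-256 of the payload; the class, field names, addresses and sample packets are constructed for illustration.

```python
import hashlib
from collections import defaultdict, namedtuple

# Constructed packet record; "characteristics" are assumed to be (proto, dport).
Packet = namedtuple("Packet", "src dst proto dport payload")

class WormCorrelator:
    def __init__(self, first_threshold):
        self.first_threshold = first_threshold
        self.counts = defaultdict(int)     # (src, proto, dport) -> packets seen
        self.contacted = defaultdict(set)  # src -> destinations it has sent to
        self.signatures = {}               # stored signature -> source that tripped the threshold
        self.alerts = []                   # (original source, suspect host, its new target)

    @staticmethod
    def signature(pkt):
        # Assumption: signature = characteristics plus SHA-256 of the payload.
        return (pkt.proto, pkt.dport, hashlib.sha256(pkt.payload).hexdigest())

    def observe(self, pkt):
        sig = self.signature(pkt)
        origin = self.signatures.get(sig)
        # A destination of the flagged source is now itself sending a matching packet.
        hit = origin is not None and pkt.src != origin and pkt.src in self.contacted[origin]
        if hit:
            self.alerts.append((origin, pkt.src, pkt.dst))
        key = (pkt.src, pkt.proto, pkt.dport)
        self.counts[key] += 1
        self.contacted[pkt.src].add(pkt.dst)
        # Store the signature once the per-source count exceeds the first threshold.
        if self.counts[key] > self.first_threshold:
            self.signatures.setdefault(sig, pkt.src)
        return hit

def run_demo():
    probe = b"constructed-probe-bytes"  # constructed payload, not a real sample
    c = WormCorrelator(first_threshold=3)
    for i in range(1, 6):  # 10.0.0.5 fans out to five hosts on tcp/445
        c.observe(Packet("10.0.0.5", f"10.0.1.{i}", "tcp", 445, probe))
    c.observe(Packet("10.0.1.3", "10.0.2.1", "tcp", 445, b"ordinary file request"))  # different payload
    c.observe(Packet("10.0.9.9", "10.0.2.1", "tcp", 445, probe))  # was never a destination
    c.observe(Packet("10.0.1.2", "10.0.2.9", "tcp", 445, probe))  # former destination, same signature
    return c.alerts

if __name__ == "__main__":
    print(run_demo())
```

Only the last packet raises an alert: a former destination with a different payload, and a matching payload from a host that was never a destination of the flagged source, are both ignored.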
19 Claims
1. A method for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the method comprising:
determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
determining a number of the transmitted packets;
if the number of the transmitted packets exceeds a predefined first threshold, then storing a signature, the signature corresponding to at least one of the transmitted packets;
if at least one of the plurality of destinations becomes a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
then comparing the new packets with the stored signature; and
if at least one of the new packets matches the stored signature, then triggering the detection of a worm in the network.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A method for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the method comprising:
determining transmitted packets from at least one of the plurality of sources to at least the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
determining a number of the transmitted packets;
determining that the number of the transmitted packets exceeds a predefined first threshold;
storing a signature, the signature corresponding to at least one of the transmitted packets;
determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets;
comparing the new packets with the signature; and
determining that at least one new packet matches with the stored signature for triggering a detection of a worm in the network.
9. A system for preventing a worm attack in a network, the network comprising a plurality of sources and a plurality of destinations, the system comprising:
a Worm Attack Identification (WAI) cache, the WAI cache caching packets transmitted from at least one of the plurality of sources to at least one of the plurality of destinations, the transmitted packets comprising a set of characteristics;
a Worm Attack Detection (WAD) cache, the WAD caching the transmitted packets if the number of the transmitted packets is more than a predefined first threshold;
a Worm Attack Packet Signature (WAPS) cache, the WAPS caching a signature corresponding to at least one of the transmitted packets, the caching being performed if the number of the transmitted packets stored in the WAI cache exceeds a predefined second threshold, the second threshold being less than the first threshold; and
a trigger module, the trigger module triggering the detection of a worm in the network, if at least one new packet matches with the stored signature.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17)
18. A system for preventing a network attack, the attack being due to the presence of worms in the network, the system comprising:
means for determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
means for determining a number of the transmitted packets;
means for storing a signature corresponding to at least one of the transmitted packets if the number of the transmitted packets exceeds a predefined first threshold;
means for determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
means for comparing the new packets with the stored signature; and
means for triggering the detection of a worm in the network if at least one of the new packets matches with the stored signature.
19. An apparatus for preventing a network attack, the attack being due to the presence of worms in the network, the apparatus comprising:
a processing system comprising a processor coupled to a display and user input device;
a machine-readable medium comprising instructions executable by the processor comprising
one or more instructions for determining transmitted packets from at least one of the plurality of sources to at least one of the plurality of destinations, each of the transmitted packets comprising a set of characteristics;
one or more instructions for determining a number of the transmitted packets;
one or more instructions for storing a signature corresponding to at least one of the transmitted packets if the number of the transmitted packets exceeds a predefined first threshold;
one or more instructions for determining that at least one of the plurality of destinations of the transmitted packets, transforms to become a source of new packets, the new packets being transmitted to at least one of the plurality of destinations;
one or more instructions for comparing the new packets with the stored signature; and
one or more instructions for triggering the detection of a worm in the network if at least one of the new packets matches with the stored signature.
Specification