Anti-worm-measure parameter determining apparatus, number-of-nodes determining apparatus, number-of-nodes limiting system, and computer product

US 20070220606A1
Filed: 07/13/2006
Published: 09/20/2007
Est. Priority Date: 03/15/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-readable recording medium that stores therein a computer program for determining parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm, wherein the computer program causes a computer to execute:

calculating infectivity of the worm based on number of nodes connected to the network; and

estimating an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets, based on the infectivity calculated at the calculating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-worm-measure parameter determining apparatus determines parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm. An infectivity calculating unit calculates infectivity of the worm based on number of nodes connected to the network. A number-of-infected-nodes estimating unit calculates an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit.

21 Citations

View as Search Results

21 Claims

1. A computer-readable recording medium that stores therein a computer program for determining parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm, wherein the computer program causes a computer to execute:
- calculating infectivity of the worm based on number of nodes connected to the network; and
  
  estimating an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets, based on the infectivity calculated at the calculating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable recording medium according to claim 1, wherein the calculating includes calculating the infectivity of the worm based on a provability that the worm selects, as an infection destination, one node out of a group of nodes having a network address of a predetermined pattern with a network address of a node infected by the worm as a reference and number of groups of nodes having the network address of the predetermined pattern.
  - 3. The computer-readable recording medium according to claim 1, wherein the computer program further causes the computer to execute:
    - deriving, as an upper limit of number of packets allowed to be leaked from one infection source, number of packets at a time when the expected value of the number of infected nodes estimated at the estimating becomes an finite maximum value when it is assumed that some number of packets have been transmitted by the worm.
  - 4. The computer-readable recording medium according to claim 3, wherein the computer program further causes the computer to execute:
    - calculating, based on the number of packets derived at the deriving and number of packets leaked from the anti-worm-measure means starts the blocking of the communication by the worm until the anti-worm-measure means completes the blocking of the communication by the worm, an upper limit of number of packets allowed to be leaked until the anti-worm-measure means starts the blocking of the communication by the worm.
  - 5. The computer-readable recording medium according to claim 3, wherein the computer program further causes the computer to execute:
    - calculating, based on the number of packets derived at the deriving and a spreading speed of the worm, an upper limit of time until the anti-worm-measure unit completes the blocking of the communication by the worm.
  - 6. The computer-readable recording medium according to claim 1, wherein the computer program further causes the computer to execute:
    - deriving, as an upper limit of number of packets allowed to be leaked from one infection source, number of packets transmitted at a time when the expected value of the number of infected nodes estimated at the estimating exceeds a predetermined upper-limit value when it is assumed that some number of packets have been transmitted by the worm.
  - 7. The computer-readable recording medium according to claim 6, wherein the computer program further causes the computer to execute:
    - calculating, based on the number of packets derived at the deriving and number of packets leaked from the anti-worm-measure means starts the blocking of the communication by the worm until the anti-worm-measure means completes the blocking of the communication by the worm, an upper limit of number of packets allowed to be leaked until the anti-worm-measure means starts the blocking of the communication by the worm.
  - 8. The computer-readable recording medium according to claim 6, wherein the computer program further causes the computer to execute:
    - calculating, based on the number of packets derived at the deriving and a spreading speed of the worm, an upper limit of time until the anti-worm-measure unit completes the blocking of the communication by the, worm.
  - 9. The computer-readable recording medium according to claim 1, wherein the calculating includes calculating the infectivity of the worm based on number of nodes obtained by multiplying the number of nodes connected to the network by a ratio of nodes without a measure for preventing infection of the worm.

10. An anti-worm-measure parameter determining apparatus that determines parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm, the anti-worm-measure parameter determining apparatus comprising:
- an infectivity calculating unit that calculates infectivity of the worm based on number of nodes connected to the network; and
  
  a number-of-infected-nodes estimating unit that estimates an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The anti-worm-measure parameter determining apparatus according to claim 10, wherein the infectivity calculating unit calculates the infectivity of the worm based on a provability that the worm selects, as an infection destination, one node out of a group of nodes having a network address of a predetermined pattern with a network address of a node infected by the worm as a reference and number of groups of nodes having the network address of the predetermined pattern.
  - 12. The anti-worm-measure parameter determining apparatus according to claim 10, further comprising:
    - a number-of-leaked-packets deriving unit that derives, as an upper limit of number of packets allowed to be leaked from one infection source, number of packets at a time when the expected value of the number of infected nodes estimated by the number-of-infected-nodes estimating unit becomes an finite maximum value when it is assumed that some number of packets have been transmitted by the worm.
  - 13. The anti-worm-measure parameter determining apparatus according to claim 12, further comprising:
    - an anti-worm-measure parameter calculating unit that calculates, based on the number of packets derived by the number-of-leaked-packets deriving unit and number of packets leaked from the anti-worm-measure means starts the blocking of the communication by the worm until the anti-worm-measure means completes the blocking of the communication by the worm, an upper limit of number of packets allowed to be leaked until the anti-worm-measure means starts the blocking of the communication by the worm.
  - 14. The anti-worm-measure parameter determining apparatus according to claim 12, further comprising:
    - an anti-worm-measure parameter calculating unit that calculates, based on the number of packets derived by the number-of-leaked-packets deriving unit and a spreading speed of the worm, an upper limit of time until the anti-worm-measure unit completes the blocking of the communication by the worm.
  - 15. The anti-worm-measure parameter determining apparatus according to claim 10, further comprising:
    - a number-of-leaked-packets deriving unit that derives, as an upper limit of number of packets allowed to be leaked from one infection source, number of packets transmitted at a time when the expected value of the number of infected nodes estimated by the number-of-infected-nodes estimating unit exceeds a predetermined upper-limit value when it is assumed that some number of packets have been transmitted by the worm.
  - 16. The anti-worm-measure parameter determining apparatus according to claim 15, further comprising:
    - an anti-worm-measure parameter calculating unit that calculates, based on the number of packets derived by the number-of-leaked-packets deriving unit and number of packets leaked from the anti-worm-measure means starts the blocking of the communication by the worm until the anti-worm-measure means completes the blocking of the communication by the worm, an upper limit of number of packets allowed to be leaked until the anti-worm-measure means starts the blocking of the communication by the worm.
  - 17. The anti-worm-measure parameter determining apparatus according to claim 15, further comprising:
    - an anti-worm-measure parameter calculating unit that calculates, based on the number of packets derived by the number-of-leaked-packets deriving unit and a spreading speed of the worm, an upper limit of time until the anti-worm-measure unit completes the blocking of the communication by the worm.
  - 18. The anti-worm-measure-parameters determining apparatus according to claim 10, wherein the infectivity calculating unit calculates the infectivity of the worm based on number of nodes obtained by multiplying the number of nodes connected to the network by a ratio of nodes without a measure for preventing infection of the worm.

19. A computer-readable recording medium that stores therein a computer program for determining number of nodes connectable to a network when an anti-worm-measure means is set to start blocking of a communication by a worm at predetermined timing, for preventing a spread of the worm, wherein the computer program causes a computer to execute:
- calculating number of packets that can be leaked from packets transmitted from one infection source until the anti-worm-measure means completes the blocking of the communication by the worm;
  
  estimating, based on infectivity of the worm calculated based on the number of nodes connected to the network and the number of packets calculated at the calculating, an expected value of number of nodes infected by the worm until the anti-worm-measure means completes the blocking of the communication by the worm; and
  
  deriving, as an upper limit of number of nodes connectable to the network, number of nodes at a time when the expected value of the number of infected nodes estimated at the estimating becomes an finite maximum value when it is assumed that some number of packets have been transmitted by the worm.

20. A number-of-nodes determining apparatus that determines number of nodes connectable to a network when an anti-worm-measure means is set to start blocking of a communication by a worm at predetermined timing, for preventing a spread of the worm, the number-of-nodes limiting system comprising:
- a limit-value-of-leaked-packets calculating unit that calculates number of packets that can be leaked from packets transmitted from one infection source until the anti-worm-measure means completes the blocking of the communication by the worm;
  
  a number-of-infected-nodes estimating unit that estimates, based on infectivity of the worm calculated based on the number of nodes connected to the network and the number of packets calculated by the limit-number-of-leaked-packets calculating unit, an expected value of number of nodes infected by the worm until the anti-worm-measure means completes the blocking of the communication by the worm; and
  
  a limit-number-of-nodes deriving unit that derives, as an upper limit of number of nodes connectable to the network, number of nodes at a time when the expected value of the number of infected nodes estimated by the number-of-infected-nodes estimating unit becomes an finite maximum value when it is assumed that some number of packets have been transmitted by the worm.

21. A number-of-nodes limiting system that limits number of nodes connectable to a network when an anti-worm-measure means is set to start blocking of a communication by a worm at predetermined timing, for preventing a spread of the worm, the number-of-nodes limiting system comprising:
- a limit-value-of-leaked-packets calculating unit that calculates number of packets that can be leaked from packets transmitted from one infection source until the anti-worm-measure means completes the blocking of the communication by the worm;
  
  a number-of-infected-nodes estimating unit that estimates, based on infectivity of the worm calculated based on the number of nodes connected to the network and the number of packets calculated by the limit-number-of-leaked-packets calculating unit, an expected value of number of nodes infected by the worm until the anti-worm-measure means completes the blocking of the communication by the worm;
  
  a limit-number-of-nodes deriving unit that derives, as an upper limit of number of nodes connectable to the network, number of nodes at a time when the expected value of the number of infected nodes estimated by the number-of-infected-nodes estimating unit becomes an finite maximum value when it is assumed that some number of packets have been transmitted by the worm; and
  
  a network-address allocating unit that allocates a network address to a node with the upper limit of number of nodes connectable to the network derived by the limit-number-of-nodes deriving unit as a limit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Shimoyama, Takeshi, Omote, Kazumasa

Granted Patent

US 7,926,110 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 63/145 the attack involving the pr...

Anti-worm-measure parameter determining apparatus, number-of-nodes determining apparatus, number-of-nodes limiting system, and computer product

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-worm-measure parameter determining apparatus, number-of-nodes determining apparatus, number-of-nodes limiting system, and computer product

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links