Containment of Unknown and Polymorphic Fast Spreading Worms

US 20080222729A1
Filed: 03/05/2008
Published: 09/11/2008
Est. Priority Date: 03/05/2007
Status: Abandoned Application

First Claim

Patent Images

1. A worm containment system, comprising:

a) a host computing machine having a host operating system, the host operating system configured to manage at least one host application;

b) a virtual machine running under the control of a virtual machine monitor, the virtual machine having;

i) a clone of the host operating system; and

ii) a clone of the at least one host application;

c) a worm detector configured to monitor the virtual machine traffic for signs of worm propagation;

d) a splitter configured to duplicate packets intended for the host computing machine into;

(1) diverted packets; and

(2) buffered packets;

e) a diverter configured to route the diverted packets to the virtual machine; and

f) a buffer configured to;

i) store the buffered packets; and

ii) forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A worm containment system comprising a host computing machine, a virtual machine running under the control of a virtual machine monitor, a worm detector, a diverter and a buffer. The host computing machine has a host operating system and host application(s). The virtual machine has a clone of the host operating system and a clone of the host application(s). The worm detector is configured to monitor the virtual machine traffic for signs of worm propagation. The splitter is configured to duplicate packets intended for the host computing machine into diverted packets and buffered packets. The diverter is configured to route the diverted packets to the virtual machine. The buffer is configured to store the buffered packets and then forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.

Citations

20 Claims

1. A worm containment system, comprising:
- a) a host computing machine having a host operating system, the host operating system configured to manage at least one host application;
  
  b) a virtual machine running under the control of a virtual machine monitor, the virtual machine having;
  
  i) a clone of the host operating system; and
  
  ii) a clone of the at least one host application;
  
  c) a worm detector configured to monitor the virtual machine traffic for signs of worm propagation;
  
  d) a splitter configured to duplicate packets intended for the host computing machine into;
  
  (1) diverted packets; and
  
  (2) buffered packets;
  
  e) a diverter configured to route the diverted packets to the virtual machine; and
  
  f) a buffer configured to;
  
  i) store the buffered packets; and
  
  ii) forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A worm containment system according to claim 1, wherein the virtual machine monitor runs on the host computing machine.
  - 3. A worm containment system according to claim 1, wherein the splitter and diverter are integrated.
  - 4. A worm containment system according to claim 1, wherein the virtual machine monitor runs on the host operating system.
  - 5. A worm containment system according to claim 1, further including the worm detector reporting any detected worm propagation behavior.
  - 6. A worm containment system according to claim 1, further including isolating the diverted traffic for which the worm detector detected worm propagation behavior.
  - 7. A worm containment system according to claim 1, wherein the worm propagation behavior includes attempts to infect other hosts.
  - 8. A worm containment system according to claim 1, wherein the virtual machine is suspended after the worm detector detects worm propagation behavior.
  - 9. A worm containment system according to claim 1, wherein the worm propagation behavior is characterized using propagation speed and number of intended targets.
  - 10. A worm containment system according to claim 1, wherein the virtual machine is reset to an original state after the worm detector detects worm propagation behavior.

11. A computer-readable media tangibly embodying a program of instructions executable by a computer to perform a method for containing worms on the computing machine, the method comprising:
- a) duplicating packets intended for a host computing machine into;
  
  diverted packets and buffered packets, the host computing machine having a host operating system configured to manage at least one host application;
  
  b) storing the buffered packets in a buffer;
  
  c) routing the diverted packets to a virtual machine, the virtual machine running under the control of a virtual machine monitor, the virtual machine having;
  
  i) a clone of a host operating system; and
  
  ii) a clone of the at least one host application;
  
  d) monitoring virtual machine traffic for signs of worm propagation; and
  
  e) forwarding the buffered packets to the host computing machine when no worm propagation behavior was monitored.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The media as in claim 11, wherein the virtual machine monitor runs on the host computing machine.
  - 13. The media as in claim 11, wherein the virtual machine monitor runs on the host operating system.
  - 14. The media as in claim 11, further including reporting any detected worm propagation behavior.
  - 15. The media as in claim 11, further including isolating the diverted traffic for which worm propagation behavior was monitored.
  - 16. The media as in claim 11, wherein the worm propagation behavior includes attempts to infect other hosts.
  - 17. The media as in claim 11, wherein the worm propagation behavior is characterized using propagation speed and number of intended targets.
  - 18. The media as in claim 11, further including suspending the virtual machine after worm propagation behavior is monitored.
  - 19. The media as in claim 11, further including resetting the virtual machine to an original state after worm propagation behavior is monitored.

20. A method for containing worms on a computing machine, the method comprising:
- a) duplicating packets intended for a host computing machine into;
  
  diverted packets and buffered packets, the host computing machine having;
  
  i) a host operating system; and
  
  ii) at least one host application;
  
  b) routing the diverted packets to a virtual machine, the virtual machine running under the control of a virtual machine monitor, the virtual machine having;
  
  i) a clone of a host operating system; and
  
  ii) a clone of the at least one host application;
  
  c) storing the buffered packets in a buffer;
  
  d) monitoring virtual machine traffic for signs of worm propagation; and
  
  e) forwarding the buffered packets to the host computing machine when no worm propagation behavior was monitored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Intellectual Properties, Inc.
Original Assignee
George Mason Intellectual Properties, Inc.
Inventors
Wang, Xinyuan, Chen, Songqing

Application Number

US12/042,587
Publication Number

US 20080222729A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Containment of Unknown and Polymorphic Fast Spreading Worms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Containment of Unknown and Polymorphic Fast Spreading Worms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links