Detecting Public Network Attacks Using Signatures and Fast Content Analysis
Abstract
Network worms or viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method is provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of those packets containing invariant strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for a suspected worm.
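The abstract describes the content sifting loop only at a high level. As an added illustration that is not the patent's own code, the following Python sketch runs that loop over constructed traffic: fixed-length substrings are reduced to a fingerprint (the "data reduction" of claims 58 and 74), value sampling keeps only substrings whose fingerprint value selects them, and a table tracks prevalence and address dispersion per fingerprint. The fingerprint function, the thresholds and the host addresses are assumptions of this example.

```python
# Added example, not the patent's code: content sifting with value sampling.
# The fingerprint, thresholds and the test traffic are constructed here.
from collections import defaultdict

WINDOW = 8          # bytes per fingerprinted substring
SAMPLE_MOD = 4      # value sampling keeps roughly one substring in four
PREVALENCE_MIN = 3  # appearances a sampled substring needs
DISPERSION_MIN = 3  # distinct sources and distinct destinations it needs


def fingerprint(sub: bytes) -> int:
    """Data reduction: a Rabin-Karp style 32-bit polynomial fingerprint, so
    identical content from different packets maps to the same table entry."""
    fp = 0
    for b in sub:
        fp = (fp * 257 + b) & 0xFFFFFFFF
    return fp


def sampled_substrings(payload: bytes):
    """Value sampling: keep a substring when its fingerprint value selects it.
    Selection depends on content, not offset, so a worm body that appears at
    a different position in each packet is still sampled consistently."""
    for i in range(len(payload) - WINDOW + 1):
        sub = payload[i:i + WINDOW]
        fp = fingerprint(sub)
        if fp % SAMPLE_MOD == 0:
            yield fp, sub


class ContentSifter:
    """Tracks prevalence and address dispersion per sampled fingerprint."""

    def __init__(self):
        self.table = defaultdict(lambda: {"count": 0, "src": set(), "dst": set()})

    def observe(self, src: str, dst: str, payload: bytes) -> list:
        """Account one packet and return substrings whose prevalence and address
        dispersion both crossed threshold: candidate worm signatures. Popular
        content from a single server never reports: its source dispersion is one."""
        signatures = []
        for fp, sub in sampled_substrings(payload):
            e = self.table[fp]
            e["count"] += 1
            e["src"].add(src)
            e["dst"].add(dst)
            if (e["count"] >= PREVALENCE_MIN and len(e["src"]) >= DISPERSION_MIN
                    and len(e["dst"]) >= DISPERSION_MIN):
                signatures.append(sub)
        return signatures
```

Feeding the same payload from three infected hosts to three victims reports the sampled substrings on the third packet, while a server reply repeated to many clients is never reported because only its destination set grows.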
Claims (127)
1-32. (canceled)
33. A system for detecting a network attack, comprising:
a communication module configured to receive a plurality of packets on a network; a signature module configured to receive said plurality of packets from the communication module and analyze the content of said packets to detect common content among said packets to identify a network attack.
Dependent claims: 34, 35, 36, 38, 39.
37. (canceled)
40. (canceled)
41. (canceled)
42. (canceled)
43. A computer implemented method for analyzing network activity, comprising:
receiving a plurality of packets transiting a network; analyzing the content of said plurality of packets to detect common content among said packets; and identifying network attacks based upon said analysis for common content.
Dependent claims: 46, 47, 49, 50, 51, 52, 53, 54, 55, 57, 124, 125.
44. (canceled)
45. (canceled)
48. (canceled)
56. (canceled)
58. A computer implemented method for analyzing network activity comprising:
obtaining a plurality of packets being transmitted across a network; performing a data reduction on at least a portion of each of the packets of said plurality of packets to form a plurality of data reduced packets, wherein the reduced data packets in the plurality of data reduced packets have a smaller size and a constant predetermined relation with the packets being transmitted across the network and at least some of the packets being transmitted across the network that differ are reduced to the same reduced data packet; detecting repetition of content among said plurality of data packets based on the reduced data packets; analyzing sources and destinations of said plurality of packets; and identifying network attacks based upon said detection of repetition and said analysis of sources and destinations.
Dependent claims: 59, 60, 63, 65, 66, 67, 68, 69, 70, 72, 73, 126.
61. (canceled)
62. (canceled)
64. (canceled)
71. (canceled)
74. A method of analyzing network activity comprising:
obtaining a plurality of packets transiting a network; performing a data reduction on at least a portion of each of the packets of said plurality of packets to form a plurality of data reduced packets, wherein the reduced data packets in the plurality of data reduced packets have a smaller size and a constant predetermined relation with the packets transiting the network and at least some of the packets transiting the network that differ are reduced to the same reduced data packet; analyzing said plurality of data reduced packets to detect a repetition of at least a portion of content among said plurality of data packets; and analyzing said packets having repetitive content to determine if said packets are spreading.
Dependent claims: 75, 76, 77, 79, 80, 81, 82, 83, 84, 85, 86, 87.
78. (canceled)
88. An apparatus comprising:
a signature generator, having a connection to a network, to obtain a portion of data from the network, operating to carry out a data reduction on said data portion to reduce said data portion to a reduced data portion in a repeatable manner; and a memory, storing said reduced data portions, wherein said signature generator also operates to detect common elements within said reduced data portion, said analyzing reviewing for common content indicative of a network attack.
Dependent claims: 89, 90, 91, 92, 93, 94, 95, 96, 98, 99, 100, 101, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120.
97. (canceled)
102. (canceled)
103. (canceled)
121-123. (canceled)
127-128. (canceled)