PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS
2 Assignments
0 Petitions
Abstract
A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives: a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (unblock) any hosts that were mistakenly contained (blocked). The system integrates seamlessly with existing signature-based or filter-based worm scan filtering solutions, yet the invention itself is signature free and does not rely on worm signatures. Nor is it protocol specific. The approach performs containment consistently over a large range of worm scan rates, so it is not sensitive to worm scan rate, and, being a network-level approach deployed on a host, the system requires no changes to the host's OS, applications, or hardware.
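The detection and release logic the abstract describes, as an added illustration that is not code from the patent or its authors. A per-host agent scores each time window by the number of distinct destination addresses the host tried to reach, contains the host after the score stays above a normal rate for several consecutive windows, and releases it (relaxation) once attempts fall back to normal for several consecutive windows. The page gives no thresholds and does not state the vulnerability time window lemma, so the window sizes, the rates, the simple "was there a recent inbound connection?" stand-in for that lemma, the class and function names and the sample connection logs are all assumptions constructed for this example.

```python
"""Simplified PWC-style per-host agent (added illustration, not the patent's code).

Modelling choices (assumptions; the page gives no thresholds or exact lemma):
- Time is split into fixed windows of `window_s` seconds.
- The scan score of a window is the number of DISTINCT destination addresses
  the host tried to reach in it; repeat connections to one peer do not count.
- The host is contained once the score exceeds `normal_rate` for `sustain`
  consecutive windows, but only if it accepted an inbound connection within the
  last `vuln_window_s` seconds. That inbound check is a stand-in for the
  abstract's "vulnerability time window" idea (a host cannot have been infected
  by a scanning worm without first accepting a connection).
- Relaxation: a contained host is released after `relax` consecutive windows
  whose attempted distinct-destination count is at or below `normal_rate`.
"""
from typing import List, Optional, Tuple

Event = Tuple[float, str, str]  # (timestamp_s, "in" | "out", remote address)


class PwcAgent:
    def __init__(self, window_s: float = 1.0, normal_rate: int = 5,
                 sustain: int = 3, relax: int = 4, vuln_window_s: float = 30.0):
        self.window_s = window_s
        self.normal_rate = normal_rate
        self.sustain = sustain
        self.relax = relax
        self.vuln_window_s = vuln_window_s
        self.contained = False
        self.actions: List[Tuple[str, float]] = []  # ("CONTAIN" | "RELEASE", time)
        self.blocked: List[Tuple[float, str]] = []  # outbound attempts dropped
        self._idx: Optional[int] = None             # index of the open window
        self._dsts: set = set()                     # distinct targets this window
        self._hot = 0                               # consecutive over-rate windows
        self._cool = 0                              # consecutive normal windows
        self._last_inbound: Optional[float] = None

    def _close_window(self, idx: int) -> None:
        """Score window `idx` and update the containment state machine."""
        end = (idx + 1) * self.window_s
        if len(self._dsts) > self.normal_rate:
            self._hot, self._cool = self._hot + 1, 0
            recent_inbound = (self._last_inbound is not None
                              and end - self._last_inbound <= self.vuln_window_s)
            if not self.contained and self._hot >= self.sustain and recent_inbound:
                self.contained = True
                self.actions.append(("CONTAIN", end))
        else:
            self._cool, self._hot = self._cool + 1, 0
            if self.contained and self._cool >= self.relax:
                self.contained = False
                self.actions.append(("RELEASE", end))
        self._dsts = set()

    def _advance(self, ts: float) -> None:
        """Close every window that ended before `ts`; empty windows score 0."""
        idx = int(ts // self.window_s)
        if self._idx is None:
            self._idx = idx
            return
        while self._idx < idx:
            self._close_window(self._idx)
            self._idx += 1

    def observe(self, ts: float, direction: str, peer: str) -> str:
        """Feed one connection event (events must arrive in time order)."""
        self._advance(ts)
        if direction == "in":
            self._last_inbound = ts
            return "allow"
        # Count attempts even while contained, so relaxation sees a worm that
        # is still scanning and does not release the host prematurely.
        self._dsts.add(peer)
        if self.contained:
            self.blocked.append((ts, peer))
            return "block"
        return "allow"

    def finish(self) -> None:
        """Close the last open window so trailing events are scored."""
        if self._idx is not None:
            self._close_window(self._idx)


def burst(start: float, windows: int, per_window: int) -> List[Event]:
    """Constructed scan burst: `per_window` distinct 10.1.x.y targets per window."""
    return [(start + w + i / per_window, "out", f"10.1.{w}.{i + 1}")
            for w in range(windows) for i in range(per_window)]


def simulate(events: List[Event], **params) -> PwcAgent:
    agent = PwcAgent(**params)
    for ts, direction, peer in sorted(events):
        agent.observe(ts, direction, peer)
    agent.finish()
    return agent


# Constructed sample logs (not captured traffic).
BENIGN_TRAFFIC: List[Event] = [(1.0, "out", "10.0.0.5"), (1.5, "out", "10.0.0.6"),
                               (20.0, "out", "10.0.0.5")]
INFECTION_VECTOR: List[Event] = [(2.5, "in", "192.0.2.10")]
INFECTED_HOST_LOG = BENIGN_TRAFFIC + INFECTION_VECTOR + burst(10.0, 4, 20)    # 4 s scan, then quiet
PERSISTENT_SCAN_LOG = BENIGN_TRAFFIC + INFECTION_VECTOR + burst(10.0, 10, 20)  # keeps scanning

if __name__ == "__main__":
    agent = simulate(INFECTED_HOST_LOG)
    print(agent.actions, len(agent.blocked), "outbound attempts blocked")
```

With the defaults, the infected-host log is contained at the end of the third over-rate window and released after four quiet windows; the same burst with no prior inbound connection is never contained, which is how the inbound stand-in avoids a false initial containment of, say, an administrator's own scanner. The persistent-scan log stays contained because blocked attempts are still counted toward the window score; if the agent only scored connections it let through, the relaxation step would release a host whose worm is still scanning.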
25 Claims
1. A malicious code containment system configured for use in an enterprise network having a plurality of hosts, comprising:
a software agent running on each host, each agent being operative to:
a) detect worm-related scan activity in the form of sustained faster-than-normal connection attempts to distinct destination addresses, and
b) initiate active containment of the worm on the host.
Dependent claims: 2-14.
15. A method of containing malicious code in an enterprise network having a plurality of hosts, comprising the steps of:
detecting, at each host, any code attempting sustained faster-than-normal connections to distinct destination addresses; and
initiating active containment of the code.
Dependent claims: 16-25.
Specification