PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS

US 20090031423A1
Filed: 12/20/2007
Published: 01/29/2009
Est. Priority Date: 12/20/2006
Status: Active Grant

First Claim

Patent Images

1. A malicious code containment system configured for use in an enterprise network having a plurality of hosts, comprising:

a software agent running on each host, each agent being operative to;

a) detect worm-related scan activity in the form of sustained faster-than-normal connection attempts to distinct destination addresses, andb) initiate active containment of the worm on the host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives, including a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (or unblock) those mistakenly contained (or blocked) hosts, if there are any. The system integrates seamlessly with existing signature-based or filter-based worm scan filtering solutions. Nevertheless, the invention is signature free and does not rely on worm signatures. Nor is it protocol specific, as the approach performs containment consistently over a large range of worm scan rates. It is not sensitive to worm scan rate and, being a network-level approach deployed on a host, the system requires no changes to the host'"'"'s OS, applications, or hardware.

Citations

25 Claims

1. A malicious code containment system configured for use in an enterprise network having a plurality of hosts, comprising:
- a software agent running on each host, each agent being operative to;
  
  a) detect worm-related scan activity in the form of sustained faster-than-normal connection attempts to distinct destination addresses, andb) initiate active containment of the worm on the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, further including a manager interconnected to the network, and wherein:
    - each host detecting worm-related activity sends an alert to the manager; and
      
      the manager informs other agents of the situation to determine if their hosts are also infected.
  - 3. The system of claim 2 wherein, when an agent is contacted by the manager, the agent examines its host in accordance with a window lemma to minimize availability loss of the host.
  - 4. The system of claim 3 wherein, if the agent determines that its host is infected, it initiates passive containment of the worm and performs a relaxation analysis to determine if its host exhibits sustained faster-than-normal connection attempts to distinct destination addresses.
  - 5. The system of claim 4, wherein the duration of the relaxation analysis is limited to minimize availability loss of the host.
  - 6. The system of claim 4 wherein, after a predetermined number of relaxation failures, the agent isolates its host and reports the situation to the manager.
  - 7. The system of claim 2, wherein:
    - each host further includes a malicious code signature extractor; and
      
      new signatures are reported to the manager.
  - 8. The system of claim 7, wherein:
    - the manager has access to a security manager; and
      
      when the manager receives a new signature from an agent it sends the signature to security manager so that it may install the signature into firewalls to block inbound or outbound malicious code.
  - 9. The system of claim 7, wherein when the manager receives a new signature from an agent, the signature is propagated to all other agents so that they may also install it into embedded packet filters.
  - 10. The system of claim 1, wherein the agent is implemented as a kernel driver or other operating system (OS) component.
  - 11. The system of claim 1, wherein the agent is implemented as a separated box.
  - 12. The system of claim 1, wherein the agent is implemented as part of a network interface controller (NIC).
  - 13. The system of claim 1, wherein containment is effectuated by disabling outgoing user datagram protocol (UDP) packets.
  - 14. The system of claim 1, wherein containment is effectuated by disabling transmission control protocol (TCP) connections.

15. A method of containing malicious code in an enterprise network having a plurality of hosts, comprising the steps of:
- detecting, at each host, any code attempting sustained faster-than-normal connections to distinct destination addresses; and
  
  initiating active containment of the code.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further including the step of informing other agents of the code detection through a manager on the network.
  - 17. The method of claim 16 wherein, when an agent is contacted by the manager, its examines its host in accordance with a window lemma.
  - 18. The method of claim 17 wherein, if the agent determines that its host is infected, it initiates passive containment of the worm and performs a relaxation analysis to determine if its host exhibits sustained faster-than-normal connection attempts to distinct destination addresses.
  - 19. The method of claim 18, wherein the duration of the relaxation analysis is limited to minimize availability loss of its host.
  - 20. The method of claim 18 wherein, after a predetermined number of relaxation failures, the agent isolates its host and reports the situation to the manager.
  - 21. The method of claim 16, wherein:
    - each host further includes a malicious code signature extractor; and
      
      including the step of reporting new signatures to the manager.
  - 22. The method of claim 21, wherein:
    - the manager has access to a security manager; and
      
      when the manager receives a new signature from an agent it sends the signature to security manager so that it may install the signature into firewalls to block inbound or outbound malicious code.
  - 23. The method of claim 21, including the step of propagating the signature to all other agents so that they may also install it into embedded packet filters.
  - 24. The method of claim 15, including the step of disabling outgoing user datagram protocol (UDP) packets to effectuate containment
  - 25. The method of claim 15, including the step of disabling transmission control protocol (TCP) connections to effectuate containment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Penn State Research Foundation (Pennsylvania State University)
Original Assignee
Penn State Research Foundation (Pennsylvania State University)
Inventors
Liu, Peng, Jhi, Yoon-Chan, Li, Lunquan

Granted Patent

US 8,904,535 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links