MALWARE DETECTION SYSTEM AND METHOD

US 20090222920A1
Filed: 02/29/2008
Published: 09/03/2009
Est. Priority Date: 02/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware infected computing devices in a network, the method comprising:

allocating at least one network address in a network element coupled to a communications network as a bait address;

sending at least one outgoing bait packet from the bait address to the network;

receiving an incoming packet from the network at the bait address; and

selectively identifying a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

Citations

20 Claims

1. A method of detecting malware infected computing devices in a network, the method comprising:
- allocating at least one network address in a network element coupled to a communications network as a bait address;
  
  sending at least one outgoing bait packet from the bait address to the network;
  
  receiving an incoming packet from the network at the bait address; and
  
  selectively identifying a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the network element is a layer 2 switch or a layer 3 switch coupled to the communications network.
  - 3. The method of claim 1, wherein the bait address is a layer 2 address.
  - 4. The method of claim 3, wherein the bait address is a MAC address shared by a first port of the network element configured for transmitting bait packets and a second port of the network element configured for receiving incoming packets from the network.
  - 5. The method of claim 1, wherein outgoing bait packets are sent from the bait address to the network according to a policy table stored in the network element.
  - 6. The method of claim 1, wherein outgoing bait packets are sent from the bait address to the network according to a bait packet types list and a bait packet schedule stored in the network element.
  - 7. The method of claim 1, the at least one outgoing bait packet is sent as a broadcast from the bait address to the network.
  - 8. The method of claim 1, wherein at least one outgoing bait packet is sent as a unicast from the bait address to the network.
  - 9. The method of claim 1, wherein allocating at least one network address comprises allocating all ports of the network element as bait addresses.

10. A system for detecting malware infected computing devices in a network, the system comprising:
- a network element operatively coupled to a communications network, the network element having at least one network address allocated as a bait address, and comprising a malware detection component operative to send at least one outgoing bait packet from the bait address to the network, to receive an incoming packet from the network at the bait address, and to selectively identify a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The system of claim 10, wherein the network element is a layer 2 switch or a layer 3 switch coupled to the communications network.
  - 12. The system of claim 10, wherein the bait address is a layer 2 address.
  - 13. The system of claim 12, wherein the bait address is a MAC address shared by a first port of the network element configured for transmitting bait packets and a second port of the network element configured for receiving incoming packets from the network.
  - 14. The system of claim 10, wherein the malware detection component comprises a policy table with a bait packet types list and a bait packet schedule, and wherein the malware detection component is operative to send outgoing bait packets from the bait address to the network according to the bait packet types list and the bait packet schedule.
  - 15. The system of claim 10, wherein the malware detection component is operative to send the outgoing bait packet as a broadcast from the bait address to the network.
  - 16. The system of claim 10, wherein the malware detection component is operative to send the outgoing bait packet as a unicast from the bait address to the network.
  - 17. The system of claim 10, wherein all ports of the network element are allocated as bait addresses.
  - 18. The system of claim 10, wherein the at least one outgoing bait packet sent from the bait address to the network does not indicate any specific service.
  - 19. The system of claim 18, wherein the at least one outgoing bait packet sent from the bait address to the network is a bootp broadcast.
  - 20. The system of claim 10, wherein the malware detection component is operative to determine whether the incoming packet is unexpected based on the type of outgoing bait packet sent from the bait address to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Chow, Stanley, Abdel-Aziz, Bassem, Khan, Faud

Granted Patent

US 8,181,249 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

MALWARE DETECTION SYSTEM AND METHOD

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DETECTION SYSTEM AND METHOD

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links