Method, apparatus, and computer program product for detecting computer worms in a network
First Claim
1. A computer-based method for detecting worms in a computer network, comprising:
(a) monitoring traffic in the computer network to identify one or more traffic behavior occurrences;
(b) organizing the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
(c) using the data structure to identify a possible worm-infected host in the computer network.
Abstract
A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
55 Claims
1. Independent method claim (text as given under First Claim above). Dependent claims: 2–15 and 47–55.
16. An apparatus for detecting worms in a computer network, comprising:
a monitoring module to monitor traffic in the computer network to identify one or more traffic behavior occurrences;
an organizing module to organize the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
a using module to use the data structure to identify a possible worm-infected host in the computer network.
Dependent claims: 17–30.
31. A computer program product comprising a computer useable medium having control logic stored therein, said control logic causing a processor to detect worms in a computer network, the control logic comprising:
first computer readable program code means for causing a processor to monitor traffic in the computer network to identify one or more traffic behavior occurrences;
second computer readable program code means for causing a processor to organize the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
third computer readable program code means for causing a processor to use the data structure to identify a possible worm-infected host in the computer network.
Dependent claims: 32–45.
46. A computer-based method for detecting worms in a computer network, comprising:
(a) monitoring traffic in the computer network to identify one or more traffic behavior occurrences;
(b) generating a graph-based representation of the traffic behavior occurrences comprising a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
(c) using the graph-based representation to identify a possible worm-infected host in the computer network.
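The independent claims (1, 16, 31 and 46) all describe the same propagation-tree construction: a node is added only when a host receives a traffic behavior from a host that is already in the tree, and the resulting tree is used to pick out possibly infected hosts. The following Python is an added illustration written for this page; it is not code from the patent or its assignee. It assumes a "traffic behavior" can be recognised by a per-flow predicate (here, a destination port; the ports 445 and 8080, the 10.0.0.x addresses and the flow records are all constructed), uses a propagation depth of 2 links as a constructed detection threshold, and goes slightly beyond the claim text by keeping a forest (one tree per unrelated first sender) rather than a single tree per behavior.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One observed flow: timestamp, sender, receiver, destination port (constructed)."""
    ts: int
    src: str
    dst: str
    dport: int


@dataclass
class PropagationTree:
    """Tree of hosts for one traffic behavior; a link means 'parent sent behavior to child'."""
    behavior: str
    root: str
    parent: dict = field(default_factory=dict)                      # child -> parent
    children: defaultdict = field(default_factory=lambda: defaultdict(list))

    def contains(self, host: str) -> bool:
        return host == self.root or host in self.parent

    def add(self, child: str, parent: str) -> None:
        self.parent[child] = parent
        self.children[parent].append(child)

    def depth(self) -> int:
        """Longest root-to-leaf path, counted in links (1 = simple fan-out star)."""
        def d(node: str) -> int:
            kids = self.children[node]
            return 0 if not kids else 1 + max(d(k) for k in kids)
        return d(self.root)

    def relayers(self) -> list:
        """Hosts that received the behavior and later sent it on to a new host."""
        return [h for h in self.parent if self.children[h]]


def build_forest(flows, behaviors):
    """behaviors: {name: predicate(Flow) -> bool}. Flows are replayed in time order.

    A receiver becomes a new node only if its sender is already in some tree for that
    behavior (the claim's rule). A sender not yet in any tree starts a new tree.
    """
    forest = defaultdict(list)  # behavior name -> [PropagationTree]
    for f in sorted(flows, key=lambda x: x.ts):
        for name, match in behaviors.items():
            if not match(f) or f.src == f.dst:
                continue
            trees = forest[name]
            tree = next((t for t in trees if t.contains(f.src)), None)
            if tree is None:
                tree = PropagationTree(name, f.src)
                trees.append(tree)
            # A host already present anywhere (as root or node) is not added twice;
            # traffic back toward an existing node is simply a repeat occurrence.
            if not any(t.contains(f.dst) for t in trees):
                tree.add(f.dst, f.src)
    return forest


def suspected_infected(forest, min_depth: int = 2):
    """Flag the root and every relaying host of any tree that has propagated min_depth+ hops.

    A star of depth 1 (one sender, many receivers that never relay) is ordinary traffic;
    receivers that are still leaves are not flagged, since they have not passed anything on.
    """
    flagged = {}
    for name, trees in forest.items():
        for t in trees:
            if t.depth() >= min_depth:
                flagged.setdefault(name, set()).update([t.root] + t.relayers())
    return flagged


# Constructed sample traffic. Port 445 chain: .5 -> .7 -> .12 -> .20 (plus .5 -> .9).
# Port 8080: a single host pushing to three clients that never relay (benign star).
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "10.0.0.7", 445),
    Flow(2, "10.0.0.5", "10.0.0.9", 445),
    Flow(3, "10.0.0.7", "10.0.0.12", 445),
    Flow(4, "10.0.0.12", "10.0.0.20", 445),
    Flow(5, "10.0.0.9", "10.0.0.5", 445),     # back to the root: no new node
    Flow(10, "10.0.0.1", "10.0.0.7", 8080),
    Flow(11, "10.0.0.1", "10.0.0.9", 8080),
    Flow(12, "10.0.0.1", "10.0.0.12", 8080),
]

BEHAVIORS = {
    "smb-445": lambda f: f.dport == 445,      # constructed behavior definitions
    "update-8080": lambda f: f.dport == 8080,
}

if __name__ == "__main__":
    forest = build_forest(SAMPLE_FLOWS, BEHAVIORS)
    for name, trees in forest.items():
        for t in trees:
            print(f"{name}: root={t.root} depth={t.depth()} relayers={t.relayers()}")
    print("suspected:", suspected_infected(forest))
```

The design point a defender cares about is that fan-out alone is not the signal: the 8080 push reaches three hosts but stays at depth 1, while the 445 chain reaches depth 3 because receivers go on to send the same behavior. Only hosts that actually relayed (plus the original sender) are flagged; freshly contacted leaves are candidates to watch, not verdicts.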