HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES

US 20100205671A1
Filed: 04/18/2010
Published: 08/12/2010
Est. Priority Date: 06/19/2000
Status: Active Grant

First Claim

Patent Images

1. A method for detecting transmission of potentially malicious packets, comprising:

receiving a plurality of packets;

generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;

comparing the generated hash values to hash values associated with prior packets; and

determining that one of the plurality of packets is a potentially malicious packet when one or more of the generated hash values associated with the one of the plurality of packets match one or more of the hash values associated with the prior packets.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

106 Citations

View as Search Results

20 Claims

1. A method for detecting transmission of potentially malicious packets, comprising:
- receiving a plurality of packets;
  
  generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;
  
  comparing the generated hash values to hash values associated with prior packets; and
  
  determining that one of the plurality of packets is a potentially malicious packet when one or more of the generated hash values associated with the one of the plurality of packets match one or more of the hash values associated with the prior packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the generating hash values includes:
    - hashing variable-sized blocks in a payload field of the plurality of packets to generate the hash values.
  - 3. The method of claim 2, wherein the hashing variable-sized blocks includes:
    - performing a plurality of hashes covering each byte of the payload field.
  - 4. The method of claim 2, wherein the hashing variable-sized blocks includes:
    - selecting a first block of a first block size, andhashing the first block using a plurality of different hash functions.
  - 5. The method of claim 4, wherein the hashing variable-sized blocks further includes:
    - selecting a second block of a second block size, andhashing the second block using the plurality of different hash functions.
  - 6. The method of claim 2, wherein the hashing variable-sized blocks includes:
    - selecting a plurality of blocks of a plurality of different block sizes, andhashing the blocks using a plurality of different hash functions.
  - 7. The method of claim 6, wherein the hashing variable-sized blocks further includes:
    - selecting a next plurality of blocks of a next plurality of different block sizes, andhashing the next plurality of blocks using the plurality of different hash functions.
  - 8. The method of claim 1, further comprising:
    - storing a plurality of hash values corresponding to known malicious packets.
  - 9. The method of claim 8, further comprising:
    - comparing the generated hash values to the hash values corresponding to the known malicious packets; and
      
      identifying one of the plurality of packets as a potentially malicious packet when one or more generated hash values corresponding to the one of the plurality of packets match one or more of the hash values corresponding to the known malicious packets.
  - 10. The method of claim 1, further comprising:
    - determining whether more than a predefined number of the prior packets with the one or more of the hash values was received.
  - 11. The method of claim 10, wherein the determining that one of the plurality of packets is a potentially malicious packet includes:
    - identifying the one of the plurality of packets as a potentially malicious packet when more than the predefined number of the prior packets were received within a predetermined amount of time of the one of the plurality of packets.
  - 12. The method of claim 1, wherein the one or more generated hash values corresponding to the one of the plurality of packets include a plurality of generated hash values;
    - andwherein the determining that one of the plurality of packets is a potentially malicious packet includes;
      
      identifying the one of the plurality of packets as a potentially malicious packet when at least a predetermined number of the plurality of generated hash values match the hash values associated with the prior packets.
  - 13. The method of claim 1, wherein the potentially malicious packet is associated with one of a polymorphic virus and a polymorphic worm.
  - 14. The method of claim 1, further comprising:
    - taking remedial action when the one of the plurality of packets is determined to be a potentially malicious packet.
  - 15. The method of claim 14, wherein the taking remedial action includes at least one of:
    - raising a warning,delaying transmission of the one of the plurality of packets,capturing the one of the plurality of packets for human or automated analysis,dropping the one of the plurality of packets,dropping other packets originating from a same address as the one of the plurality of packets,sending a Transmission Control Protocol (TCP) close message to a sender of the one of the plurality of packets,disconnecting a link on which the one of the plurality of packets was received,corrupting the one of the plurality of packets, andprobabilistically dropping or corrupting the one of the plurality of packets.

16. A system for hampering transmission of potentially malicious packets, comprising:
- means for observing a plurality of packets;
  
  means for generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;
  
  means for comparing the generated hash values to hash values corresponding to prior packets;
  
  means for identifying one of the plurality of packets as a potentially malicious packet when the generated hash values corresponding to the one of the plurality of packets match the hash values corresponding to the prior packets; and
  
  means for at least one of hampering transmission of the one of the plurality of packets and capturing a copy of the one of the plurality of packets for analysis when the one of the plurality of packets is identified as a potentially malicious packet.

17. A device for detecting transmission of malicious packets, comprising:
- a hash memory configured to store information associated with a plurality of hash values corresponding to a plurality of prior packets; and
  
  a hash processor configured to;
  
  observe a packet,generate one or more hash values, as one or more generated hash values, based on variable-sized blocks of the packet,compare the one or more generated hash values to the hash values corresponding to the plurality of prior packets, andidentify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the plurality of prior packets.
- View Dependent Claims (18, 19, 20)
- - 18. The device of claim 17, wherein when generating one or more hash values, the hash processor is configured to hash variable-sized blocks in a payload field of the packet.
  - 19. The device of claim 18, wherein when hashing variable-sized blocks, the hash processor is configured to perform a plurality of hashes covering each byte of the payload field.
  - 20. The device of claim 18, wherein when hashing variable-sized blocks, the hash processor is configured to:
    - select a first block of a first block size, andhash the first block using a plurality of different hash functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Azure Networks, LLC (Oso IP, LLC)
Original Assignee
Azure Networks, LLC (Oso IP, LLC)
Inventors
Milliken, Walter Clark, Partridge, Craig, Sanchez, Luis, Milligan, Stephen Douglas, Strayer, William Timothy

Granted Patent

US 8,272,060 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links