PASSIVE DETECTION OF REBOOTING HOSTS IN A NETWORK

US 20100332641A1
Filed: 11/10/2008
Published: 12/30/2010
Est. Priority Date: 11/09/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for detecting host reboots passively, the computer-implemented method comprising:

a) storing a list of one or more host initialization events, each of the one or more host initialization events being associated with a host system;

b) receiving packet destination information derived from packets sourced from the host system;

c) comparing the received packet destination information with the list of one or more host initialization events to determine whether any matches occur;

d) incrementing the value of a count variable if a match is determined to exist, otherwise, maintaining the count variable at its current value; and

e) determining whether one or more reboots of the host occurred using the value of the count variable.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Host reboots may be detected passively by tracking and analyzing host initialization events and/or by tracking and analyzing temporal skews in periodic events. Detected host reboots may then be used to determine or help determine whether or not the host has a possible malware infection.

38 Citations

View as Search Results

23 Claims

1. A computer-implemented method for detecting host reboots passively, the computer-implemented method comprising:
- a) storing a list of one or more host initialization events, each of the one or more host initialization events being associated with a host system;
  
  b) receiving packet destination information derived from packets sourced from the host system;
  
  c) comparing the received packet destination information with the list of one or more host initialization events to determine whether any matches occur;
  
  d) incrementing the value of a count variable if a match is determined to exist, otherwise, maintaining the count variable at its current value; and
  
  e) determining whether one or more reboots of the host occurred using the value of the count variable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1 further comprising:
    - f) controlling the execution of a host malware protection policy using a value of the count variable.
  - 3. The computer-implemented method of claim 1 wherein the list of one or more host initialization events is associated with a set of one or more host systems.
  - 4. The computer-implemented method of claim 1 wherein in the list of one or more host initialization events, each host initialization event includes a {destination IP address, destination port} pair,wherein the packet destination information received includes destination IP address and destination port information, andwherein the act of comparing the received packet destination information with the list of one or ore host initialization events to determine whether any matches occur includes comparing a destination IP address and a destination port of the received packet destination information with that of the one or more host initialization events.
  - 5. The computer-implemented method of claim 1 wherein in the list of one or more host initialization events, each host initialization event includes a destination autonomous system identifier,wherein the packet destination information received includes a destination autonomous system identifier information, andwherein the act of comparing the received packet destination information with the list of one or more host initialization events to determine whether any matches occur includes comparing a destination autonomous system identifier of the received packet destination information with that of the one or more host initialization events.
  - 6. The computer-implemented method of claim 1 wherein in the list of one or more host initialization events, each host initialization event includes a destination domain identifier,wherein the packet destination information received includes destination domain identifier information, andwherein the act of comparing the received packet destination information with the list of one or more host initialization events to determine whether any matches occur includes comparing a destination domain identifier of the received packet destination information with that of the one or more host initialization events.
  - 7. The computer-implemented method of claim 2 wherein the act of controlling the execution of a host malware protection policy using a value of the count variable includescomparing the value of the count variable with a predetermined threshold value, andexecuting the host malware protection policy if the value of the count variable exceeds the predetermined threshold value, otherwise, not executing the host malware protection policy.
  - 8. The computer-implemented method of claim 2, further comprising:
    - decrementing the value of a count variable if a previously determined match has a time falling outside of a sliding window having a predetermined temporal length.
  - 9. The computer-implemented method of claim 8 wherein the act of controlling the execution of a host malware protection policy using a value of the count variable includescomparing the value of the count variable with a predetermined threshold value, andexecuting the host malware protection policy if the value of the count variable exceeds the predetermined threshold value, otherwise, not executing the host malware protection policy.
  - 10. The computer-implemented method of claim 2 wherein the act of controlling the execution of a host malware protection policy further uses an indication that the host system was inactive for at least a second predetermined period of time preceding a determination of the occurrence of a match.
  - 11. The computer-implemented method of claim 10 wherein the indication that the host system was inactive for at least the second predetermined period of time includes determining that the host system had no network activity for the second predetermined period of time preceding a determination of the occurrence of a match.

12. Apparatus for detecting host reboots passively, the apparatus comprising:
- a) means for storing a list of one or more host initialization events, each of the one or more host initialization events being associated with a host system;
  
  b) means for receiving packet destination information derived from packets sourced from the host system;
  
  c) means for comparing the received packet destination information with the list of one or more host initialization events to determine whether any matches occur;
  
  d) means for incrementing the value of a count variable if a match is determined to exist, otherwise, maintaining the count variable at its current value; and
  
  e) means for determining whether one or more reboots of the host occurred using the value of the count variable.
- View Dependent Claims (13)
- - 13. The apparatus of claim 12 further comprising:
    - f) means for controlling the execution of a host malware protection policy using a value of the count variable.

14. A computer-implemented method for detecting host reboots passively, the computer-implemented method comprising:
- a) accepting information of packet flows for the host system, wherein each of the packet flows corresponds to one or more events, and wherein a plurality of packet flows corresponding to a given one of the one or more events exhibit periodicity;
  
  b) determining, for each of the one or more events, whether or not the event exhibits a phase change using the corresponding plurality of packet flows; and
  
  c) determining whether one or more reboots of the host occurred using the determination of whether or not the event exhibits a phase change.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The computer-implemented method of claim 14 further comprising:
    - d) controlling the execution of a host malware protection policy using the determination of whether or not the event exhibits a phase change.
  - 16. The computer-implemented method of claim 14 further comprising:
    - accept packets sourced from the host system;
      
      determine packet flows and the one of the one or more events to which the packet flows belong from the accepted packets using at least one of (A) destination IP address of the accepted packets, and (B) destination port number of the accepted packets; and
      
      determining whether any of the determined events exhibits periodicity using time stamps of the accepted packets.
  - 17. The computer-implemented method of claim 14 wherein the act of determining, for each of the one or more events, whether or not the event exhibits a phase change using the corresponding plurality of packet flows includes:
    - 1) determining the period of the event using the corresponding plurality of packet flows,2) determining whether a time of an instance of the event conforms to the determined period relative to an epoch, and3) determining that the event exhibits a phase change if the time of the instance of the event does not conform to the determined period relative to an epoch.
  - 18. The computer-implemented method of claim 15 wherein the act of controlling the execution of a host malware protection policy using the determination of whether or not the event exhibits a phase change includesdetermining a temporal amount of the phase change, andcontrolling the execution of a host malware protection policy using the determined temporal amount.
  - 19. The computer-implemented method of claim 18 wherein the act of controlling the execution of a host malware protection policy using the determination of whether or not the event exhibits a phase change further includesdetermining a number of events exhibiting a phase shift, andcontrolling the execution of a host malware protection policy using the determined number of events exhibiting a phase shift.
  - 20. The computer-implemented method of claim 15 wherein the act of controlling the execution of a host malware protection policy using the determination of whether or not the event exhibits a phase change further includesdetermining a number of events exhibiting a phase shift, andcontrolling the execution of a host malware protection policy using the determined number of events exhibiting a phase shift.
  - 21. The computer-implemented method of claim 16 wherein the act of determining whether any of the determined events exhibits periodicity using time stamps of the accepted packets includes:
    - for each of a plurality of period values T and for each of the events,determining a modulo T of the time stamps of the events to define T-phase values, andfor any defined T-phase values,counting a number of times the T-phase value occurred over a sample period to determine a count,comparing the determined count with a value derived from an expected count for the period T over the sample period, anddetermining whether the event is a periodic event using a result of the comparison.

22. Apparatus for detecting host reboots passively, the apparatus comprising:
- a) means for accepting information of packet flows for the host system, wherein each of the packet flows corresponds to one or more events, and wherein a plurality of packet flows corresponding to a given one of the one or more events exhibit periodicity;
  
  b) means for determining, for each of the one or more events, whether or not the event exhibits a phase change using the corresponding plurality of packet flows; and
  
  c) means for determining whether one or more reboots of the host occurred using the determination of whether or not the event exhibits a phase change.
- View Dependent Claims (23)
- - 23. The apparatus of claim 22 further comprising:
    - d) means for controlling the execution of a host malware protection policy using the determination of whether or not the event exhibits a phase change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Polytechnic Institute Of New York University (New York University)
Original Assignee
Polytechnic Institute Of New York University (New York University)
Inventors
Memon, Nasir, Shanmugasundaram, Kulesh

Application Number

US12/268,190
Publication Number

US 20100332641A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 12/6418 Hybrid transport

PASSIVE DETECTION OF REBOOTING HOSTS IN A NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

PASSIVE DETECTION OF REBOOTING HOSTS IN A NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links