System and method of containing computer worms

US 20110099633A1
Filed: 06/13/2005
Published: 04/28/2011
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A computer worm containment system in communication with a communication network, the system comprising:

a computer worm detection system includinga hidden computer network, anda controller configured to monitor a sequence of multiple network communications in the hidden computer network and to determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm; and

a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the communication network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.

445 Citations

26 Claims

1. A computer worm containment system in communication with a communication network, the system comprising:
- a computer worm detection system includinga hidden computer network, anda controller configured to monitor a sequence of multiple network communications in the hidden computer network and to determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm; and
  
  a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computer worm containment system of claim 1 wherein the controller is further configured to generate a sequence of multiple network activities within the hidden computer network based on an identified pattern.
  - 3. The computer worm containment system of claim 2 wherein the controller determines the identifier by comparing observed behavior in the hidden computer network with behavior expected from the identified pattern.
  - 4. The computer worm containment system of claim 1 wherein the anomalous behavior includes a communication anomaly.
  - 5. The computer worm containment system of claim 1 wherein the anomalous behavior includes an execution anomaly.
  - 6. The computer worm containment system of claim 1 wherein the identifier includes a signature.
  - 7. The computer worm containment system of claim 6 wherein the signature includes a destination port and a sequence of tokens.
  - 8. The computer worm containment system of claim 1 wherein the identifier includes a vector.
  - 9. The computer worm containment system of claim 1 wherein the controller is further configured to generate a recovery script.
  - 10. The computer worm containment system of claim 9 wherein the computer worm blocking system is further configured to use the recovery script to disable the computer worm within the communication network.
  - 11. The computer worm containment system of claim 9 wherein the computer worm blocking system is further configured to use the recovery script to repair damage caused by the computer worm within the communication network.
  - 12. The computer worm containment system of claim 9 wherein the recovery script includes a detection process for detecting the computer worm and a recovery process for disabling the computer worm.
  - 13. The computer worm containment system of claim 1 wherein the computer worm blocking system includes a blocking device integrated within a computing service of the communication network.
  - 14. The computer worm containment system of claim 1 wherein the computer worm blocking system includes multiple blocking devices and a computer worm blocking manager that coordinates operations between the blocking devices.
  - 15. The computer worm containment system of claim 1 wherein the computer worm detection system and the computer worm blocking system are collocated.
  - 16. The computer worm containment system of claim 1 wherein communications between the computer worm detection system and the computer worm blocking system are cryptographically authenticated.
  - 17. The computer worm containment system of claim 1 wherein the computer worm blocking system is configured to load a signature into a content filter to block the computer worm.
  - 18. The computer worm containment system of claim 1 wherein the computer worm blocking system is configured to block a computer worm transportation vector by using a transport level action control list.
  - 19. The computer worm containment system of claim 1 wherein the computer worm blocking system includes an inline signature based Intrusion Detection and Protection system.
  - 20. The computer worm containment system of claim 1 wherein the computer worm blocking system includes a router that employs Network Based Application Recognition to classify and apply a policy to data packets.
  - 21. The computer worm containment system of claim 1 wherein the computer worm detection system further includesa traffic analysis device in communication with the communication network and configured to identify a sequence of multiple network communications characteristic of the computer worm propagating in the communication network, andwherein the controller is further configured to generate a sequence of multiple network activities within the hidden computer network based on the monitored sequence of multiple network communications.

22. A method of containing a computer worm, the method comprising:
- detecting the computer worm byidentifying a sequence of multiple network communications within a communication network that are characteristic of a computer worm,providing a second sequence of multiple network communications to a hidden network, wherein the second sequence of multiple network communications is based on the identified sequence of multiple network communications, anddetermining an identifier of the computer worm from anomalous behavior in the hidden network;
  
  providing the identifier to a computer worm blocking system of the communication network; and
  
  blocking the computer worm from propagating within the communication network.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22 wherein determining the identifier includes duplicating the identified sequence of multiple network communications within the hidden network to produce the anomalous behavior.
  - 24. The method of claim 22 wherein identifying the sequence of multiple network communications includes using a heuristic analysis technique to filter communication traffic of the communication network.
  - 25. The method of claim 22 further comprising generating a recovery script a providing the recovery script to the computer worm blocking system.

26. A computer worm containment system comprising:
- a computer worm detection system includinga traffic analysis device configured to monitor a communication network and to identify a sequence of multiple network communications characteristic of a computer worm propagating in the communication network,a hidden computer network, anda controller configured to copy and send the identified sequence of multiple network communications within the hidden network and to determine an identifier of the computer worm based on anomalous behavior caused within the hidden computer network by sending the identified sequence of multiple network communications; and
  
  a computer worm blocking system configured to receive the identifier of the computer worm and use the identifier of the computer worm to block the computer worm from propagating within a communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
NetForts, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar

Granted Patent

US 8,549,638 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method of containing computer worms

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

445 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of containing computer worms

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

445 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links