System and method of containing computer worms
First Claim
1. A computer worm containment system in communication with a communication network, the system comprising:
- a computer worm detection system including a hidden computer network, and a controller configured to monitor a sequence of multiple network communications in the hidden computer network and to determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm; and
- a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the communication network.
6 Assignments
0 Petitions
Abstract
A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.
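The abstract describes a pipeline: replay a captured sequence of communications into a decoy network, watch that network for behavior the decoys would never produce on their own, derive an identifier from the invariant part of that behavior, and hand the identifier to a blocking system. The Python simulation below is an added illustration of that pipeline; it is not the patent's text and not any vendor's implementation. The decoy addresses, the message format, the constructed worm (an invariant marker wrapped in per-host varying bytes, standing in for polymorphic padding), the `MIN_ID_LEN` threshold and every class and function name are assumptions made for the example.

```python
"""Simulation of decoy-network worm detection feeding a blocking filter.
Everything here (hosts, messages, the worm, the identifier format) is
constructed for illustration; it is not the patent's own code."""
from dataclasses import dataclass

MIN_ID_LEN = 4  # assumed: shortest byte pattern accepted as an identifier


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    port: int
    payload: bytes


# Constructed worm: an invariant exploit marker surrounded by bytes that
# differ from host to host, so a naive whole-payload match would miss it.
WORM_MARKER = b"\x90\x90EXPLOIT"


class DecoyHost:
    """A passive decoy: it never originates traffic unless compromised."""

    def __init__(self, addr: str):
        self.addr = addr
        self.infected = False

    def receive(self, msg: Message, peers: list[str]) -> list[Message]:
        if self.infected or WORM_MARKER not in msg.payload:
            return []
        self.infected = True  # each host propagates once, so the run terminates
        tag = self.addr.encode()
        return [Message(self.addr, p, msg.port, tag + WORM_MARKER + tag[::-1])
                for p in peers if p != self.addr]


class HiddenNetwork:
    """The decoy network; every communication inside it is logged."""

    def __init__(self, addrs: list[str]):
        self.hosts = {a: DecoyHost(a) for a in addrs}
        self.log: list[Message] = []

    def deliver(self, msg: Message) -> None:
        self.log.append(msg)
        host = self.hosts.get(msg.dst)
        if host is not None:
            for reply in host.receive(msg, list(self.hosts)):
                self.deliver(reply)


def longest_common_substring(chunks: list[bytes]) -> bytes:
    """Longest byte string present in every chunk (brute force; inputs are small)."""
    first = chunks[0]
    for length in range(len(first), 0, -1):
        for start in range(len(first) - length + 1):
            cand = first[start:start + length]
            if all(cand in other for other in chunks[1:]):
                return cand
    return b""


class Controller:
    """Replays a captured sequence into the hidden network and derives an identifier."""

    def __init__(self, net: HiddenNetwork):
        self.net = net

    def orchestrate(self, sequence: list[Message]) -> None:
        for m in sequence:
            self.net.deliver(m)

    def anomalies(self, sequence: list[Message]) -> list[Message]:
        # Decoys are passive: any message a decoy originated that the
        # controller did not script is anomalous behavior.
        scripted = set(sequence)
        return [m for m in self.net.log if m.src in self.net.hosts and m not in scripted]

    def identifier(self, sequence: list[Message]):
        anomalous = self.anomalies(sequence)
        if not anomalous:
            return None
        ports = {m.port for m in anomalous}
        if len(ports) != 1:
            return None  # assumed: identifiers are scoped to a single port
        pattern = longest_common_substring([m.payload for m in anomalous])
        return (ports.pop(), pattern) if len(pattern) >= MIN_ID_LEN else None


class BlockingSystem:
    """Drops any communication matching an installed (port, byte pattern) identifier."""

    def __init__(self):
        self.identifiers: list[tuple[int, bytes]] = []

    def install(self, ident: tuple[int, bytes]) -> None:
        self.identifiers.append(ident)

    def allow(self, msg: Message) -> bool:
        return not any(msg.port == port and pattern in msg.payload
                       for port, pattern in self.identifiers)


def contain(captured: list[Message], decoys: list[str]):
    """Run the whole pipeline; returns the derived identifier and a primed blocker."""
    ctl = Controller(HiddenNetwork(decoys))
    ctl.orchestrate(captured)
    ident = ctl.identifier(captured)
    blocker = BlockingSystem()
    if ident is not None:
        blocker.install(ident)
    return ident, blocker


if __name__ == "__main__":
    # Constructed capture: one benign request, one worm-bearing message.
    captured = [Message("192.0.2.10", "10.0.0.1", 80, b"GET / HTTP/1.1\r\n"),
                Message("192.0.2.10", "10.0.0.2", 445, b"\x00SMB" + WORM_MARKER + b"\x00")]
    ident, blocker = contain(captured, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    print("identifier:", ident)
    print("blocks variant:", not blocker.allow(Message("a", "b", 445, b"zz" + WORM_MARKER + b"q")))
```

The identifier is derived from what the decoys do, not from the captured message itself, which is why the per-host padding is stripped away and only the invariant marker survives; a benign-only capture produces no anomalies and therefore no identifier, so the blocking system is never handed a rule for ordinary traffic.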
445 Citations
26 Claims
1. A computer worm containment system in communication with a communication network, the system comprising:
- a computer worm detection system including a hidden computer network, and a controller configured to monitor a sequence of multiple network communications in the hidden computer network and to determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm; and
- a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the communication network.
(Dependent claims: 2 through 21)

22. A method of containing a computer worm, the method comprising:
- detecting the computer worm by identifying a sequence of multiple network communications within a communication network that are characteristic of a computer worm, providing a second sequence of multiple network communications to a hidden network, wherein the second sequence of multiple network communications is based on the identified sequence of multiple network communications, and determining an identifier of the computer worm from anomalous behavior in the hidden network;
- providing the identifier to a computer worm blocking system of the communication network; and
- blocking the computer worm from propagating within the communication network.
(Dependent claims: 23 through 25)

26. A computer worm containment system comprising:
- a computer worm detection system including a traffic analysis device configured to monitor a communication network and to identify a sequence of multiple network communications characteristic of a computer worm propagating in the communication network, a hidden computer network, and a controller configured to copy and send the identified sequence of multiple network communications within the hidden network and to determine an identifier of the computer worm based on anomalous behavior caused within the hidden computer network by sending the identified sequence of multiple network communications; and
- a computer worm blocking system configured to receive the identifier of the computer worm and use the identifier of the computer worm to block the computer worm from propagating within a communication network.
Specification