EMAIL WORM DETECTION METHODS AND DEVICES

US 20110107422A1
Filed: 10/30/2009
Published: 05/05/2011
Est. Priority Date: 10/30/2009
Status: Abandoned Application

First Claim

Patent Images

1. A network device for detecting email worms, comprising:

a port for receiving packets; and

a processing engine configured to inspect packets received on said port, wherein if a predetermined number of packets sent from a client represent DNS queries, the client is identified as being infected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a network device for detecting email worms having a port for receiving packets and a processing engine configured to inspect packets received on the port, wherein if a predetermined number of packets sent from a client represent DNS queries, the client is identified as being infected.

Citations

20 Claims

1. A network device for detecting email worms, comprising:
- a port for receiving packets; and
  
  a processing engine configured to inspect packets received on said port, wherein if a predetermined number of packets sent from a client represent DNS queries, the client is identified as being infected.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1 wherein said predetermined number of packets is at least one packet and said DNS queries are mail exchange DNS queries.
  - 3. The network device of claim 1 wherein said predetermined number of packets is represented as a rate of packet traffic activity.
  - 4. The network device of claim 3 wherein said rate is at least twenty-five packets per second.
  - 5. The network device of claim 1 wherein if the client is identified as being infected, a notification is sent to at least one predetermined address.
  - 6. The network device of claim 1 wherein if the client is identified as being infected, said network device limits the number of packets sent from the client.
  - 7. The network device of claim 1 wherein if the client is identified as being infected, said network device blocks packets sent from the client.

8. A method of detecting an email worm using a network device, comprising the steps of:
- a network device monitoring packets sent from a client on a network;
  
  the network device counting a number of packets representing DNS queries sent from the client;
  
  the network device comparing the number of packets to a predetermined threshold number; and
  
  if the number of packets is at least the predetermined threshold number, the network device identifying the client as being infected.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8 wherein said predetermined number of packets is at least one packet and said DNS queries are mail exchange DNS queries.
  - 10. The method of claim 8 wherein said predetermined number of packets is represented as a rate of packet traffic activity.
  - 11. The method of claim 10 wherein the rate is twenty-five packets per second.
  - 12. The method of claim 8, further comprising the step of:
    - if the client is identified as being infected, the network device sending a notification to a system administrator.
  - 13. The method of claim 8, further comprising the step of:
    - if the client is identified as being infected, the network device limiting the number of packets sent from the client.

14. A computer-readable medium associated with a network device, containing instructions for executing the steps of:
- monitoring packets sent from a client on a network;
  
  counting a number of packets representing DNS queries sent from the client;
  
  comparing the number of packets to a predetermined threshold number; and
  
  if the number of packets is at least the predetermined threshold number, identifying the client as being infected.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-readable medium of claim 14 wherein the predetermined number of packets is at least one packet and said DNS queries are mail exchange DNS queries.
  - 16. The computer-readable medium of claim 14 wherein said predetermined number of packets is represented as a rate of packet traffic activity.
  - 17. The computer-readable medium of claim 16 wherein said rate is at least twenty-five packets per second.
  - 18. The computer-readable medium of claim 14 wherein if the client is identified as being infected, a notification is sent to at least one predetermined address.
  - 19. The computer-readable medium of claim 14 wherein if the client is identified as being infected, said network device limits the number of packets sent from the client.
  - 20. The computer-readable medium of claim 14 wherein if the client is identified as being infected, said network device blocks packets sent from the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Todd, Michael, Wong, Patrick Choy Ming

Application Number

US12/609,490
Publication Number

US 20110107422A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/145 the attack involving the pr...

EMAIL WORM DETECTION METHODS AND DEVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EMAIL WORM DETECTION METHODS AND DEVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links