INTERDICTING MALICIOUS FILE PROPAGATION

US 20130007884A1
Filed: 09/11/2012
Published: 01/03/2013
Est. Priority Date: 12/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method of interdicting propagation of a malicious file in a computer network, the method comprising the steps of:

a computer receiving packets of a message being transferred to a destination device;

in response to packet(s) of the message being received at the computer, the computer scanning the packet(s) to determine whether the packet(s) match a corresponding portion of a malicious file;

if any of the scanned packet(s) do not match the corresponding portion of the malicious file, the computer permitting a transfer of subsequent packet(s) of the message through the computer to the destination device without performing a scan of the subsequent packet(s); and

if one or more or all of the scanned packet(s) other than a last packet of the message match corresponding portions of the malicious file, the computer permitting a transfer of the one or more or all scanned packet(s) other than the last packet of the message through the computer to the destination device, and if all of the scanned packet(s) other than the last packet of the message match corresponding portions of the malicious file, the computer does not permit a transfer of the last packet of the message through the computer to the destination device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for interdicting malicious file propagation. Packets of a message being transferred to a destination device are received. In response to packet(s) of the message being received, the packet(s) are scanned by determining whether the packet(s) match a corresponding portion of a malicious file. If any of the scanned packet(s) do not match the corresponding portion of the malicious file, a transfer of subsequent packet(s) of the message to the destination device is permitted without performing a scan of the subsequent packet(s). If the scanned packet(s) including a last one or more packets of the message match corresponding portions of the malicious file, a transfer of the scanned packet(s) to the destination device is permitted, except a transfer of the last one or more packets of the message to the destination device is not permitted.

1 Citation

9 Claims

1. A method of interdicting propagation of a malicious file in a computer network, the method comprising the steps of:
- a computer receiving packets of a message being transferred to a destination device;
  
  in response to packet(s) of the message being received at the computer, the computer scanning the packet(s) to determine whether the packet(s) match a corresponding portion of a malicious file;
  
  if any of the scanned packet(s) do not match the corresponding portion of the malicious file, the computer permitting a transfer of subsequent packet(s) of the message through the computer to the destination device without performing a scan of the subsequent packet(s); and
  
  if one or more or all of the scanned packet(s) other than a last packet of the message match corresponding portions of the malicious file, the computer permitting a transfer of the one or more or all scanned packet(s) other than the last packet of the message through the computer to the destination device, and if all of the scanned packet(s) other than the last packet of the message match corresponding portions of the malicious file, the computer does not permit a transfer of the last packet of the message through the computer to the destination device.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising the steps of:
    - the computer determining all of the scanned packet(s) other than the last packet of the message match the corresponding portions of the malicious file;
      
      based on all of the scanned packet(s) other than the last packet of the message matching the corresponding portions of the malicious file, the computer permitting the transfer of all of the scanned packet(s) other than the last packet of the message through the computer to the destination device and not permitting the transfer of the last packet of the message through the computer to the destination device; and
      
      based on the transfer of the last packet of the message to the destination device not being permitted, the computer providing an indication to the destination device to render the message harmless to the destination device by discarding all packet(s) of the message whose transfer to the destination device was permitted.
  - 3. The method of claim 1, further comprising the steps of:
    - the computer determining a signature of the packet(s) of the message; and
      
      the computer determining a signature of a portion of the malicious file, wherein the step of the computer scanning the packet(s) includes the computer determining whether the packet(s) of the message match the corresponding portion of the malicious file by determining whether the signature of the packet(s) of the message matches the signature of the portion of the malicious file.

4. A computer system for interdicting propagation of a malicious file in a computer network, the computer system comprising:
- a central processing unit (CPU);
  
  a computer-readable memory;
  
  a computer-readable, tangible storage device;
  
  first program instructions to receive packets of a message being transferred to a destination device;
  
  second program instructions to, in response to packet(s) of the message being received at the computer, scan the packet(s) to determine whether the packet(s) match a corresponding portion of a malicious file;
  
  third program instructions to, if any of the scanned packet(s) do not match the corresponding portion of the malicious file, permit a transfer of subsequent packet(s) of the message through the computer to the destination device without performing a scan of the subsequent packet(s); and
  
  fourth program instructions to, if one or more or all of the scanned packet(s) other than a last packet of the message match corresponding portions of the malicious file, permit a transfer of the one or more or all scanned packet(s) other than the last packet of the message through the computer to the destination device, and if all of the scanned packet(s) other than the last packet of the message match corresponding portions of the malicious file, not permit a transfer of the last packet of the message through the computer to the destination device.wherein the first, second, third and fourth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
- View Dependent Claims (5, 6)
- - 5. The computer system of claim 4, wherein the second program instructions determine all of the scanned packet(s) other than the last packet of the message match the corresponding portions of the malicious file, wherein the fourth program instructions, based on the scanned packet(s) other than the last packet of the message matching the corresponding portions of the malicious file, permit the transfer of all of the scanned packet(s) other than the last packet of the message through the computer system to the destination device, and do not permit the transfer of the last packet of the message through the computer system to the destination device, wherein the computer system further comprises fifth program instructions to, based on the transfer of the last packet of the message to the destination device not being permitted, provide an indication to the destination device to render the message harmless to the destination device by discarding all packet(s) of the message whose transfer to the destination device was permitted, wherein the fifth program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
  - 6. The computer system of claim 4, further comprising:
    - fifth program instructions to determine a signature of the packet(s) of the message; and
      
      sixth program instructions to determine a signature of a portion of the malicious file, wherein the second program instructions include seventh program instructions to determine whether the packet(s) of the message match the corresponding portion of the malicious file by determining whether the signature of the packet(s) of the message matches the signature of the portion of the malicious file, wherein the fifth, sixth and seventh program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.

7. A computer program product for interdicting propagation of a malicious file in a computer network, the computer program product comprising:
- computer-readable, tangible storage device(s); and
  
  computer-readable program instructions stored on the computer-readable, tangible storage device(s), the computer-readable program instructions when executed by a CPU;
  
  receive packets of a message being transferred to a destination device;
  
  in response to packet(s) of the message being received, scan the packet(s) to determine whether the packet(s) match a corresponding portion of a malicious file;
  
  if any of the scanned packet(s) do not match the corresponding portion of the malicious file, permit a transfer of subsequent packet(s) of the message to the destination device without performing a scan of the subsequent packet(s); and
  
  if one or more or all of the scanned packet(s) other than a last packet of the message match corresponding portions of the malicious file, permit a transfer of the one or more or all scanned packet(s) other than the last packet of the message through the computer to the destination device, and if all of the scanned packet(s) other than the last packet of the message match corresponding portions of the malicious file, do not permit a transfer of the last packet of the message to the destination device.
- View Dependent Claims (8, 9)
- - 8. The program product of claim 7, the computer-readable program instructions when executed by the CPU:
    - determine all of the scanned packet(s) other than the last packet of the message match the corresponding portions of the malicious file;
      
      based on all of the scanned packet(s) other than the last packet of the message matching the corresponding portions of the malicious file, permit the transfer of all of the scanned packet(s) other than the last packet of the message to the destination device, and do not permit the transfer of the last packet of the message to the destination device; and
      
      based on the transfer of the last packet of the message to the destination device not being permitted, provide an indication to the destination device to render the message harmless to the destination device by discarding all packet(s) of the message whose transfer to the destination device was permitted.
  - 9. The program product of claim 7, the computer-readable program instructions when executed by the CPU:
    - determine a signature of the packet(s) of the message; and
      
      determine a signature of a portion of the malicious file, wherein the computer-readable program instructions, when executed by the CPU, scanning the packet(s) includes determining whether the packet(s) of the message match the corresponding portion of the malicious file by determining whether the signature of the packet(s) of the message match the signature of the portion of the malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Franklin, Douglas North, Mays, Richard C.

Granted Patent

US 8,839,438 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

H04L 9/08   Key distribution or managem...

INTERDICTING MALICIOUS FILE PROPAGATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

1 Citation

9 Claims

Specification

Use Cases

Quick Links

Others

INTERDICTING MALICIOUS FILE PROPAGATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others