Systems and Methods for Computer Worm Defense

US 20130047257A1
Filed: 10/12/2012
Published: 02/21/2013
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer worm defense system comprising:

a plurality of computer worm containment systems, each computer worm containment system comprisinga worm sensor implemented in a computing device and configured to generate a computer worm identifier for a computer worm propagating within a communication network, the worm sensor comprisingan alternate computer network, communications traffic being filtered from the communication network for analysis by the alternate computer network, the filtered communications traffic being characteristic of the computer worm; and

a controller configured to monitor the alternate computer network, and to determine the computer worm identifier based on anomalous behavior caused within the alternate computer network by the computer worm; and

a computer worm blocking system in communication with the worm sensor over the communication network and configured to receive the computer worm identifier from the worm sensor to block the propagation of the computer worm within the communication network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

273 Citations

30 Claims

1. A computer worm defense system comprising:
- a plurality of computer worm containment systems, each computer worm containment system comprisinga worm sensor implemented in a computing device and configured to generate a computer worm identifier for a computer worm propagating within a communication network, the worm sensor comprisingan alternate computer network, communications traffic being filtered from the communication network for analysis by the alternate computer network, the filtered communications traffic being characteristic of the computer worm; and
  
  a controller configured to monitor the alternate computer network, and to determine the computer worm identifier based on anomalous behavior caused within the alternate computer network by the computer worm; and
  
  a computer worm blocking system in communication with the worm sensor over the communication network and configured to receive the computer worm identifier from the worm sensor to block the propagation of the computer worm within the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer worm defense system of claim 1 each worm containment system further comprising:
    - a management system in communication with the plurality of computer worm containment systems and configured to obtain a computer worm identifier from a worm sensor of a first computer worm containment system of the plurality of computer worm containment systems and distribute the computer worm identifier to a computer worm blocking system of a second computer worm containment system of the plurality of computer worm containment systems.
  - 3. The computer worm defense system of claim 1 wherein the alternate computer network replays communications traffic filtered from the communication network, the filtered communications traffic being characteristic of computer worm.
  - 4. The computer worm defense system of claim 1 wherein the alternate computer network is transparent to and separate from the communication network.
  - 5. The computer worm defense system of claim 1 wherein the communication network is a production network.
  - 6. The computer worm defense system of claim 1 wherein the computer worm identifier comprises a signature.
  - 7. The computer worm defense system of claim 1 wherein the controller of each computer worm containment system is further configured to generate a recovery script.
  - 8. The computer worm defense system of claim 2 wherein the management system automatically distributes the computer worm identifier to the computer worm blocking system of the second computer worm containment system.
  - 9. The computer worm defense system of claim 1 wherein the controller of each computer worm containment system is further configured to copy at least a portion of network traffic from the communication network characteristic of a computer worm for analysis by the alternate computer network.
  - 10. The computer worm defense system of claim 9 wherein the controller of each computer worm containment system is further configured to suppress return traffic generated by the at least a portion of network traffic copied from the communication network characteristic of a computer worm.
  - 11. The computer worm defense system of claim 2 wherein the management system charges a fee to a subscriber associated with the second computer worm containment system for distributing the computer worm identifier to the computer worm blocking system of the second computer worm containment system.
  - 12. The computer worm defense system of claim 1 wherein the alternate computer network comprises a virtual computer system using machine virtualization technologies.
  - 13. The computer worm defense system of claim 6 wherein the signature comprises a URL and the computer worm blocking system is capable of filtering by URL.
  - 14. The computer worm defense system of claim 6 wherein the signature is for use by an inline signature based intrusion detection system, the signature being shared with the inline signature based intrusion detection system.
  - 15. The computer worm defense system of claim 6 wherein the signature comprises an ACL entry for a network device capable of filtering network traffic, the signature being shared with the network device.

16. A computer worm defense method comprising:
- filtering communications traffic from a communication network, the filtered communications traffic being characteristic of a computer worm;
  
  analyzing the filtered communications traffic within an alternate computer network of a computer worm containment system;
  
  generating a computer worm identifier based on anomalous behavior caused within the alternate computer network by the computer worm;
  
  detecting the computer worm within the communication network; and
  
  blocking the propagation of the computer worm within the communication network.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The method of claim 16 further comprising distributing the computer worm to another computer worm containment system.
  - 18. The method of claim 17 further comprising blocking the computer worm from propagating in a communication network associated with the other computer worm containment system.
  - 19. The method of claim 16 further comprising replaying within the alternate computer network the filtered communications traffic from the communication network.
  - 20. The method of claim 16 wherein the alternate computer network is transparent to and separate from the communication network.
  - 21. The method of claim 16 wherein the detecting further comprises copying at least a portion of network traffic from the communication network characteristic of a computer worm for analysis by the alternate computer network.
  - 22. The method of claim 16 wherein the communication network is a production network.
  - 23. The method of claim 16 wherein generating the computer worm identifier further comprisesgenerating a sequence of network activities within the alternate computer network based on an orchestration pattern;
    - anddetermining the computer worm identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestration pattern.
  - 24. The method of claim 16 wherein generating the computer worm identifier further comprises generating a signature.
  - 25. The method of claim 16 further comprising generating a recovery script.
  - 26. The method of claim 17 wherein distributing the computer worm identifier is performed automatically.
  - 27. The method of claim 17 wherein distributing the computer worm identifier is performed by a management system.
  - 28. The method of claim 17 wherein distributing the computer worm identifier comprises charging a fee to a subscriber associated with the other computer worm containment system.
  - 29. The method of claim 16 wherein the alternate computer network comprises a virtual computer system using machine virtualization technologies.

30. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a computer worm defense method comprising:
- filtering communications traffic from a communication network, the filtered communications traffic being characteristic of a computer worm;
  
  analyzing the filtered communications traffic within an alternate computer network of a computer worm containment system;
  
  generating a computer worm identifier based on anomalous behavior caused within the alternate computer network by the computer worm;
  
  detecting the computer worm within the communication network; and
  
  blocking the propagation of the computer worm within the communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar

Granted Patent

US 8,516,593 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Systems and Methods for Computer Worm Defense

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

273 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Systems and Methods for Computer Worm Defense

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

273 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others