DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM

US 20140181978A1
Filed: 12/04/2013
Published: 06/26/2014
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting the propagation of a worm in a network, the method comprising the steps of:

(1) identifying and isolating unsolicited traffic from solicited traffic; and

(2) analyzing changes in unsolicited traffic patterns to identify a worm.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited (i.e., packets that were not requested by the receiver) traffic is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicate whether the changes are due to worm propagation.

17 Citations

View as Search Results

17 Claims

1. A method for detecting the propagation of a worm in a network, the method comprising the steps of:
- (1) identifying and isolating unsolicited traffic from solicited traffic; and
  
  (2) analyzing changes in unsolicited traffic patterns to identify a worm.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein step (2) comprises the steps of:
    - detecting a change in arrival rates of said unsolicited traffic; and
      
      determining whether said detected change is due to worm propagation.
  - 3. The method of claim 2, wherein said step of detecting a change in arrival rates of said unsolicited traffic comprises using a cumulative summing (CUSUM) statistical analysis for detecting a change in arrival rates of said unsolicited traffic.
  - 4. The method of claim 3, wherein said step of detecting a change in arrival rates of said unsolicited traffic further comprises issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold.
  - 5. The method of claim 4, wherein said step of determining whether said detected change is due to worm propagation comprises using a non-stationary Poisson process to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
  - 6. The method of claim 5, wherein said step of determining whether said detected change is due to worm propagation is performed responsive to said issuance of said indication.
  - 7. The method of claim 6, wherein said predetermined threshold is selected to provide a small detection delay before detecting a change in arrival rates.

8. A computer program product embodied on a computer readable medium for detecting the propagation of a worm in a network, the product comprising:
- first computer executable instructions for identifying and isolating unsolicited traffic from solicited traffic; and
  
  second computer executable instructions for analyzing changes in unsolicited traffic patterns to identify a worm.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The product of claim 8, wherein said second computer executable instructions comprises:
    - instructions for detecting a change in arrival rates of said unsolicited traffic; and
      
      instructions for determining whether said detected change is due to worm propagation.
  - 10. The product of claim 9, wherein, in said second computer executable instructions, a cumulative summing (CUSUM) statistical analysis is used for detecting a change in arrival rates of said unsolicited traffic.
  - 11. The product of claim 10, wherein said second computer executable instructions further comprise instructions for issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold.
  - 12. The product of claim 11, wherein, in said second computer executable instructions, a non-stationary Poisson process is used to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
  - 13. The product of claim 12, wherein said instructions for determining whether said detected change is due to worm propagation are performed responsive to said issuance of said indication of change in said arrival rates.
  - 14. The product of claim 13, wherein said predetermined threshold is chosen such that it provides a small detection delay before detecting a change in arrival rate, said small detection delay resulting in fewer false detections.

15. A method for detecting the propagation of a worm in a network, the method comprising the steps of:
- (1) identifying and isolating unsolicited traffic from solicited traffic;
  
  (2) detecting a change in arrival rates of said unsolicited traffic, wherein said detecting comprises using a cumulative summing (CUSUM) statistical analysis for detecting a change in arrival rates of said unsolicited traffic and issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold; and
  
  (3) determining whether said detected change is due to worm propagation, wherein said determining comprises using a non-stationary Poisson process to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein said determining is performed responsive to said issuance of said indication of a change in said arrival rates.
  - 17. The method of claim 16, wherein said predetermined threshold is selected to provide a small detection delay before detecting a change in arrival rates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Inventors
BU, Tian, WOO, Thomas, CHEN, Aiyou, VANDER WIEL, Scott Alan

Granted Patent

US 9,069,962 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/561   Virus type analysis

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others