Method and device for innoculating email infected with a virus

US 6,910,134 B1
Filed: 08/29/2000
Issued: 06/21/2005
Est. Priority Date: 08/29/2000
Status: Active Grant

First Claim

Patent Images

1. A method for inoculating email infected with a virus, the email being composed of data packets sent over a network and associated with a traffic flow in the network, the method comprising:

scanning the data packets forming the traffic flow associated with the email;

detecting the signature of a known virus in the data packets;

determining whether there is an attachment associated with the email; and

altering bits of the data packet associated with the attachment to inoculate the email.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for detecting and inoculating emails infected with viruses are described. The method involves identifying a particular traffic and its associated data packets as an email session and scanning the associated data packets in order to compare their contents with a database of known signatures. If a match is found between the data packets and a signature of a known virus, it is determined if there is an attachment to the email. If an attachment is detected, some or all of the bits of the data packets associated with the attachment are altered, thereby rendering the infected attachment harmless. The network device includes memory for storing the database of known signatures and a content processor able to compare the contents of data packets with a database of known signatures. The content processor is also operable to alter some or all of the bits of the attachment to inoculate the email and attachment.

149 Citations

18 Claims

1. A method for inoculating email infected with a virus, the email being composed of data packets sent over a network and associated with a traffic flow in the network, the method comprising:
- scanning the data packets forming the traffic flow associated with the email;
  
  detecting the signature of a known virus in the data packets;
  
  determining whether there is an attachment associated with the email; and
  
  altering bits of the data packet associated with the attachment to inoculate the email.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein altering the bits entails setting all the bits associated with the data packet to a predetermined value.
  - 3. The method of claim 1 where in the method is performed by a content processor in a network device operating at wire speed.
  - 4. The method of claim 1 wherein the signature is detected in the text of the email.
  - 5. The method of claim 4 wherein the signature is ASCII text.
  - 6. The method of claim 1 wherein the signature is a binary signature located in the attachment.
  - 7. The method of claim 1 wherein the signature is stored in a memory, the memory holding a database of known signatures.
  - 8. The method of claim 7 wherein a new virus signature is added by loading the new virus signature into the database of new signatures.
  - 9. The method of claim 1 further comprising before scanning the data packets, identifying the data packets as containing email.

10. A network device for scanning and inoculating email infected with a virus, the email being composed of data packets sent over a network and associated with a traffic flow in the network, the network device comprising:
- memory storing a database of known signatures, the known signatures including signatures of viruses;
  
  a content processor connected to the memory, the content processor operable to scan the data packets and determine whether the contents of the data packets match one of the signatures of viruses in the database of known signatures, and to determine whether the email associated with the data packets includes an attachment, the content processor further operable to alter bits of the data packets forming the attachment, thereby inoculating the attachment and the email.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network device of claim 10 wherein the content scanning engine is able to scan across multiple data packets by storing intermediate conclusions in a session memory.
  - 12. The network device of claim 10 wherein the content processor is formed by a queue engine operable to reorder out of order data packets, a content scanning engine operable to scan the data packets, and a context engine operable to schedule data packets for scanning by the content scanning engine.
  - 13. The network device of claim 10 wherein the traffic flow is identified by a unique session id.
  - 14. The network device of claim 10 further comprising a quality of service processor connected to the content processor and operable to schedule the transmission of the data packets onto the network.
  - 15. The network device of claim 10 wherein the content scanning engine is able to match signatures of arbitrary length, scan across boundaries of the data packets, and begin and end scanning anywhere within the data packet.
  - 16. The network device of claim 10 further comprising a host processor in communication with the content processor, the host processor operable to compile the database of known signatures and cause it to be loaded into the memory.
  - 17. The network device of claim 16 wherein a new virus signature is added by creating a database of known signatures, recompiling the new database in the host processor, and loading the new database of known signatures into the memory.
  - 18. The network device of claim 16 wherein a new virus signature is added by loading the new virus signature directly into the database of known signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AudioCodes, Inc. (Audiocodes Limited)
Original Assignee
Netrake Corp. (Audiocodes Limited)
Inventors
Maher, III, Robert Daniel, Forbes, Brian Michael, Lie, Milton Andre, Hervin, Mark Warden
Primary Examiner(s)
Caldwell, Andrew
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US09/651,665
Time in Patent Office

1,757 Days
Field of Search

713/187, 713/188, 713/193, 713/194, 713/200, 713/201
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/568   eliminating virus, restorin...

H04L 63/145   the attack involving the pr...

Method and device for innoculating email infected with a virus

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and device for innoculating email infected with a virus

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others