Efficient management and blocking of malicious code and hacking attempts in a network environment

US 7,007,302 B1
Filed: 08/31/2001
Issued: 02/28/2006
Est. Priority Date: 08/31/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for preventing an outbreak of malicious code, comprising:

a) identifying malicious code at a local location on a network;

b) encrypting information relating to the malicious code at the local location;

c) sending the encrypted information relating to the malicious code to a plurality of remote locations utilizing the network; and

d) blocking instances of the malicious code at the remote locations for a predetermined amount of time based on the information;

e) registering at least one of a name and checksum of a file containing the malicious code as a known threat;

f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the malicious code;

g) wherein the information relating to the malicious code includes an identification of the source of the malicious code, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for preventing an outbreak of malicious code. First, malicious code is identified at a local location on a network. Information relating to the malicious code such as type, context, protocol, severity, reporting server, and IP address, is encrypted at the local location. The encrypted information relating to the malicious code is sent to a plurality of remote locations utilizing the network. Instances of the malicious code are blocked at the remote locations for a predetermined amount of time based on the information.

137 Citations

21 Claims

1. A method for preventing an outbreak of malicious code, comprising:
- a) identifying malicious code at a local location on a network;
  
  b) encrypting information relating to the malicious code at the local location;
  
  c) sending the encrypted information relating to the malicious code to a plurality of remote locations utilizing the network; and
  
  d) blocking instances of the malicious code at the remote locations for a predetermined amount of time based on the information;
  
  e) registering at least one of a name and checksum of a file containing the malicious code as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the malicious code;
  
  g) wherein the information relating to the malicious code includes an identification of the source of the malicious code, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.
- View Dependent Claims (2, 3, 4, 16, 17, 18, 19, 20, 21)
- - 2. The method as recited in claim 1, wherein the malicious code is at least one of a virus, worm, and Trojan.
  - 3. The method as recited in claim 1, further comprising executing countermeasures for limiting the effect of the malicious code at the local location.
  - 4. The method as recited in claim 1, wherein additional information about the malicious code is retrieved if an aspect of the malicious code is not recognized.
  - 16. The method as recited in claim 1, wherein the information includes a type, context, protocol, severity, reporting server, and IP address associated with the malicious code.
  - 17. The method as recited in claim 16, wherein the type is selected from the group consisting of an unwanted message attempt, and a denial of service attack.
  - 18. The method as recited in claim 16, wherein the context is selected from the group consisting of a virus name, a subject, a mail header, and a magic number for a message.
  - 19. The method as recited in claim 1, further comprising attempting to identify a source of the malicious code, and, if the source is identified, retrieving information about the source from a database.
  - 20. The method as recited in claim 1, wherein additional information relating to the malicious code is retrieved from a database if the malicious code is not identified in conjunction with an event at the local location on the network.
  - 21. The method of claim 1, wherein a simple mail transfer protocol (SMTP) is utilized for collecting the information that is associated with spam attempts, spam-relay attempts, denial of service (DoS) attacks, and malicious attachment forwarding;
    - a net news transfer protocol (NNTP) is utilized for collecting the information that is associated with DoS attacks, malicious attachment forwarding, and cross-posting;
      
      a file transfer protocol (FTP) is utilized for collecting the information that is associated with DoS attacks, and repeated unsuccessful logins;
      
      a hypertext transfer protocol (HTTP) is utilized for collecting the information that is associated with malicious content, DoS attacks, and known hacking attempts; and
      
      a firewall protocol is utilized for collecting the information that is associated with intrusion detection, and port scanning attempts.

5. A computer program product for managing an outbreak of malicious code, comprising:
- a) computer code for identifying malicious code at a local location on a network;
  
  b) computer code for encrypting information relating to the malicious code at the local location;
  
  c) computer code for sending the encrypted information relating to the malicious code to a plurality of remote locations utilizing the network; and
  
  d) computer code for blocking instances of the malicious code at the remote locations for a predetermined amount of time based on the information;
  
  e) computer code for registering at least one of a name and checksum of a file containing the malicious code as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the malicious code;
  
  g) wherein the information relating to the malicious code includes an identification of the source of the malicious code, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.

6. A system for preventing an outbreak of malicious code, comprising:
- a) logic for identifying malicious code at a local location on a network;
  
  b) logic for encrypting information relating to the malicious code at the local location;
  
  c) logic for sending the encrypted information relating to the malicious code to a plurality of remote locations utilizing the network; and
  
  d) logic for blocking instances of the malicious code at the remote locations for a predetermined amount of time based on the information;
  
  e) logic for registering at least one of a name and checksum of a file containing the malicious code as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the malicious code;
  
  g) wherein the information relating to the malicious code includes an identification of the source of the malicious code, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.

7. A method for denying access to a hacker, comprising:
- a) identifying an attack by a hacker at a local location on a network;
  
  b) encrypting information relating to the attack at the local location;
  
  c) sending the encrypted information relating to the attack to a plurality of remote locations utilizing the network; and
  
  d) restricting access to the remote locations for a predetermined amount of time based on the information;
  
  e) registering at least one of a name and checksum of a file associated with the attack as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the attack;
  
  g) wherein the information relating to the attack includes an identification of the source of the attack, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as recited in claim 7, wherein the attack attempts to create a denial of service.
  - 9. The method as recited in claim 7, further comprising registering the source of the attack as a known threat.
  - 10. The method as recited in claim 7, wherein the attack is recognized based at least in part on recognizing that the source of the attack is registered as a known threat.
  - 11. The method as recited in claim 7, further comprising executing countermeasures for limiting the effect of the attack at the local location.
  - 12. The method as recited in claim 7, wherein additional information about the attack is retrieved if an aspect of the attack is not recognized.

13. A computer program product for denying access to a hacker, comprising:
- a) computer code for identifying an attack by a hacker at a local location on a network;
  
  b) computer code for encrypting information relating to the attack at the local location;
  
  c) computer code for sending the encrypted information relating to the attack to a plurality of remote locations utilizing the network; and
  
  d) computer code for restricting access to the remote locations for a predetermined amount of time based on the information;
  
  e) computer code for registering at least one of a name and checksum of a file associated with the attack as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the attack;
  
  g) wherein the information relating to the attack includes an identification of the source of the attack, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.

14. A system for denying access to a hacker, comprising:
- a) logic for identifying an attack by a hacker at a local location on a network;
  
  b) logic for encrypting information relating to the attack at the local location;
  
  c) logic for sending the encrypted information relating to the attack to a plurality of remote locations utilizing the network; and
  
  d) logic for restricting access to the remote locations for a predetermined amount of time based on the information;
  
  e) logic for registering at least one of a name and checksum of a file associated with the attack as a known threat;
  
  f) wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the attack;
  
  g) wherein the information relating to the attack includes an identification of the source of the attack wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time.

15. A method for preventing an outbreak of malicious code, comprising:
- a) identifying malicious code at a local location on a network;
  
  b) wherein the malicious code is at least one of a virus, worm and, Trojan;
  
  c) wherein the malicious code is recognized based at least in part on recognizing that at least one of a checksum and a file name of the malicious code is registered as a known threat;
  
  d) encrypting information relating to the malicious code at the local location, wherein the information is selected from the group consisting of a type, context, protocol, severity, reporting server, and IP address associated with the malicious code, and wherein the information relating to the attack includes an identification of the source of the attack, wherein communications originating at the identified source are denied access to the remote locations for the predetermined amount of time;
  
  e) sending the encrypted information relating to the malicious code to a plurality of remote locations utilizing the network;
  
  f) restricting access to the remote locations by communications originating at the source of the malicious code for a predetermined amount of time based on the information;
  
  g) executing countermeasures for limiting the effect of the malicious code at the local location; and
  
  h) retrieving additional information about the malicious code if an aspect of the attack is not recognized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jagger, Luke D., Rothwell, Anton C., Dennis, William R.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/944,869
Time in Patent Office

1,642 Days
Field of Search

713/340, 713150-155, 726 23- 27
US Class Current

726/25
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Efficient management and blocking of malicious code and hacking attempts in a network environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient management and blocking of malicious code and hacking attempts in a network environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links