Detecting dissemination of malicious programs
Abstract
A method, system and computer program product for detecting the dissemination of malicious programs. The degree of randomness in the Internet Protocol (IP) destination addresses of received IP packets to be forwarded to an external network may be detected by performing a hash function on the IP destination addresses, thereby generating one or more different hash values. If a high number of different hash values is generated for a small number of IP packets examined, then random IP destination addresses may be detected. By detecting random destination IP addresses, the dissemination of a malicious program, e.g., a virus or worm program, may be detected.
30 Claims
1. A method for detecting a dissemination of a malicious program comprising the steps of:
- receiving a packet of data to be forwarded to another network;
- performing a hash function on one or more fields of said packet of data generating a hash value; and
- determining a number of different hash values generated from performing said hash function on said one or more fields of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then the method further comprises the step of:
- determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.

Dependent claims: 2-10.
11. A computer program product embodied in a machine readable medium for detecting a dissemination of a malicious program comprising the programming steps of:
- receiving a packet of data to be forwarded to another network;
- performing a hash function on one or more fields of said packet of data generating a hash value; and
- determining a number of different hash values generated from performing said hash function on said one or more fields of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then the method further comprises the step of:
- determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.

Dependent claims: 12-20.
21. A system, comprising:
- a memory unit operable for storing a computer program operable for detecting a dissemination of a malicious program; and
- a processor coupled to said memory unit, wherein said processor, responsive to said computer program, comprises:
  - circuitry operable for receiving a packet of data to be forwarded to another network;
  - circuitry operable for performing a hash function on a destination address of said packet of data generating a hash value; and
  - circuitry operable for determining a number of different hash values generated from performing said hash function on destination addresses of a predetermined number of packets to be forwarded to another network, wherein if said number of different hash values is greater than or equal to a predetermined value then said processor further comprises:
  - circuitry operable for determining if said predetermined number of packets is below a threshold, wherein if said predetermined number of packets is at or below said threshold then said dissemination of said malicious program is detected.

Dependent claims: 22-30.
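The randomness test of the abstract and the two-step check of claims 1 and 21, as an added Python example that is not part of the patent: destination addresses are hashed, the distinct hash values over a fixed sample of forwarded packets are counted, and dissemination is flagged when the distinct count reaches the predetermined value within a sample no larger than the threshold. The choice of SHA-256 truncated to 32 bits, the sample sizes and the traffic traces are assumptions made for the example.

```python
import hashlib
import ipaddress


def hash_destination(dst_ip: str) -> int:
    """Hash the destination-address field of one packet (claim 21).
    The patent names no hash; SHA-256 truncated to 32 bits is an assumption.
    A collision can only lower the distinct count, so it may hide a scan
    but never raises a false alarm."""
    packed = ipaddress.ip_address(dst_ip).packed  # IPv4 or IPv6
    return int.from_bytes(hashlib.sha256(packed).digest()[:4], "big")


def sample_is_dissemination(dst_ips: list[str], distinct_min: int,
                            packets_max: int) -> bool:
    """Apply the claim's two-step test to one sample of forwarded packets.
    dst_ips      - destinations of the "predetermined number of packets"
    distinct_min - the claim's "predetermined value" of different hashes
    packets_max  - the claim's "threshold" on how many packets were examined
    """
    distinct = len({hash_destination(ip) for ip in dst_ips})
    if distinct < distinct_min:
        return False  # destinations repeat: looks like ordinary traffic
    # Step two: many distinct targets only count when the sample is small.
    return len(dst_ips) <= packets_max


def scan_stream(dst_ips: list[str], sample_size: int, distinct_min: int,
                packets_max: int) -> list[int]:
    """Cut the stream into consecutive samples; return the offset of the
    first packet of every sample that triggers detection."""
    alerts: list[int] = []
    sample: list[str] = []
    for i, ip in enumerate(dst_ips):
        sample.append(ip)
        if len(sample) == sample_size:
            if sample_is_dissemination(sample, distinct_min, packets_max):
                alerts.append(i - sample_size + 1)
            sample = []
    return alerts


# Constructed traffic: 16 packets to three internal servers, then 16 packets
# to 16 different addresses, the pattern a scanning worm produces.
NORMAL = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.5"] * 4
SCAN = ["198.51.100.%d" % n for n in
        (3, 41, 77, 12, 250, 9, 131, 64, 200, 18, 5, 90, 173, 27, 222, 58)]
ALERTS = scan_stream(NORMAL + SCAN, 16, 12, 32)  # [16]: only the scan sample
```

Tuning `distinct_min` against the normal fan-out of the protected network is what keeps a busy but legitimate host (a DNS resolver, a mail relay) from tripping the check.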