Heuristic detection and termination of fast spreading network worm attacks
Abstract
Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.
437 Citations
34 Claims
1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
- responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
Dependent claims 2 to 11 (not reproduced here).

12. A computer-implemented method for detecting a worm on a network device, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
- logging the process and the destination network address associated with a set of failed connection attempts; and
- responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
Dependent claims 13 to 15 (not reproduced here).

16. A computer-implemented method for detecting a worm on a network, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
- logging the network device and the destination network address associated with a set of failed connection attempts; and
- responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
Dependent claims 17 and 18 (not reproduced here).

19. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm infection on a set of sources coupled to a network, the computer program code comprising instructions for performing the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
- responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
Dependent claims 20 to 24 (not reproduced here).

25. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network device, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
- logging the process and the destination network address associated with a set of failed connection attempts; and
- responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

26. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
- logging the network device and the destination network address associated with a set of failed connection attempts; and
- responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

27. A system for detecting a worm, the system comprising:
- a network monitoring module configured to observe a plurality of failed network connection attempts, each failed network connection attempt originating from any of a set of sources and directed to a destination network address;
- a logging module coupled to the network monitoring module for logging the failed attempts; and
- an analysis module coupled to the logging module for declaring a presence of a worm responsive to a source's failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
Dependent claims 28 to 34 (not reproduced here).
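The independent claims above all reduce to the same detection loop: observe failed connection attempts, keep them per source (or per process) over a period of time, and declare a worm when a threshold criterion is met, with one criterion being that the failed attempt's destination was never resolved by a prior DNS lookup. The Python below is an added illustration of that loop, written for this page; it is not code from the patent or from any assignee's product. The window length, the two thresholds, the event tuple format and the host addresses are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque

# Tunable parameters. These are assumed values for the demo; the claims speak of
# "a period of time" and "threshold criteria" but fix no numbers.
WINDOW_SECONDS = 60          # sliding observation window per source
NO_DNS_FAIL_THRESHOLD = 5    # failed connects with no preceding DNS lookup
TOTAL_FAIL_THRESHOLD = 20    # failed connects of any kind (second criterion)


class WormDetector:
    """Per-source sliding-window analysis of failed connection attempts.

    Observe failures (monitoring), retain them per source (logging) and
    declare a worm when a threshold criterion is met (analysis). The first
    criterion is the DNS correlation from the claims: a failed connect whose
    destination the source never resolved beforehand counts as having no
    prior DNS lookup.
    """

    def __init__(self, window=WINDOW_SECONDS,
                 no_dns_threshold=NO_DNS_FAIL_THRESHOLD,
                 total_threshold=TOTAL_FAIL_THRESHOLD):
        self.window = window
        self.no_dns_threshold = no_dns_threshold
        self.total_threshold = total_threshold
        self.resolved = defaultdict(dict)    # src -> {dst ip: ts of DNS answer}
        self.failures = defaultdict(deque)   # src -> deque of (ts, had_prior_dns)
        self.alerts = {}                     # src -> (ts, reason) of first declaration

    def _expire(self, src, now):
        """Drop failures that have fallen out of the observation window."""
        q = self.failures[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, ts, src, kind, dst):
        """Feed one event; return (src, ts, reason) when a worm is declared."""
        if kind == "dns":
            self.resolved[src][dst] = ts         # remember which address was resolved
            return None
        if kind != "conn_fail":
            return None                          # successful connects are not counted
        prior_dns = self.resolved[src].get(dst) is not None
        self._expire(src, ts)
        self.failures[src].append((ts, prior_dns))
        if src in self.alerts:
            return None                          # already declared; do not re-alert
        q = self.failures[src]
        no_dns = sum(1 for _, p in q if not p)
        if no_dns >= self.no_dns_threshold:
            reason = f"{no_dns} failed connects without prior DNS lookup within {self.window}s"
        elif len(q) >= self.total_threshold:
            reason = f"{len(q)} failed connects within {self.window}s"
        else:
            return None
        self.alerts[src] = (ts, reason)
        return (src, ts, reason)


def analyze(events, on_alert=None, **thresholds):
    """Replay events oldest-first; on_alert stands in for the response module."""
    det = WormDetector(**thresholds)
    for ev in sorted(events):
        hit = det.observe(*ev)
        if hit and on_alert:
            on_alert(*hit)
    return det.alerts


# Constructed sample log (not from the patent). Each tuple is
# (timestamp in seconds, source host, event kind, destination ip).
SAMPLE_EVENTS = [
    # 10.0.0.5 behaves normally: it resolves a name, then a few connects fail
    # because that one server is down. Every failure had a prior DNS answer.
    (0, "10.0.0.5", "dns", "203.0.113.10"),
    (1, "10.0.0.5", "conn_ok", "203.0.113.10"),
    (2, "10.0.0.5", "dns", "203.0.113.20"),
    (3, "10.0.0.5", "conn_fail", "203.0.113.20"),
    (4, "10.0.0.5", "conn_fail", "203.0.113.20"),
    (5, "10.0.0.5", "conn_fail", "203.0.113.20"),
] + [
    # 10.0.0.9 walks consecutive addresses with no DNS activity at all,
    # the footprint the DNS-correlation criterion is meant to catch.
    (5 + i, "10.0.0.9", "conn_fail", f"192.0.2.{i + 1}") for i in range(8)
]

if __name__ == "__main__":
    analyze(SAMPLE_EVENTS,
            on_alert=lambda s, t, r: print(f"t={t}s worm declared on {s}: {r}"))
```

Run as a script, the normal host 10.0.0.5 never trips either criterion because each of its failures was preceded by a DNS answer, while 10.0.0.9 is declared at its fifth failed connect. The two thresholds are deliberately separate: the DNS-correlated count is low because that pattern is rare in legitimate traffic, whereas the plain failure count is higher to tolerate an outage of a popular server.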
Specification