Heuristic detection and termination of fast spreading network worm attacks

US 7,159,149 B2
Filed: 10/24/2002
Issued: 01/02/2007
Est. Priority Date: 10/24/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:

observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and

responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a sources is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source'"'"'s failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source'"'"'s network access.

437 Citations

34 Claims

1. A computer-implemented method for detecting a worm infection on a set of sources coupled to a network, the method comprising the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
  
  responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein at least one source is a process running on a network device.
  - 3. The method of claim 2, further comprising the step of:
    - responsive to a declaration of a worm, terminating the process associated with the declared worm.
  - 4. The method of claim 1, wherein at least one source is a network device coupled to a network.
  - 5. The method of claim 4, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device associated with the declared worm.
  - 6. The method of claim 1, further comprising the step of:
    - responsive to a declaration of a worm, alerting a user.
  - 7. The method of claim 1, farther comprising the step of:
    - responsive to a declaration of a worm, alerting a system administrator.
  - 8. The method of claim 1, wherein the threshold criteria further comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 9. The method of claim 1, wherein the threshold criteria further comprise a weighting associated with at least one of the failed network connection attempts according to an attribute thereof.
  - 10. The method of claim 1, wherein a threshold criterion applied to a source depends on the source, and different threshold criteria are used for different sources.
  - 11. The method of claim 1, wherein the step of declaring a worm comprises excluding a source from the threshold criteria, whereby the source'"'"'s failed network connection attempts do not cause a presence of a worm to be declared.

12. A computer-implemented method for detecting a worm on a network device, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
  
  logging the process and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, further comprising the step of:
    - responsive to a declaration of a worm, terminating the process associated with the non-normal failed connection attempts.
  - 14. The method of claim 12, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device.
  - 15. The method of claim 12, wherein the determination of non-normalcy is based at least in part on:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.

16. A computer-implemented method for detecting a worm on a network, the method comprising the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
  
  logging the network device and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising the step of:
    - responsive to a declaration of a worm, terminating network access of the network device.
  - 18. The method of claim 16, wherein the determination of non-normalcy is based at least in part on:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.

19. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm infection on a set of sources coupled to a network, the computer program code comprising instructions for performing the steps of:
- observing a plurality of failed network connection attempts, each failed network connection attempt originating from one of the sources and directed to a destination network address; and
  
  responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, declaring a presence of a worm, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computer program product of claim 19, wherein at least one source is a process running on a network device.
  - 21. The computer program product of claim 20, the instructions for further performing the step of:
    - responsive to a declaration of a worm, terminating the process associated with the declared worm.
  - 22. The computer program product of claim 19, wherein at least one source is a network device coupled to a network.
  - 23. The computer program product of claim 22, the instructions for further performing the step of:
    - responsive to a declaration of a worm, terminating network access of the network device associated with the declared worm.
  - 24. The computer program product of claim 19, wherein the threshold criteria further comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.

25. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network device, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of processes running on the network device;
  
  logging the process and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a process being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

26. A computer program product comprising a computer-readable medium containing computer program code for detecting a worm on a network, the computer program code comprising instructions for performing the steps of:
- monitoring attempts to connect to a destination network address by any of a set of network devices coupled to the network;
  
  logging the network device and the destination network address associated with a set of failed connection attempts; and
  
  responsive to the failed connection attempts associated with a network device being determined non-normal, declaring a presence of a worm, wherein the determination of non-normalcy is based at least in part on a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.

27. A system for detecting a worm, the system comprising:
- a network monitoring module configured to observe a plurality of failed network connection attempts, each failed network connection attempt originating from any of a set of sources and directed to a destination network address;
  
  a logging module coupled to the network monitoring module for logging the failed attempts; and
  
  an analysis module coupled to the logging module for declaring a presence of a worm responsive to a source'"'"'s failed network connection attempts during a period of time meeting at least one of a set of threshold criteria, wherein the threshold criteria comprise a correlation with a prior DNS lookup having not been performed before an associated failed network connection attempt.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The system of claim 27, wherein the threshold criteria further comprise:
    - a number of failed network connection attempts; and
      
      a diversity of destination network addresses associated with the failed network connection attempts.
  - 29. The system of claim 27, wherein the threshold criteria further comprise a weighting associated with at least one of the failed network connection attempts according to an attribute thereof.
  - 30. The system of claim 27, further comprising:
    - a response module coupled to the analysis module, the response module configured to respond to the worm upon a declaration thereof.
  - 31. The system of claim 30, wherein the response module is configured to alert a user of a declared worm.
  - 32. The system of claim 27, wherein at least one source is a process running on a network device, and the response module is configured to terminate the process associated with a declared worm.
  - 33. The system of claim 27, wherein at least one source is a network device coupled to a network, and the response module is configured to terminate network access of the network device associated with a declared worm.
  - 34. The system of claim 27, wherein the analysis module is configured to exclude a source from the threshold criteria, whereby the source'"'"'s failed network connection attempts do not cause the analysis module to declare a worm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Spiegel, Mark, Sobel, William
Primary Examiner(s)
Beausoliel; Robert
Assistant Examiner(s)
GUYTON, PHILIP A

Application Number

US10/280,586
Publication Number

US 20040083408A1
Time in Patent Office

1,531 Days
Field of Search

714/39, 714/43, 714/48, 713/200, 713/201
US Class Current

714/43
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Heuristic detection and termination of fast spreading network worm attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

437 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Heuristic detection and termination of fast spreading network worm attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

437 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links