Protocol layer-level system and method for detecting virus activity
First Claim
1. A method for detecting network activity governed by malicious code, comprising:
monitoring two protocol layers associated with data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious code software;
determining whether the data communications are prompted by malicious code based on the monitoring; and
initiating a security event upon determining that the data communications are prompted by malicious code;
wherein the determination of whether the data communications are prompted by malicious code includes:
analyzing port numbers to which the data communications are being sent, determining whether the port numbers are unique or non-unique, initiating the security event if the port numbers are determined to be unique, performing further processing if the port numbers are determined to be non-unique, and conditionally performing the security event based on the further processing, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
Abstract
A system, method and computer program product for detecting network activity governed by malicious code is provided. A protocol layer associated with data communications over a network is monitored. A determination is made as to whether the data communications are prompted by malicious code based on the monitoring. A security event is initiated upon it being determined that the data communications are prompted by malicious code.
75 Citations
24 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 12 depend on it and are not shown here.
13. A computer program product embodied on a computer readable medium for detecting network activity governed by malicious code, comprising:
computer code for monitoring two protocol layers associated with data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious code software; computer code for determining whether the data communications are prompted by malicious code based on the monitoring; and computer code for initiating a security event upon determining that the data communications are prompted by malicious code; wherein the determination of whether the data communications are prompted by malicious code includes:
analyzing port numbers to which the data communications are being sent, determining whether the port numbers are unique or non-unique, initiating the security event if the port numbers are determined to be unique, performing further processing if the port numbers are determined to be non-unique, and conditionally performing the security event based on the further processing, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
14. A system for detecting network activity governed by malicious code, comprising:
hardware for monitoring two protocol layers associated with data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious software; hardware for determining whether the data communications are prompted by malicious code based on the monitoring; and hardware for initiating a security event upon determining that the data communications are prompted by malicious code; wherein the determination of whether the data communications are prompted by malicious code includes:
analyzing port numbers to which the data communications are being sent, determining whether the port numbers are unique or non-unique, initiating the security event if the port numbers are determined to be unique, performing further processing if the port numbers are determined to be non-unique, and conditionally performing the security event based on the further processing, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
15. A method for detecting network activity governed by malicious code, comprising:
monitoring two protocol layers associated with data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious software; analyzing port numbers to which the data communications are being sent utilizing a signature file having port signatures; determining whether the data communications are prompted by malicious code based on the analysis; and initiating a security event upon determining that the data communications are prompted by malicious code, wherein the security event is initiated upon matching of unique port numbers with a signature of the signature file; wherein further processing occurs upon matching of a non-unique port number with a signature of the signature file, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
Claims 16 to 19 depend on claim 15 and are not shown here.
20. A computer program product embodied on a computer readable medium for detecting network activity governed by malicious code, comprising:
computer code for monitoring two protocol layers associated with data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious software; computer code for analyzing port numbers to which the data communications are being sent utilizing a signature file having port signatures; computer code for determining whether the data communications are prompted by malicious code based on the analysis; and computer code for initiating a security event upon determining that the data communications are prompted by malicious code, wherein the security event is initiated upon matching of unique port numbers with a signature of the signature file; wherein further processing occurs upon matching of a non-unique port number with a signature of the signature file, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
21. A system for detecting network activity governed by malicious code, comprising:
hardware for monitoring two protocol layers associated with streaming data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious code software; hardware for analyzing port numbers to which the data communications are being sent utilizing a signature file having port signatures; hardware for determining whether the data communications are prompted by malicious code based on the analysis; and hardware for initiating a security event upon determining that the data communications are prompted by malicious code, wherein the security event is initiated upon matching of a unique port number with a signature of the signature file; wherein further processing occurs upon matching of a non-unique port number with a signature of the signature file, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
22. A method for detecting network activity governed by malicious code, comprising:
monitoring two protocol layers associated with incoming and outgoing streaming data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious software; analyzing port numbers to which the data communications are being sent utilizing a signature file having port signatures; determining whether the data communications are prompted by malicious code based on the analysis; and initiating a security event upon determining that the data communications are prompted by malicious code, wherein the security event is initiated upon matching of unique port numbers with a signature of the signature file; wherein further processing occurs upon matching of a non-unique port number with a signature of the signature file, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
23. A method for detecting network activity governed by malicious code, comprising:
monitoring two protocol layers associated with incoming and outgoing streaming data communications over a network, wherein a first of the protocol layers is positioned between OSI standard layers 2 and 3, and a second of the protocol layers is positioned between OSI standard layers 4 and 5, the protocol layers being maintained by anti-malicious software; analyzing port numbers to which the data communications are being sent utilizing a signature file having port signatures; determining whether the data communications are prompted by malicious code based on the analysis; and initiating a security event upon determining that the data communications are prompted by malicious code, the security event being initiated upon matching of unique port numbers with a signature of the signature file, the security event including at least one of:
terminating the data communications, discarding a packet of the data communications, and redirecting the data communications; and prompting further processing upon matching of a non-unique port number with a signature of the signature file, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code.
24. A method for detecting network activity governed by malicious code, comprising:
monitoring a protocol layer associated with data communications over a network; determining whether the data communications are prompted by malicious code based on the monitoring; and initiating a security event upon determining that the data communications are prompted by malicious code; wherein the determination of whether the data communications are prompted by malicious code includes:
analyzing port numbers to which the data communications are being sent, determining whether the port numbers are unique or non-unique, initiating the security event if the port numbers are determined to be unique, performing further processing if the port numbers are determined to be non-unique, and conditionally performing the security event based on the further processing, the further processing including reassembling data of the data communications and scanning the reassembled data for malicious code; wherein a plurality of protocol layers are monitored comprising a first shim positioned between OSI standard layers 2 and 3, and a second shim positioned between OSI standard layers 4 and 5, the first shim and the second shim both being maintained, managed, and monitored by anti-malicious code software.
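The decision procedure the claims describe, modelled as an added example that is not the patent's own code: a lower shim (between layers 2 and 3) decides on the destination port alone, raising the security event for a "unique" port and deferring a "non-unique" port to an upper shim (between layers 4 and 5) that reassembles the stream and scans it. The port-signature table, the flow tuples, the `Segment`/`Monitor` names and the payload marker are all constructed for illustration; the real signature file format is not described on this page.

```python
from dataclasses import dataclass, field

# Constructed port-signature table (stands in for the claims' "signature file"):
# dst port -> (signature name, unique?, payload marker to scan for).
# A "unique" port is attributed only to the malicious code, so traffic to it
# triggers the event directly; a "non-unique" port is shared with legitimate
# services, so the reassembled stream must be scanned before deciding.
PORT_SIGNATURES = {
    31337: ("toy-backdoor", True, None),
    80: ("toy-worm-over-http", False, b"EVIL_WORM_MARKER"),
}

@dataclass
class Segment:
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port), constructed values
    seq: int         # position of this segment within its stream
    payload: bytes

@dataclass
class Monitor:
    events: list = field(default_factory=list)
    streams: dict = field(default_factory=dict)  # flow -> {seq: payload}

    def lower_shim(self, seg):
        """Shim between OSI layers 2 and 3: decide on headers alone."""
        sig = PORT_SIGNATURES.get(seg.flow[3])
        if sig is None:
            return "pass"
        name, unique, _ = sig
        if unique:
            self.events.append(("terminate", seg.flow, name))
            return "event"
        return "further"  # non-unique port: hand off to the upper shim

    def upper_shim(self, seg):
        """Shim between OSI layers 4 and 5: reassemble, then scan the stream."""
        self.streams.setdefault(seg.flow, {})[seg.seq] = seg.payload
        data = b"".join(p for _, p in sorted(self.streams[seg.flow].items()))
        name, _, marker = PORT_SIGNATURES[seg.flow[3]]
        if marker and marker in data:  # also finds a marker split across segments
            self.events.append(("discard", seg.flow, name))
            return "event"
        return "pass"

    def inspect(self, seg):
        verdict = self.lower_shim(seg)
        return self.upper_shim(seg) if verdict == "further" else verdict
```

Scanning each segment on its own would miss a marker that straddles two out-of-order segments; reassembling first, as the non-unique path requires, catches it.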
Specification