Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
First Claim
1. A method for detecting transmission of malicious packets, comprising:
receiving a packet;
generating a plurality of hash values from a payload field in the packet;
comparing the generated hash values to hash values corresponding to prior packets; and
determining that the packet is a potentially malicious packet when a plurality of the generated hash values corresponding to the packet matches a plurality of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the packet.
Abstract
A system (126-129) detects transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets. The system (126-129) may then identify the potentially malicious packet as one of the previously-received packets when one or more of the generated hash values match the hash value corresponding to the one previously-received packet.
29 Claims
1. A method for detecting transmission of malicious packets, comprising:
receiving a packet;
generating a plurality of hash values from a payload field in the packet;
comparing the generated hash values to hash values corresponding to prior packets; and
determining that the packet is a potentially malicious packet when a plurality of the generated hash values corresponding to the packet matches a plurality of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the packet.
Dependent claims: 2 through 14.
15. A system for hampering transmission of a potentially malicious packet, comprising:
means for receiving a packet;
means for generating a plurality of hash values from a payload field in the packet;
means for comparing the generated hash values to hash values corresponding to prior packets;
means for determining that the packet is a potentially malicious packet when a plurality of the generated hash values match a plurality of the hash values corresponding to at least one of the prior packets and the at least one of the prior packets was received within a predetermined amount of time of the packet; and
means for hampering transmission of the packet when the packet is determined to be a potentially malicious packet.
16. A system for detecting transmission of potentially malicious packets, comprising:
a plurality of input ports configured to receive a plurality of packets;
a plurality of output ports configured to transmit the packets; and
a hash processor configured to:
observe one of the packets received at the input ports,
generate a plurality of hash values from a payload field in the one packet,
compare the generated hash values to hash values corresponding to previous packets, and
determine that the one packet is a potentially malicious packet when a plurality of the generated hash values corresponding to the one packet matches a plurality of the hash values corresponding to one of the previous packets and the one previous packet was received within a predetermined amount of time of the one packet.
Dependent claims: 17 through 29.
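The abstract and claims 1, 15 and 16 all describe the same detection loop: derive several hash values from a packet's payload, keep the hash values of recently received packets, and flag a packet when a plurality of its hash values match those of one prior packet that arrived within a fixed time limit; the abstract adds a tracing step that looks a reported payload up against the retained hashes. The following Python is an added illustration of that loop and is not code from the patent or its assignee. It assumes, as its own design choices, that the "plurality of hash values" comes from hashing fixed-size overlapping windows of the payload with truncated SHA-256, that timestamps arrive in non-decreasing order, that a 60-second retention window stands in for the claimed "predetermined amount of time", and that two shared hash values count as "a plurality"; the packet payloads in the demonstration are constructed sample data.

```python
"""Hash-based repeated-payload detection and tracing (added example, not the patent's code)."""
import hashlib
from collections import defaultdict, deque

WINDOW = 8            # bytes per hashed window of the payload (assumed)
STRIDE = 4            # offset between successive windows (assumed)
MATCH_THRESHOLD = 2   # "a plurality" of matching hash values (assumed)
TIME_LIMIT = 60.0     # "predetermined amount of time", in seconds (assumed)


def payload_hashes(payload: bytes, window: int = WINDOW, stride: int = STRIDE) -> set:
    """Generate a plurality of hash values from one payload field.

    Each overlapping window is hashed on its own, so two packets that share
    a stretch of content share hash values even when other bytes differ.
    A payload shorter than one window yields a single hash of the whole payload.
    """
    if len(payload) < window:
        return {hashlib.sha256(payload).digest()[:8]}
    hashes = set()
    for start in range(0, len(payload) - window + 1, stride):
        # Truncated SHA-256 keeps the table compact; a keyed hash would be
        # preferable in a real deployment so senders cannot steer collisions.
        hashes.add(hashlib.sha256(payload[start:start + window]).digest()[:8])
    return hashes


class HashDetector:
    """Retains hash values of recent packets and flags packets that repeat them."""

    def __init__(self, time_limit: float = TIME_LIMIT, threshold: int = MATCH_THRESHOLD):
        self.time_limit = time_limit
        self.threshold = threshold
        self.packets = {}                # packet_id -> (timestamp, hash set)
        self.index = defaultdict(set)    # hash value -> {packet_id, ...}
        self.order = deque()             # (timestamp, packet_id), oldest first

    def _expire(self, now: float) -> None:
        """Drop packets received more than time_limit seconds before `now`."""
        while self.order and now - self.order[0][0] > self.time_limit:
            _, old_id = self.order.popleft()
            _, old_hashes = self.packets.pop(old_id)
            for h in old_hashes:
                self.index[h].discard(old_id)
                if not self.index[h]:
                    del self.index[h]

    def _matches(self, hashes: set) -> dict:
        """Count, per retained packet, how many of `hashes` it shares."""
        counts = defaultdict(int)
        for h in hashes:
            for prior_id in self.index.get(h, ()):
                counts[prior_id] += 1
        return {pid: n for pid, n in counts.items() if n >= self.threshold}

    def observe(self, packet_id: str, timestamp: float, payload: bytes) -> dict:
        """Record a packet; return {prior_id: shared_hash_count} for prior packets
        it matches within the time limit (empty dict means not flagged)."""
        self._expire(timestamp)
        hashes = payload_hashes(payload)
        matches = self._matches(hashes)
        self.packets[packet_id] = (timestamp, hashes)
        for h in hashes:
            self.index[h].add(packet_id)
        self.order.append((timestamp, packet_id))
        return matches

    def trace(self, payload: bytes) -> set:
        """Tracing step: identify retained packets that a reported payload matches."""
        return set(self._matches(payload_hashes(payload)))


def demo() -> dict:
    """Constructed traffic: one body repeated with a varying suffix, one unrelated packet."""
    det = HashDetector()
    body = b"constructed repeated body: " + bytes(range(48))
    results = {
        "first": det.observe("p1", 0.0, body + b" dst=host-a"),      # nothing prior: {}
        "other": det.observe("p2", 5.0, b"unrelated request with different content entirely"),
        "repeat": det.observe("p3", 10.0, body + b" dst=host-b"),    # matches p1
        "late": det.observe("p4", 100.0, body + b" dst=host-c"),     # p1..p3 expired: {}
    }
    results["trace"] = det.trace(body + b" dst=host-z")               # only p4 retained
    return results
```

The windows are sampled at a fixed stride, so a shared region that is shifted by a non-multiple of the stride in one packet would not line up; content-defined sampling, as used in later worm-signature work, removes that limitation but is not needed to show the claimed comparison. `demo()` returns the per-step match dictionaries so the behaviour of the time limit and the tracing lookup can be checked directly.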
Specification