Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses

US 7,328,349 B2
Filed: 09/20/2002
Issued: 02/05/2008
Est. Priority Date: 12/14/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting transmission of malicious packets, comprising:

receiving a packet;

generating a plurality of hash values from a payload field in the packet;

comparing the generated hash values to hash values corresponding to prior packets; and

determining that the packet is a potentially malicious packet when a plurality of the generated hash to the packet matches a plurality of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the packet.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system (126-129) detects transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets. The system (126-129) may then identify the potentially malicious packet as one of the previously-received packets when one or more of the generated hash values match the hash value corresponding to the one previously-received packet.

Citations

29 Claims

1. A method for detecting transmission of malicious packets, comprising:
- receiving a packet;
  
  generating a plurality of hash values from a payload field in the packet;
  
  comparing the generated hash values to hash values corresponding to prior packets; and
  
  determining that the packet is a potentially malicious packet when a plurality of the generated hash to the packet matches a plurality of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the generating the hash values from the payload field includes:
    - hashing successive fixed-sized blocks in the payload field in the packet.
  - 3. The method of claim 1, further comprising:
    - storing a plurality of hash values corresponding to known malicious packets.
  - 4. The method of claim 3, further comprising:
    - comparing the generated hash values to the hash values corresponding to the known malicious packets; and
      
      declaring that the packet is a malicious packet when one or more of the generated hash values corresponding to the packet matches one or more of the hash values corresponding to the known malicious packets.
  - 5. The method of claim 4, further comprising:
    - taking remedial action when the packet is declared a malicious packet.
  - 6. The method of claim 5, wherein the taking remedial action includes at least one of:
    - raising a warning,delaying transmission of the packet,requiring human examination of the packet,dropping the packet,dropping other packets originating from a same address as the packet,sending a Transmission Control Protocol (TCP) close message to a sender of the packet, disconnecting a link on which the packet was received, or corrupting the packet.
  - 7. The method of claim 1, further comprising:
    - determining whether more than a predefined number of the prior packets with the matching plurality of hash values was received.
  - 8. The method of claim 7, wherein the determining that the packet is a potentially malicious packet includes:
    - identifying the packet as a potentially malicious packet when more than the predefined number of the prior packets were received within the predetermined amount of time of the packet.
  - 9. The method of claim 7, further comprising:
    - recording the generated hash values corresponding to the packet when no more than the predefined number of the prior packets was received.
  - 10. The method of claim 1, wherein the potentially malicious packet is associated with one of a virus or a worm.
  - 11. The method of claim 1, further comprising:
    - taking remedial action when the packet is determined to be a potentially malicious packet.
  - 12. The method of claim 11, wherein the taking remedial action includes at least one of:
    - raising a warning,delaying transmission of the packet,requiring human examination of the packet,dropping the packet,dropping other packets originating from a same address as the packet,sending a Transmission Control Protocol (TCP) close message to a sender of the packet,disconnecting a link on which the packet was received, or corrupting the packet.
  - 13. The method of claim 11, wherein the taking remedial action includes:
    - determining a probability value associated with whether the packet is a potentially malicious packet, andperforming a remedial action when the probability value is above a threshold.
  - 14. The method of claim 1, further comprising:
    - comparing a source address associated with the packet to addresses of legitimate replicators, anddetermining that the packet is not malicious when the source address matches one of the addresses of legitimate replicators.

15. A system for hampering transmission of a potentially malicious packet, comprising:
- means for receiving a packet;
  
  means for generating a plurality of hash values from a payload field in the packet;
  
  means for comparing the generated hash values to hash values corresponding to prior packets;
  
  means for determining that the packet is a potentially malicious packet when a plurality of the generated hash values match a plurality of the hash values corresponding to at least one of the prior packets and the at least one of the prior packets was received within a predetermined amount of time of the packet; and
  
  means for hampering transmission of the packet when the packet is determined to be a potentially malicious packet.

16. A system for detecting transmission of potentially malicious packets, comprising:
- a plurality of input ports configured to receive a plurality of packets;
  
  a plurality of output ports configured to transmit the packets;
  
  a hash processor configured to;
  
  observe one of the packets received at the input ports,generate a plurality of hash values from a pavload field in the one packet,compare the generated hash values to hash values corresponding to previous packets, anddetermine that the one packet is a potentially malicious packet when a plurality of the generated hash values corresponding to the one packet matches a plurality of the hash values corresponding to one of the previous packets and the one previous packet was received within a predetermined amount of time of the one packet.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The system of claim 16, wherein when generating the hash values from the payload field, the hash processor is configured to hash successive fixed-sized blocks in the payload field in the one packet.
  - 18. The system of claim 16, further comprising:
    - a hash memory configured to store a plurality of hash values corresponding to known malicious packets.
  - 19. The system of claim 18, wherein the hash processor is further configured to:
    - compare one or more of the generated hash values to the hash values in the hash memory, anddeclare that the one packet is a malicious packet when the one or more of the generated hash values corresponding to the one packet matches one or more of the hash values in the hash memory.
  - 20. The system of claim 19, wherein the hash processor is further configured to take remedial action when the one packet is declared a malicious packet.
  - 21. The system of claim 20, wherein when taking remedial action, the hash processor is configured to at least one of:
    - raise a warning,delay transmission of the one packet,require human examination of the one packet,drop the one packet,drop other packets originating from a same address as the one packet,send a Transmission Control Protocol (TCP) close message to a sender of the one packet,disconnect a link on which the one packet was received, or corrupt the one packet.
  - 22. The system of claim 16, wherein the hash processor is further configured to determine whether more than a predefined number of the previous packets with the plurality of hash values was received.
  - 23. The system of claim 22, wherein when determining that the one packet is a potentially malicious packet, the hash processor is configured to identify the one packet as a potentially malicious packet when more than the predefined number of the previous packets were received within the predetermined amount of time of the one packet.
  - 24. The system of claim 22, wherein the hash processor is further configured to record the generated hash values corresponding to the one packet when no more than the predefined number of the previous packets was received.
  - 25. The system of claim 16, wherein the potentially malicious packet is associated with one of a virus or a worm.
  - 26. The system of claim 16, wherein the hash processor is further configured to take remedial action when the one packet is determined to be a potentially malicious packet.
  - 27. The system of claim 26, wherein when taking remedial action, the hash processor is configured to at least one of:
    - raise a warning,delay transmission of the one packet,require human examination of the one packet,drop the one packet,drop other packets originating from a same address as the one packet,send a Transmission Control Protocol (TCP) close message to a sender of the one packet,disconnect a link on which the one packet was received, or corrupt the one packet.
  - 28. The system of claim 26, wherein when taking remedial action, the hash processor is configured to:
    - determine a probability value associated with whether the one packet is a potentially malicious packet, andperform a remedial action when the probability value is above a threshold.
  - 29. The system of claim 16, wherein the hash processor is further configured to:
    - compare a source address associated with the one packet to addresses of legitimate replicators, anddetermine that the one packet is not malicious when the source address matches one of the addresses of legitimate replicators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stragent, LLC (Oso IP, LLC)
Original Assignee
BBN Technologies Corporation (Rtx Corporation)
Inventors
Milliken, Walter Clark
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Chai, Longbit

Application Number

US10/251,403
Publication Number

US 20030115485A1
Time in Patent Office

1,964 Days
Field of Search

713178-181, 713160-161, 726 22- 25, 370229-235
US Class Current

713/181
CPC Class Codes

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links