Network isolation techniques suitable for virus protection

US 7,386,888 B2
Filed: 10/09/2003
Issued: 06/10/2008
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a distributed network having a number of server computers and associated client devices, method of isolating infected client devices from uninfected client devices and of inoculating the infected devices, comprising:

correlating network related virus infection reports of virus attacks;

when a specific number of reports have been correlated, determining if a virus outbreak has occurred based on the correlated information wherein an outbreak has occurred when the number of occurrences of a specified virus has surpassed a threshold;

isolating infected client devices from uninfected client devices when the virus outbreak is confirmed;

copying by a traffic controller substantially all data packets included in the network traffic; and

forwarding the copied data packets to a virus analyzer unit;

a controller signaling a virus monitor to switch to inline mode where all data packets are checked for the virus and related viruses without copying of the data packets;

monitoring all data packets in the network for the virus;

identifying the virus;

blocking only packets infected by the particular virus;

creating an anti-virus agent, wherein creating an anti-virus agent further includes;

parsing the virus into

     1) a detection module that identifies a selected one of the client devices as a target client device,

     2) an infection module that causes the virus to infect the target client device not infected by the selected virus, and

     3) a viral code payload module that infects the target client device;

analyzing the infection module to determine the method of infection and the anti-viral payload module to determine the deleterious effects;

modifying the infection module to infect client devices already infected by the virus;

incorporating the anti-virus into the payload module that acts to prevent further infection by the virus; and

forming an anti-computer virus agent by combining the detection module, the modified infection module, and the modified viral payload module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a distributed network having a number of server computers and associated client devices, method of isolating infected client devices from uninfected client devices is described. The method is carried out by correlating network related virus infection information, determining if a virus outbreak has occurred based on the correlated information, isolating infected client devices from uninfected client devices when the virus outbreak is confirmed, monitoring all data packets in the network for the virus, identifying a packet type associated with the virus, and blocking only the identified packet type.

407 Citations

10 Claims

1. In a distributed network having a number of server computers and associated client devices, method of isolating infected client devices from uninfected client devices and of inoculating the infected devices, comprising:
- correlating network related virus infection reports of virus attacks;
  
  when a specific number of reports have been correlated, determining if a virus outbreak has occurred based on the correlated information wherein an outbreak has occurred when the number of occurrences of a specified virus has surpassed a threshold;
  
  isolating infected client devices from uninfected client devices when the virus outbreak is confirmed;
  
  copying by a traffic controller substantially all data packets included in the network traffic; and
  
  forwarding the copied data packets to a virus analyzer unit;
  
  a controller signaling a virus monitor to switch to inline mode where all data packets are checked for the virus and related viruses without copying of the data packets;
  
  monitoring all data packets in the network for the virus;
  
  identifying the virus;
  
  blocking only packets infected by the particular virus;
  
  creating an anti-virus agent, wherein creating an anti-virus agent further includes;
  
  parsing the virus into
  
       1) a detection module that identifies a selected one of the client devices as a target client device,
  
       2) an infection module that causes the virus to infect the target client device not infected by the selected virus, and
  
       3) a viral code payload module that infects the target client device;
  
  analyzing the infection module to determine the method of infection and the anti-viral payload module to determine the deleterious effects;
  
  modifying the infection module to infect client devices already infected by the virus;
  
  incorporating the anti-virus into the payload module that acts to prevent further infection by the virus; and
  
  forming an anti-computer virus agent by combining the detection module, the modified infection module, and the modified viral payload module.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as recited in claim 1, further comprising:
    - forwarding to a virus analyzer unit coupled to a network computer virus sensor only those data packets deemed to be infected by the identified computer virus or computer worm.
  - 3. A method as recited in claim 2, comprising:
    - forwarding the copied data packets to a packet protocol determinator; and
      
      determining the packet protocol of the copied data packet.
  - 4. A method as recited in claim 3, further comprising:
    - receiving at a trash collector those copied data packets determined to be of a first set of one or more specific protocols; and
      
      receiving and analyzing those copied data packets determined to be of one or more specific protocol at a filescan unit.
  - 5. A method as recited in claim 4, further comprising:
    - determining by a virus analyzer unit if those copied data packets received at the filescan unit are infected by the detected computer virus or computer worm;
      
      forwarding those packets determined not to be infected to the trash collector;
      
      analyzing the infected copied data packets; and
      
      generating a virus report based upon the analysis.

6. In a distributed network having a number of server computers and associated client devices, computer program product for isolating infected client devices from uninfected client devices and of inoculating the infected devices embodied in a computer readable storage medium for storing the following computer code, comprising:
- computer code correlating network related virus infection reports of virus attacks;
  
  when a specific number of reports have been correlated, computer code determining if a virus outbreak has occurred based on the correlated information wherein an outbreak has occurred when the number of occurrences of a specified virus has surpassed a threshold;
  
  computer code isolating infected client devices from uninfected client devices when the virus outbreak is confirmed;
  
  computer code copying by a traffic controller substantially all data packets included in the network traffic; and
  
  forwarding the copied data packets to a virus analyzer unit;
  
  computer code controlling a controller to signal a virus monitor to switch to inline mode where all data packets are checked for the virus and related viruses without copying of the data packets;
  
  computer code monitoring all data packets in the network for the virus;
  
  computer code identifying the virus;
  
  computer code blocking only packets infected by the particular virus;
  
  computer code creating an anti-virus agent, wherein creating an anti-virus agent further includes;
  
  parsing the virus into
  
       1) a detection module that identifies a selected one of the client devices as a target client device,
  
       2) an infection module that causes the virus to infect the target client device not infected by the selected virus, and
  
       3) a viral code payload module that infects the target client device;
  
  analyzing the infection module to determine the method of infection and the anti-viral payload module to determine the deleterious effects;
  
  modifying the infection module to infect client devices already infected by the virus;
  
  incorporating the anti-virus into the payload module that acts to prevent further infection by the virus; and
  
  forming an anti-computer virus agent by combining the detection module, the modified infection module, and the modified viral payload module.
- View Dependent Claims (7, 8, 9, 10)
- - 7. Computer program product as recited in claim 6, further comprising:
    - computer code forwarding to a virus analyzer unit coupled to a network computer virus sensor only those data packets deemed to be infected by the identified computer virus or computer worm.
  - 8. Computer program product as recited in claim 7, comprising:
    - computer code forwarding the copied data packets to a packet protocol determinator; and
      
      computer code determining the packet protocol of the copied data packet.
  - 9. Computer program product as recited in claim 8, further comprising:
    - computer code receiving at a trash collector those copied data packets determined to be of a protocol not likely to be infected by the detected computer virus or computer worm; and
      
      computer code receiving and analyzing those copied data packets determined to be of a protocol likely to be infected by the detected computer virus or computer worm at a filescan unit.
  - 10. Computer program product as recited in claim 9, further comprising:
    - computer code determining by a virus/worm analyzer unit if those copied data packets received at the filescan unit are infected by the detected computer virus or computer worm;
      
      computer code forwarding those packets determined not to be infected to the trash collector;
      
      computer code analyzing the infected copied data packets; and
      
      computer code generating a virus report based upon the analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Liang, Yung Chang, Chen, Yi Fen
Primary Examiner(s)
Vu; Kim Y.
Assistant Examiner(s)
Moran; Randal D

Application Number

US10/683,873
Publication Number

US 20050050336A1
Time in Patent Office

1,706 Days
Field of Search

726/23, 726/24, 713/188
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/108   when the policy decisions a...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Network isolation techniques suitable for virus protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

407 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Network isolation techniques suitable for virus protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

407 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others