System and method for providing passive screening of transient messages in a distributed computing environment

US 7,461,403 B1
Filed: 02/01/2002
Issued: 12/02/2008
Est. Priority Date: 08/03/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing passive screening of transient messages in a distributed computing environment, comprising:

a network interface passively monitoring a transient packet stream at a network boundary comprising receiving incoming datagrams structured in compliance with a network protocol layer;

a packet receiver reassembling one or more of the incoming datagrams into a segment structured in compliance with a transport protocol layer;

an antivirus scanner scanning contents of the reassembled segment for a presence of at least one of a computer virus and malware to identify infected message contents;

a protocol-specific module processing each reassembled datagram based on the transport protocol layer employed by the reassembled datagram; and

a spoof module sending a spoofed network protocol packet responsive to an occurrence of at least one of an infection and a network attack;

wherein the spoofed network protocol packet spoofs an origin server by being utilized to send a legitimate packet to a network domain in place of an infected packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method includes passive screening of transient messages in a distributed computing environment. A transient packet stream is passively monitored at a network boundary. Incoming datagrams structured in compliance with a network protocol layer are received. One or more of the incoming datagrams are reassembled into a segment structured in compliance with a transport protocol layer. Contents of the reassembled segment are scanned for a presence of at least one of a computer virus and malware to identify infected message contents.

90 Citations

View as Search Results

49 Claims

1. A system for providing passive screening of transient messages in a distributed computing environment, comprising:
- a network interface passively monitoring a transient packet stream at a network boundary comprising receiving incoming datagrams structured in compliance with a network protocol layer;
  
  a packet receiver reassembling one or more of the incoming datagrams into a segment structured in compliance with a transport protocol layer;
  
  an antivirus scanner scanning contents of the reassembled segment for a presence of at least one of a computer virus and malware to identify infected message contents;
  
  a protocol-specific module processing each reassembled datagram based on the transport protocol layer employed by the reassembled datagram; and
  
  a spoof module sending a spoofed network protocol packet responsive to an occurrence of at least one of an infection and a network attack;
  
  wherein the spoofed network protocol packet spoofs an origin server by being utilized to send a legitimate packet to a network domain in place of an infected packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A system according to claim 1, further comprising:
    - an incoming queue staging each incoming datagram intermediate to reassembly.
  - 3. A system according to claim 1, further comprising:
    - a network protocol-specific decoder decoding the reassembled segment prior to scanning.
  - 4. A system according to claim 1, wherein the antivirus scanner terminates the transient packet stream if the reassembled segment is not infected with at least one of a computer virus and malware.
  - 5. A system according to claim 1, wherein the antivirus scanner takes an action if the reassembled segment is infected with at least one of a computer virus and malware.
  - 6. A system according to claim 5, wherein the action comprises at least one of logging the infection;
    - generating a warning;
      
      spoofing a valid datagram in place of the infected datagram; and
      
      acquiescing to the infection.
  - 7. A system according to claim 1, further comprising:
    - a protocol-specific queue staging each reassembled segment with other reassembled segments sharing the same transport protocol layer.
  - 8. A system according to claim 7, further comprising:
    - an information record storing information dependent on the same transport protocol layer with staged reassembled segment.
  - 9. A system according to claim 8, further comprising:
    - a contents record storing the contents with the staged reassembled segment.
  - 10. A system according to claim 8, wherein the information comprises at least one of a source address, source port number, destination address, destination port number, URL, file name, user name, sender identification, recipient identification, and subject.
  - 11. A system according to claim 1, further comprising;
    - an event correlator analyzing the transient packet stream for events indicative of a network service attack.
  - 12. A system according to claim 11, further comprising:
    - a data repository maintaining each event.
  - 13. A system according to claim 1, wherein the distributed computing environment is TCP/IP-compliant and each incoming message is SMTP-compliant.
  - 14. A system according to claim 1, wherein the incoming datagrams include IP datagrams that are reassembled into TCP segments.

15. A method for providing passive screening of transient messages in a distributed computing environment, comprising:
- passively monitoring a transient packet stream at a network boundary comprising receiving incoming datagrams structured in compliance with a network protocol layer;
  
  reassembling one or more of the incoming datagrams into a segment structured in compliance with a transport protocol layer;
  
  scanning contents of the reassembled segment for a presence of at least one of a computer virus and malware to identify infected message contents;
  
  processing each reassembled datagram based on the transport protocol layer employed by the reassembled datagram; and
  
  sending a spoofed network protocol packet responsive to an occurrence of at least one of an infection and a network attack;
  
  wherein the spoofed network protocol packet spoofs an origin server by being utilized to send a legitimate packet to a network domain in place of an infected packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. A method according to claim 15, further comprising:
    - staging each incoming datagram intermediate to reassembly.
  - 17. A method according to claim 15, further comprising:
    - decoding the reassembled segment prior to scanning.
  - 18. A method according to claim 15, further comprising:
    - terminating the transient packet stream if the reassembled segment is not infected with at least one of a computer virus and malware.
  - 19. A method according to claim 15, further comprising:
    - taking an action if the reassembled segment is infected with at least one of a computer virus and malware.
  - 20. A method according to claim 19, further comprising:
    - executing the action, comprising at least one of;
      
      logging the infection;
      
      generating a warning;
      
      spoofing a valid datagram in place of the infected datagram; and
      
      acquiescing to the infection.
  - 21. A method according to claim 15, further comprising:
    - staging each reassembled segment with other reassembled segments sharing the same transport protocol layer.
  - 22. A method according to claim 21, further comprising:
    - storing information dependent on the same transport protocol layer with the staged reassembled segment.
  - 23. A method according to claim 22, further comprising:
    - storing the contents with the staged reassembled segment.
  - 24. A method according to claim 22, wherein the information comprises at least one of a source address, source port number, destination address, destination port number, URL, file name, user name, sender identification, recipient identification, and subject.
  - 25. A method according to claim 15, further comprising:
    - analyzing the transient packet stream for events indicative of a network service attack.
  - 26. A method according to claim 25, further comprising:
    - maintaining each event in a data repository.
  - 27. A method according to claim 15, wherein the distributed computing environment is TCP/IP-compliant and each incoming message is SMTP-compliant.
  - 28. A computer-readable storage medium holding code for performing the method according to claims 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, or 27.

29. A system for passively detecting computer viruses and malware and denial of service-type network attacks in a distributed computing environment, comprising:
- a network interface receiving copies of datagrams transiting a boundary of a network domain into an incoming packet queue, each datagram being copied from a packet stream;
  
  a packet receiver reassembling one or more such datagrams from the incoming packet queue into network protocol packets, each staged in a reassembled packet queue;
  
  an antivirus scanner scanning each network protocol packet from the reassembled packet queue to ascertain an infection of at least one of a computer virus and malware;
  
  an event correlator evaluating events identified from the datagrams in the packet stream to detect a denial of service-type network attack on the network domain; and
  
  a spoof module sending a spoofed network protocol packet responsive to an occurrence of at least one of the infection and the network attack;
  
  wherein a protocol-specific module processes each reassembled datagram based on an upper protocol layer employed by the reassembled datagram;
  
  wherein the spoofed network protocol packet spoofs an origin server by being utilized to send a legitimate packet to the network domain in place of an infected packet.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 30. A system according to claim 29 further comprising:
    - a parser parsing each reassembled datagram into network protocol-specific information and packet content.
  - 31. A system according to claim 30, wherein the network protocol-specific information comprises a source address, source port number, destination address, destination port number, and URL for HTTP;
    - a file name and user name for FTP; and
      
      a sender identification, recipient identification, and subject for SMTP.
  - 32. A system according to claim 30, further comprising:
    - a decoder decoding the packet content prior to performing the operation of scanning.
  - 33. A system according to claim 29, further comprising:
    - a log logging an occurrence of at least one of the infection and the network attack.
  - 34. A system according to claim 29, further comprising:
    - a warning module generating a warning responsive to an occurrence of at least one of the infection and the network attack.
  - 35. A system according to claim 29, wherein the distributed computing environment is TCP/IP-compliant, each datagram is IP-compliant, and each network protocol packet is TCP-compliant.
  - 36. A system according to claim 29, wherein the network protocol packets employ at least one of HTTP, FTP, SMTP, POP3, NNTP, and Gnutella network protocols.
  - 37. A system according to claim 29, wherein only datagrams compliant with IP protocol are reassembled.
  - 38. A system according to claim 29, wherein the antivirus scanner includes a plurality of protocol-specific scanning submodules, each protocol-specific scanning submodule designated for scanning network protocol packets of a particular protocol.
  - 39. A system according to claim 38, wherein the protocol-specific scanning submodules include an HTTP submodule, an FTP submodule, an SMTP submodule, and an NNTP submodule.
  - 40. A system according to claim 38, wherein each of the protocol-specific scanning submodules is used for retrieving a re-assembled packet from an associated protocol-specific queue.
  - 41. A system according to claim 40, wherein the packet receiver maintains each protocol-specific queue at a constant size in accordance with the antivirus scanner.

42. A method for passively detecting computer viruses and malware and denial of service-type network attacks in a distributed computing environment, comprising:
- receiving copies of datagrams transiting a boundary of a network domain into an incoming packet queue, each datagram being copied from a packet stream;
  
  reassembling one or more such datagrams from the incoming packet queue into network protocol packets, each staged in a reassembled packet queue;
  
  scanning each network protocol packet form the reassembled packet queue to ascertain an infection of at least one of a computer virus and malware;
  
  evaluating events identified from the datagrams in the packet stream to detect a denial of service-type network attack on the network domain; and
  
  sending a spoofed network protocol packet responsive to an occurrence of at least one of the infection and the network attack;
  
  wherein a protocol-specific module processes each reassembled datagram based on an upper protocol layer employed by the reassembled datagram;
  
  wherein the spoofed network protocol packet spoofs an origin server by being utilized to send a legitimate packet to the network domain in place of an infected packet.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49)
- - 43. A method according to claim 42, further comprising:
    - parsing each reassembled datagram into network protocol-specific information and packet content.
  - 44. A method according to claim 43, wherein the network protocol-specific information comprises a source address, source port number, destination address, destination port number, and URL for HTTP;
    - a file name and user name for FTP; and
      
      a sender identification, recipient identification, and subject for SMTP.
  - 45. A method according to claim 43, further comprising:
    - decoding the packet content prior to performing the operation of scanning.
  - 46. A method according to claim 42 further comprising:
    - logging an occurrence of at least one of the infection and the network attack.
  - 47. A method according to claim 42, further comprising:
    - generating a warning responsive to an occurrence of at least one of the infection and the network attack.
  - 48. A method according to claim 42, wherein the distributed computing environment is TCP/IP-compliant, each datagram is IP-compliant, and each network protocol packet is TCP-compliant.
  - 49. A computer-readable storage medium holding code for performing the method according to claims 42, 43, 44, 45, 46, 47, or 48.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Libenzi, Davide, Kouznetsov, Victor
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Henning; Matthew T

Application Number

US10/061,415
Time in Patent Office

2,496 Days
Field of Search

713/201, 713/151, 713/154, 713/188, 709/224, 709/231, 709/232, 726/24, 726/13
US Class Current

726/24
CPC Class Codes

H04L 63/145   the attack involving the pr...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

System and method for providing passive screening of transient messages in a distributed computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing passive screening of transient messages in a distributed computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links