Method of detecting network worms

US 7,490,355 B2
Filed: 06/16/2005
Issued: 02/10/2009
Est. Priority Date: 06/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting network worms, comprising:

profiling connection information of a protected network to generate connection parameters and connection status values;

clustering the connection profile of the connection parameters and the connection status values to generate a plurality of clusters;

extracting cluster parameters from the generated clusters and computing attempt measures of the clusters;

determining whether any of the clusters is an anomaly cluster;

correlating the newly generated anomaly cluster with an existing cluster graph and adding it into the cluster graph if the correlation is successful or establishing a new cluster graph with the newly generated anomaly cluster if the correlation is unsuccessful, each of the cluster graph being appended with its status and a propagation measure;

determining whether a worm propagation activity is going on for cluster graphs that satisfy a specific propagation condition;

eliminating a cluster graph that does not satisfy the propagation condition within a first predetermined time; and

claiming the ending of the worm propagation activity of a cluster graph that does not have new cluster added to it within a second predetermined time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting network worms include the following steps: (1) Profiling the TCP connection information collected from the protected network, quantifying the plurality of statuses contained in the TCP connection information; (2) Clustering the connection profiles to discover all the anomaly clusters that are specified by the condition composing of several adaptive thresholds; (3) Correlating the anomaly clusters to result in a new cluster graph or to extend an existing cluster graph; (4) Issuing a security incident about the worm propagation according to the propagation condition that also composes of several adaptive thresholds; and (5) Keeping and maintaining the status of the cluster graphs.

21 Citations

View as Search Results

20 Claims

1. A method of detecting network worms, comprising:
- profiling connection information of a protected network to generate connection parameters and connection status values;
  
  clustering the connection profile of the connection parameters and the connection status values to generate a plurality of clusters;
  
  extracting cluster parameters from the generated clusters and computing attempt measures of the clusters;
  
  determining whether any of the clusters is an anomaly cluster;
  
  correlating the newly generated anomaly cluster with an existing cluster graph and adding it into the cluster graph if the correlation is successful or establishing a new cluster graph with the newly generated anomaly cluster if the correlation is unsuccessful, each of the cluster graph being appended with its status and a propagation measure;
  
  determining whether a worm propagation activity is going on for cluster graphs that satisfy a specific propagation condition;
  
  eliminating a cluster graph that does not satisfy the propagation condition within a first predetermined time; and
  
  claiming the ending of the worm propagation activity of a cluster graph that does not have new cluster added to it within a second predetermined time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the connection information is TCP connection information.
  - 3. The method of claim 1, wherein the connection parameters include at least a connection time, an IP address of and a port of a source, and an IP address of and a port of a target.
  - 4. The method of claim 1, wherein the connection status is selected from the group consisting of an attempted connection, an established connection, and a failed connection.
  - 5. The method of claim 1, wherein the cluster parameters include at least a connection time, a cluster center IP, and an exploited port.
  - 6. The method of claim 1, wherein the attempt measures include at least a cluster size, a number of attempted connections, an established connection ratio, and a failed connection ratio, the established connection ratio and the failed connection ratio being the ratios of established connections and failed connections to the number of attempted connections, respectively.
  - 7. The method of claim 1, wherein the anomaly cluster is identified when each of its attempt measures exceeds a corresponding threshold value.
  - 8. The method of claim 7, wherein the corresponding threshold value is determined by a method selected from system determination or manual adjustment.
  - 9. The method of claim 1, wherein a successful cluster correlation happens when the cluster has a same cluster feature and a connection relation with some cluster in the cluster graph.
  - 10. The method of claim 9, wherein the cluster feature is a port used by the cluster.
  - 11. The method of claim 9, wherein the connection relation between the cluster and another cluster in the cluster graph is an attempted or established connection from the center IP of the former to the center IP of the latter
  - 12. The method of claim 1, wherein the status of the cluster graph is selected from brewing, progressing and ending.
  - 13. The method of claim 1, wherein the propagation measures include at least an establishing time and a number of clusters contained therein.
  - 14. The method of claim 1, wherein the newly established cluster graph is in the status of brewing.
  - 15. The method of claim 1, wherein the propagation condition is that each of the propagation measures of the cluster graph exceeds its corresponding threshold value.
  - 16. The method of claim 15, wherein the corresponding threshold values are determined by a method selected from system determination or manual adjustment.
  - 17. The method of claim 1, wherein if the cluster graph satisfying the propagation condition is originally in the status of brewing, then the status is changed to progressing and a worm propagation incident notification is issued.
  - 18. The method of claim 1, wherein the first predetermined time is determined by a method selected from system determination or manual adjustment.
  - 19. The method of claim 1, wherein for the cluster graph that does not have any new clusters to be added within the second predetermined time the status is set as ending and a worm propagation ended incident notification is issued.
  - 20. The method of claim 1, wherein the second predetermined time is determined by a method selected from system determination or manual adjustment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
National Chung-Shan Institute of Science and Technology
Original Assignee
Chung-Shan Institute of Science & Technology Armaments Bureau MND (Government of The Republic of China)
Inventors
Wong, Hsing-Kuo
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US11/153,606
Publication Number

US 20060288415A1
Time in Patent Office

1,335 Days
Field of Search

726 22- 26, 709223-229
US Class Current

726/24
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/145 the attack involving the pr...

Method of detecting network worms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method of detecting network worms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links