Virus monitor and methods of use thereof

US 7,523,493 B2
Filed: 10/09/2003
Issued: 04/21/2009
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a distributed network of interconnected computing devices, a network virus monitor, comprising:

a virus sensor operable in a number of modes arranged to detect a computer virus in the network such that the bandwidth of the network is minimally affected in a first mode in that original data packets continue to their destination after they are copied creating copied data packets which are analyzed for the computer virus, and wherein when the virus sensor detects the computer virus, the virus sensor switches to a second mode, wherein original data packets are analyzed and a subset of data packets determined to be infected or suspected of being infected are not returned to the network and wherein the virus monitor is able to automatically collect network environment data and assign an IP address to itself, and wherein the virus monitor automatically locates a controller in the network and registers itself with the controller, from where the virus monitor receives a rule set and an outbreak prevention policy (OPP); and

a traffic controller coupled to the virus sensor and the network arranged to select certain data packets wherein the selected data packets are forwarded to the virus sensor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network level virus monitoring system capable of monitoring a flow of network traffic in any of a number of inspection modes depending upon the particular needs of a system administrator. The monitoring provides an early warning of a virus attack thereby facilitating quarantine procedures directed at containing a virus outbreak. By providing such an early warning, the network virus monitor reduces the number of computers ultimately affected by the virus attack resulting in a concomitant reduction in both the cost of repair to the system and the amount of downtime. In this way, the inventive network virus monitor provides a great improvement in system uptime and reduction in system losses.

317 Citations

20 Claims

1. In a distributed network of interconnected computing devices, a network virus monitor, comprising:
- a virus sensor operable in a number of modes arranged to detect a computer virus in the network such that the bandwidth of the network is minimally affected in a first mode in that original data packets continue to their destination after they are copied creating copied data packets which are analyzed for the computer virus, and wherein when the virus sensor detects the computer virus, the virus sensor switches to a second mode, wherein original data packets are analyzed and a subset of data packets determined to be infected or suspected of being infected are not returned to the network and wherein the virus monitor is able to automatically collect network environment data and assign an IP address to itself, and wherein the virus monitor automatically locates a controller in the network and registers itself with the controller, from where the virus monitor receives a rule set and an outbreak prevention policy (OPP); and
  
  a traffic controller coupled to the virus sensor and the network arranged to select certain data packets wherein the selected data packets are forwarded to the virus sensor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A monitor as recited in claim 1, wherein the traffic controller further comprises:
    - a data packet copier operable in the first mode and arranged to generate a copied data packet of each of the selected data packets wherein the selected data packets are returned to the network.
  - 3. A monitor as recited in claim 2, wherein the data packet copier is disabled in the second mode such that the selected data packets are passed to the virus sensor.
  - 4. A monitor as recited in claim 3, wherein the virus monitor further comprises:
    - a data packet protocol identifier coupled to the virus sensor arranged to identify a data packet protocol associated with the data packet infected by a computer virus.
  - 5. A monitor as recited in claim 4, wherein the selected data packets to be forwarded to the virus monitor are each associated with the data packet protocol associated with the computer virus.
  - 6. A monitor as recited in claim 1, wherein the virus sensor unit further comprises:
    - a filescan module arranged to scan a selected file for the computer virus.
  - 7. A monitor as recited in claim 6, wherein the filescan is remotely located.
  - 8. A monitor as recited in claim 7, wherein the remotely located filescan is used for scanning selected files larger than a set file size.

9. A method of monitoring a distributed network of computing devices for a computer virus at a virus monitor coupled to the distributed network, comprising:
- monitoring a flow of data packets in the network for the computer virus while minimally reducing the flow of data packets in a standby mode, wherein data packets continue to their destination after they are copied creating copied data packets which are analyzed for the computer virus, thereby preserving network bandwidth;
  
  determining that at least one of the copied data packets is infected or suspected of being infected with the computer virus;
  
  monitoring the flow of data packets in an inline mode wherein original data packets are analyzed and wherein data packets that are determined to be infected or suspected of infection are not returned to the flow of data packets; and
  
  initializing the virus monitor by automatically;
  
  collecting network environment data;
  
  assigning an IP address to the virus monitor;
  
  locating a controller in the network; and
  
  registering the virus monitor with the controller, from where the virus monitor receives a rule set and an outbreak prevention policy (OPP).
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A method as recited in claim 9, further comprising:
    - isolating a portion of the network infected by the computer virus; and
      
      cleaning the isolated portion of the network.
  - 11. A method as recited in claim 9, further comprising:
    - sending a virus report to a controller.
  - 12. A method as recited in claim 9, further comprising:
    - copying selected ones of the flow of data packets from correspondingoriginal data packets retrieved from the flow of data packets based upon a packet type; and
      
      returning the retrieved data packets to the flow of data packets.
  - 13. A method as recited in claim 12, wherein the packet type is determined by the detected computer virus.
  - 14. A method as recited in claim 13, wherein a network bandwidth associated with the standby mode is minimally affected by the monitoring.

15. A computer-readable medium storing computer code for monitoring a distributed network of computing devices for a computer virus at a virus monitor coupled to the distributed network, the computer-readable medium comprising:
- computer code for monitoring a flow of data packets in the network for the computer virus while minimally reducing the flow of data packets in a standby mode, wherein data packets continue to their destination after they are copied creating copied data packets which are analyzed for the computer virus, thereby preserving network bandwidth;
  
  computer code for determining that at least one of the copied data packets is infected or suspected of being infected with the computer virus;
  
  computer code for monitoring the flow of data packets in an inline mode wherein original data packets are analyzed and wherein data packets that are determined to be infected or suspected of infection are not returned to the flow of data packets;
  
  computer code for automatically collecting network environment data at the virus monitor;
  
  computer code for automatically assigning an IP address to the virus monitor; and
  
  computer code for automatically locating a controller in the network and registering the virus monitor with the controller, from where the virus monitor receives a rule set and an outbreak prevention policy (OPP).
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A computer-readable medium as recited in claim 15, further comprising:
    - computer code for isolating a portion of the network infected by the computer virus; and
      
      computer code for cleaning the isolated portion of the network.
  - 17. A computer-readable medium as recited in claim 15, further comprising:
    - computer code for sending a virus report to a controller.
  - 18. A computer-readable medium as recited in claim 15, further comprising:
    - computer code for copying selected ones of the flow of data packets from corresponding original data packets retrieved from the flow of data packets based upon a packet type; and
      
      computer code for returning the retrieved data packets to the flow of data packets.
  - 19. A computer-readable medium as recited in claim 18, further comprising:
    - computer code for determining the packet type using the detected computer virus.
  - 20. A computer-readable medium as recited in claim 19, wherein a network bandwidth associated with the standby mode is minimally affected by the monitoring.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Chen, Yi Fen, Liang, Yung Chang
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/684,330
Publication Number

US 20050050338A1
Time in Patent Office

2,021 Days
Field of Search

726/13, 726/24, 709/224, 713/188
US Class Current

726/13
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/108   when the policy decisions a...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Virus monitor and methods of use thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

317 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virus monitor and methods of use thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

317 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links