Automatic registration of a virus/worm monitor in a distributed network

US 7,565,550 B2
Filed: 10/09/2003
Issued: 07/21/2009
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a distributed network having a number of server computers and associated client devices, a network virus defense system, comprising:

a network virus/worm sensor operable in a number of modes arranged to detect a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus, and wherein in the second mode, the received data packets are not copied and a subset of the received data packets determined to be infected or suspected of being infected by the network virus/worm sensor are not returned to the network;

a traffic controller coupled to the distributed network arranged to select original data packets, wherein the selected original data packets or a copy of the selected original data packets are forwarded to the network virus/worm sensor;

a network virus sensor self registration module coupled to the network virus/worm sensor arranged to automatically self register the coupled network virus/worm sensor;

a controller storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms, said controller using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform; and

an anti-virus agent creation module arranged to create an anti-virus agent having a detection module, an infection module and a payload.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network level virus monitoring system capable of monitoring a flow of network traffic in any of a number of inspection modes depending upon the particular needs of a system administrator. The system includes a network virus sensor self registration module coupled to a network virus/worm sensor arranged to automatically self register the associated network virus/worm sensor. The monitoring provides an early warning of a virus attack thereby facilitating quarantine procedures directed at containing a virus outbreak. By providing such an early warning, the network virus monitor reduces the number of computers ultimately affected by the virus attack resulting in a concomitant reduction in both the cost of repair to the system and the amount of downtime. In this way, the inventive network virus monitor provides a great improvement in system uptime and reduction in system losses.

Citations

29 Claims

1. In a distributed network having a number of server computers and associated client devices, a network virus defense system, comprising:
- a network virus/worm sensor operable in a number of modes arranged to detect a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus, and wherein in the second mode, the received data packets are not copied and a subset of the received data packets determined to be infected or suspected of being infected by the network virus/worm sensor are not returned to the network;
  
  a traffic controller coupled to the distributed network arranged to select original data packets, wherein the selected original data packets or a copy of the selected original data packets are forwarded to the network virus/worm sensor;
  
  a network virus sensor self registration module coupled to the network virus/worm sensor arranged to automatically self register the coupled network virus/worm sensor;
  
  a controller storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms, said controller using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform; and
  
  an anti-virus agent creation module arranged to create an anti-virus agent having a detection module, an infection module and a payload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A system as recited in claim 1, wherein during an initialization phase of the network virus/worm sensor, the network virus sensor self registration module collects selected network environmental information and network configuration information.
  - 3. A system as recited in claim 2, wherein when the distributed network is an IP based type network, the selected network environmental information includes an IP address for all of the relevant client devices included in the IP-based type network.
  - 4. A system as recited in claim 3, wherein the network configuration information includes self configuration information related to an appropriate IP address for the network virus/worm sensor.
  - 5. A system as recited in claim 4, wherein the network configuration information includes locations of all relevant server computers.
  - 6. A system as recited in claim 5, wherein selected ones of the relevant server computers are identified as controllers.
  - 7. A system as recited in claim 6, wherein each of the identified controllers includes a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for use by a system administrator for both preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak.
  - 8. A system as recited in claim 7, wherein during the initialization phase, each of the rules engines associated with each of the identified controllers are updated with a set of detection rules for detecting computer viruses and worms.
  - 9. A system as recited in claim 7, wherein during the initialization phase, each of the outbreak prevention policy distribution and execution engines associated with each of the identified controllers are updated with a set of anti-virus policies, a set of anti-virus protocols, and a set of anti-virus procedures.

10. ln a distributed network having a number of server computers and associated client devices and a network virus/worm sensor operable in a number of modes, a method of self registering a network virus defense system comprising:
- forwarding original data packets or a copy of the original data packets to the network virus/worm sensor using a traffic controller module coupled to the network virus/worm sensor;
  
  detecting a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus or computer worm, and wherein in the second mode, the received data packets are not copied and a subset of data packets determined to be infected or suspected of being infected by the network virus/worm sensor are not returned to the network;
  
  automatically self registering the network virus/worm sensor using a network virus sensor self registration module coupled to the network virus/worm sensor;
  
  storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules in, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform;
  
  providing an anti-virus agent from known viruses and unknown viruses subsequently analyzed;
  
  creating a detection module that detects whether a client device is infected with a virus;
  
  creating an anti-virus infection module that overwrites the virus in the client device with the anti-virus agent; and
  
  creating a payload based on features of the detected computer virus or computer worm, wherein the payload cleans and repairs damage done to the client device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. A method as recited in claim 10, further comprising:
    - during an initialization phase of the network virus/worm sensor, collecting selected network environmental information and network configuration information by the network virus/worm self registration module.
  - 12. A method as recited in claim 11, wherein when the distributed network is an IP based type network, the selected network environmental information includes an IP address for all of the relevant client devices included in the IP-based type network.
  - 13. A method as recited in claim 12, wherein the network configuration information includes self configuration information related to an appropriate IP address for the network virus/worm sensor.
  - 14. A method as recited in claim 13, wherein the network configuration information includes locations of all relevant server computers.
  - 15. A method as recited in claim 14, wherein selected ones of the relevant server computers are identified as controllers.
  - 16. A method as recited in claim 15, wherein each of the identified controllers includes a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for use by a system administrator for both preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak.
  - 17. A method as recited in claim 16, further comprising:
    - during the initialization phase,updating each of the rules engines associated with each of the identified controllers with a set of detection rules for detecting computer viruses and worms.
  - 18. A method as recited in claim 16, further comprising:
    - during the initialization phase,updating each of the outbreak prevention policy distribution and execution engines associated with each of the identified controllers with a set of anti-virus policies, a set of anti-virus protocols, and a set of anti-virus procedures.
  - 19. A method as recited in claim 10, wherein in a first mode the bandwidth of the network is substantially unaffected by the network virus/worm sensor, the network virus/worm sensor not removing or adding network traffic but copying data packets, and wherein when the network virus/worm sensor detects a computer virus or a computer worm, the virus/worm sensor switches to a second mode such that only those data packets infected by the computer virus are not returned to the network.

20. ln a distributed network having a number of server computers and associated client devices, computer program product for self registering a network virus defense system, that includes a network virus/worm sensor operable in a number of modes arranged to detect a computer virus or a computer worm in the network, comprising:
- computer code for forwarding original data packets or a copy of the original data packets to the network virus/worm sensor using a traffic controller module coupled to the network virus/worm sensor;
  
  computer code for detecting a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus or computer worm, and wherein in the second mode, the received data packets are not copied and a subset of data packets determined to be infected or suspected of being infected are not returned to the network;
  
  computer code for automatically self registering the network virus/worm sensor by a network virus sensor self registration module coupled to the network virus/worm sensor;
  
  computer code for storing a rules engine used to store and source a plurality of detection rules from detecting computer viruses and worms and using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform;
  
  computer code for providing an anti-virus agent from known viruses and unknown viruses subsequently analyzed;
  
  computer code for creating a detection module that detects whether a client device is infected with a virus;
  
  computer code for creating an anti-virus infection module that overwrites the virus in the client device with the anti-virus agent; and
  
  computer code for creating a payload created based on features of the detected computer virus or computer worm, wherein the payload cleans and repairs damage done to the client device; and
  
  computer readable medium for storing the computer code.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. Computer program product as recited in claim 20, further comprising:
    - computer code for collecting selected network environmental information and network configuration information by the network virus/worm self registration module during an initialization phase.
  - 22. Computer program product as recited in claim 21, wherein when the network is an IP based type network, the selected network environmental information includes an IP address for all of the relevant client devices included in the network.
  - 23. Computer program product as recited in claim 22, wherein the network configuration information includes self configuration information related to an appropriate IP address for the network virus/worm sensor.
  - 24. Computer program product as recited in claim 23, wherein the network configuration information includes locations of all relevant server computers.
  - 25. Computer program product as recited in claim 24, wherein selected ones of the relevant server computers are identified as controllers.
  - 26. Computer program product as recited in claim 25, wherein each of the identified controllers includes a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for use by a system administrator for both preventing viral outbreaks and repairing any subsequent damage caused by a viral outbreak.
  - 27. Computer program product as recited in claim 26, further comprising:
    - during the initialization phase,updating each of the rules engines associated with each of the identified controllers with a set of detection rules for detecting computer viruses and worms.
  - 28. Computer program product as recited in claim 26, further comprising:
    - computer code for updating each of the outbreak prevention policy distribution and execution engines associated with each of the identified controllers with a set of anti-virus policies, a set of anti-virus protocols, and a set of anti-virus procedures during the initialization phase.
  - 29. Computer program product as recited in claim 20, wherein in a first mode the bandwidth of the network is substantially unaffected by the network virus/worm sensor, the network virus/worm sensor not removing or adding network traffic but copying data packets, and wherein when the network virus/worm sensor detects a computer virus or a computer worm, the network virus/worm sensor switches to a second mode such that only those data packets infected by the computer virus are not returned to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Liang, Yung Chang, Chen, Yi Fen
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/683,582
Publication Number

US 20050050335A1
Time in Patent Office

2,112 Days
Field of Search

713/187, 713/188, 726/22, 726/23, 726/24, 726/25
US Class Current

713/188
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/108   when the policy decisions a...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Automatic registration of a virus/worm monitor in a distributed network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic registration of a virus/worm monitor in a distributed network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links