Automatic registration of a virus/worm monitor in a distributed network
First Claim
1. In a distributed network having a number of server computers and associated client devices, a network virus defense system, comprising:
a network virus/worm sensor operable in a number of modes arranged to detect a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus, and wherein in the second mode, the received data packets are not copied and a subset of the received data packets determined to be infected or suspected of being infected by the network virus/worm sensor are not returned to the network;
a traffic controller coupled to the distributed network arranged to select original data packets, wherein the selected original data packets or a copy of the selected original data packets are forwarded to the network virus/worm sensor;
a network virus sensor self registration module coupled to the network virus/worm sensor arranged to automatically self register the coupled network virus/worm sensor;
a controller storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms, said controller using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform; and
an anti-virus agent creation module arranged to create an anti-virus agent having a detection module, an infection module and a payload.
Abstract
A network level virus monitoring system capable of monitoring a flow of network traffic in any of a number of inspection modes depending upon the particular needs of a system administrator. The system includes a network virus sensor self registration module coupled to a network virus/worm sensor arranged to automatically self register the associated network virus/worm sensor. The monitoring provides an early warning of a virus attack thereby facilitating quarantine procedures directed at containing a virus outbreak. By providing such an early warning, the network virus monitor reduces the number of computers ultimately affected by the virus attack resulting in a concomitant reduction in both the cost of repair to the system and the amount of downtime. In this way, the inventive network virus monitor provides a great improvement in system uptime and reduction in system losses.
29 Claims
1. Set out above under First Claim. Dependent claims: 2 to 9.
10. In a distributed network having a number of server computers and associated client devices and a network virus/worm sensor operable in a number of modes, a method of self registering a network virus defense system comprising:
forwarding original data packets or a copy of the original data packets to the network virus/worm sensor using a traffic controller module coupled to the network virus/worm sensor;
detecting a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus or computer worm, and wherein in the second mode, the received data packets are not copied and a subset of data packets determined to be infected or suspected of being infected by the network virus/worm sensor are not returned to the network;
automatically self registering the network virus/worm sensor using a network virus sensor self registration module coupled to the network virus/worm sensor;
storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform;
providing an anti-virus agent from known viruses and unknown viruses subsequently analyzed;
creating a detection module that detects whether a client device is infected with a virus;
creating an anti-virus infection module that overwrites the virus in the client device with the anti-virus agent; and
creating a payload based on features of the detected computer virus or computer worm, wherein the payload cleans and repairs damage done to the client device.
Dependent claims: 11 to 19.
20. In a distributed network having a number of server computers and associated client devices, a computer program product for self registering a network virus defense system that includes a network virus/worm sensor operable in a number of modes arranged to detect a computer virus or a computer worm in the network, comprising:
computer code for forwarding original data packets or a copy of the original data packets to the network virus/worm sensor using a traffic controller module coupled to the network virus/worm sensor;
computer code for detecting a computer virus or a computer worm in the network, the network virus/worm sensor switching from a first mode to a second mode when the computer virus or computer worm is detected, wherein in the first mode, the bandwidth of the network is minimally affected in that received data packets are not removed from or added to network traffic, but are copied, and the copied data packets are used in detecting the computer virus or computer worm, and wherein in the second mode, the received data packets are not copied and a subset of data packets determined to be infected or suspected of being infected are not returned to the network;
computer code for automatically self registering the network virus/worm sensor by a network virus sensor self registration module coupled to the network virus/worm sensor;
computer code for storing a rules engine used to store and source a plurality of detection rules for detecting computer viruses and worms and using statistical results of observed abnormal events as recorded and monitored by the network virus/worm sensor, the abnormal events defined in policies and in the plurality of detection rules, and wherein the network virus/worm sensor generates an abnormal behavior report which is evaluated by one of said server computers to determine an action to perform;
computer code for providing an anti-virus agent from known viruses and unknown viruses subsequently analyzed;
computer code for creating a detection module that detects whether a client device is infected with a virus;
computer code for creating an anti-virus infection module that overwrites the virus in the client device with the anti-virus agent;
computer code for creating a payload based on features of the detected computer virus or computer worm, wherein the payload cleans and repairs damage done to the client device; and
a computer readable medium for storing the computer code.
Dependent claims: 21 to 29.
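The two inspection modes, the self-registration step and the rules engine with its abnormal behavior report recur in claims 1, 10 and 20. As an added illustration, written for this page and not taken from the patent or any product implementing it, the following Python simulates that pipeline over a handful of constructed packets: the sensor starts in the copy mode (the original packet is always returned, a copy is inspected), flips to the inline mode on the first detection (flagged originals are then withheld), registers its mode with a controller, and the controller evaluates the report to choose an action. The class and rule names, the signature and fan-out thresholds, the sensor identifier and the sample traffic are all assumptions of the example; the anti-virus agent creation elements of the claims are not modelled.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# All names, rules and traffic below are assumptions of this example, not the patent's.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    signature: bytes = b""              # byte pattern that marks a packet as infected
    fanout_limit: Optional[int] = None  # abnormal event: one source reaching more than N hosts


class RulesEngine:
    """Stores the detection rules and the statistics of observed abnormal events."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.fanout = defaultdict(set)  # src -> distinct destinations seen so far
        self.events = Counter()         # rule name -> abnormal events recorded

    def evaluate(self, pkt: Packet) -> list:
        self.fanout[pkt.src].add(pkt.dst)
        hits = []
        for r in self.rules:
            if r.signature and r.signature in pkt.payload:
                hits.append(r.name)
            elif r.fanout_limit is not None and len(self.fanout[pkt.src]) > r.fanout_limit:
                hits.append(r.name)
        self.events.update(hits)
        return hits


class Controller:
    """Server-side component: holds the sensor registry and acts on reports."""

    def __init__(self):
        self.sensors = {}         # sensor id -> mode last announced by the sensor
        self.quarantined = set()

    def register(self, sensor_id: str, mode: str) -> None:
        self.sensors[sensor_id] = mode

    def evaluate_report(self, report) -> list:
        """Action chosen here: quarantine the source of every flagged packet."""
        for entry in report:
            self.quarantined.add(entry["src"])
        return sorted(self.quarantined)


class Sensor:
    COPY_MODE = "copy"      # first mode: traffic passes untouched, a copy is inspected
    INLINE_MODE = "inline"  # second mode: no copy, flagged packets are not returned

    def __init__(self, sensor_id: str, engine: RulesEngine, controller: Controller):
        self.sensor_id, self.engine, self.controller = sensor_id, engine, controller
        self.mode = self.COPY_MODE
        self.report = []                                   # abnormal behavior report
        self.controller.register(sensor_id, self.mode)     # self-registration at start-up

    def process(self, pkt: Packet) -> list:
        """Return the packets handed back to the network: the original, or nothing."""
        mode = self.mode
        if mode == self.COPY_MODE:
            copy = Packet(pkt.src, pkt.dst, pkt.dport, bytes(pkt.payload))
            hits = self.engine.evaluate(copy)              # only the copy is inspected
            returned = [pkt]                               # original is never withheld here
            if hits:                                       # first detection flips the sensor
                self.mode = self.INLINE_MODE
                self.controller.register(self.sensor_id, self.mode)
        else:
            hits = self.engine.evaluate(pkt)               # original inspected, no copy made
            returned = [] if hits else [pkt]               # flagged packet is withheld
        if hits:
            self.report.append({"sensor": self.sensor_id, "mode": mode,
                                "src": pkt.src, "dst": pkt.dst, "rules": hits})
        return returned


SAMPLE_TRAFFIC = [  # constructed for this example
    Packet("10.0.0.5", "10.0.0.9", 80, b"GET / HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.9", 445, b"\x00SMB WORM_PAYLOAD"),
    Packet("10.0.0.7", "10.0.0.10", 445, b"\x00SMB WORM_PAYLOAD"),
    Packet("10.0.0.5", "10.0.0.11", 80, b"GET /index HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.12", 445, b"\x00SMB NEGOTIATE"),
    Packet("10.0.0.7", "10.0.0.13", 445, b"\x00SMB NEGOTIATE"),
]


def run_demo(traffic=SAMPLE_TRAFFIC) -> dict:
    controller = Controller()
    engine = RulesEngine([Rule("worm-signature", signature=b"WORM_PAYLOAD"),
                          Rule("scan-fanout", fanout_limit=3)])
    sensor = Sensor("sensor-1", engine, controller)
    returned = sum(len(sensor.process(p)) for p in traffic)
    return {
        "registered": dict(controller.sensors),
        "final_mode": sensor.mode,
        "returned": returned,
        "dropped": len(traffic) - returned,
        "events": dict(engine.events),
        "report_modes": [e["mode"] for e in sensor.report],
        "quarantined": controller.evaluate_report(sensor.report),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the run makes visible that the claim language does not. First, the packet that triggers the mode switch is itself returned to the network, because in the copy mode the sensor only ever sees a copy; containment starts with the next packet, so the first infected packet still reaches its destination. Second, the fan-out rule fires from the rules engine's own statistics rather than from a signature, which is how the "statistical results of observed abnormal events" can withhold a packet whose payload looks benign; the threshold is a policy choice, and a low one will withhold legitimate traffic from a busy host.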