Using threshold lists for worm detection

US 7,624,447 B1
Filed: 09/08/2005
Issued: 11/24/2009
Est. Priority Date: 09/08/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for screening communication traffic, comprising:

defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;

monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time; and

defining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and

responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses;

reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and

invoking a response to malicious network traffic,wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method is provided for screening communication traffic. A list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one, are defined. Network traffic from a plurality of sources is monitored, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time. A response to malicious network traffic is invoked responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses, wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.

Citations

40 Claims

1. A computer-implemented method for screening communication traffic, comprising:
- defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
  
  monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time; and
  
  defining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
  
  responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses;
  
  reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
  
  invoking a response to malicious network traffic,wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method according to claim 1, wherein the list includes two or more threshold pairs, and wherein defining the list comprises defining the list of the two or more threshold pairs.
  - 3. The method according to claim 2, wherein the first threshold value of a first one of the pairs is greater than the first threshold value of a second one of the pairs, and the second threshold value of the first one of the pairs is less than the second threshold value of the second one of the pairs.
  - 4. The method according to claim 2, wherein invoking the response comprises blocking at least a portion of the data sent from the plurality of sources.
  - 5. The method according to claim 2, wherein defining the list comprises:
    - monitoring the network traffic from the plurality of sources during a period of time considered to be peacetime, so as to determine for each source a baseline count of the unique destination addresses to which the determining, responsively to monitoring the network during the peacetime period to at least a fourth number defining the first and second threshold values of source transmitted data during the peacetime period;
      
      traffic, that each of a third number of sources sent data of destination addresses; and
      
      one of the pairs based on the third and fourth numbers.
  - 6. The method according to claim 2, wherein defining the list comprises performing an analysis of the network traffic during the period of time, and defining the list responsively to the analysis.
  - 7. The method according to claim 2, and comprising:
    - defining a global threshold value; and
      
      blocking data sent from one of the sources upon determining that the one of the sources sent data to a third number of the destination addresses at least equal to the global threshold value during the period of time, without regard to finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 8. The method according to claim 7, wherein defining the global threshold value comprises decreasing the global threshold value upon finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 9. The method according to claim 1, wherein invoking the response comprises determining that at least a portion of the network traffic was generated by a worm.
  - 10. The method according to claim 1, wherein monitoring comprises monitoring the network traffic from the plurality of sources, so as to determine for each source the count of unique destination addresses with which the source attempted to establish connections during the period of time.
  - 11. The method according to claim 10, wherein monitoring comprises monitoring the network traffic from the plurality of sources, so as to determine for each source the count of unique destination addresses with which the source unsuccessfully attempted to establish the connections during the period of time.
  - 12. The method according to claim 1, wherein invoking the response comprises blocking at least a portion of the data sent from the plurality of sources.
  - 13. The method according to claim 1, wherein defining the list comprises:
    - monitoring the network traffic from the plurality of sources during a period of time considered to be peacetime, so as to determine for each source a baseline count of the unique destination addresses to which the source transmitted data during the peacetime period;
      
      determining, responsively to monitoring the network traffic, that each of a third number of the sources sent data during the peacetime period to at least a fourth number of the destination addresses; and
      
      defining the first and second threshold values of one of the pairs based on the third and fourth numbers.
  - 14. The method according to claim 1, wherein defining the list comprises performing an analysis of the network traffic during the period of time, and defining the list responsively to the analysis.
  - 15. The method according to claim 1, and comprising:
    - defining a global threshold value; and
      
      blocking data sent from one of the sources upon determining that the one of the sources sent data to a third number of the destination addresses at least equal to the global threshold value during the period of time, without regard to finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 16. The method according to claim 15, wherein defining the global threshold value comprises decreasing the global threshold value upon finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 17. The method according to claim 1,wherein monitoring the network traffic comprises monitoring the network traffic from the plurality of sources using a destination protocol port, so as to determine for each source the count of unique destination addresses to which the source transmitted data using the destination protocol port during the period of time, andwherein invoking the response comprises invoking the response responsively to finding that each of the first number of the sources sent data to at least the second number of the destination addresses using the destination protocol port.
  - 18. The method according to claim 1, wherein at least one of the second threshold values is greater than one.

19. Apparatus for screening communication traffic, comprising:
- an event detector using hardware elements, which is adapted to monitor network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time, and which contains a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
  
  a recognition module using hardware elements, which is adapted;
  
  to define a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
  
  to reduce a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
  
  to invoke a response to malicious network traffic responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses, wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The apparatus according to claim 19, wherein the list includes two or more threshold pairs, and wherein the recognition module is adapted to define the list of the two or more threshold pairs.
  - 21. The apparatus according to claim 20, wherein the first threshold value of a first one of the pairs is greater than the first threshold value of a second one of the pairs, and the second threshold value of the first one of the pairs is less than the second threshold value of the second one of the pairs.
  - 22. The apparatus according to claim 20, wherein the recognition module is adapted to invoke the response by blocking at least a portion of the data sent from the plurality of sources.
  - 23. The apparatus according to claim 20, wherein the recognition module is adapted:
    - to determine for each source, responsively to the network traffic from the plurality of sources during a period of time considered to be peacetime, a baseline count of the unique destination addresses to which the during the peacetime period to at least a fourth number source transmitted data during the peacetime period, to determine, responsively to monitoring the network traffic, that each of a third number of sources sent data of destination addresses, andto define the first and second threshold values of one of the pairs based on the third and fourth numbers.
  - 24. The apparatus according to claim 20, wherein the recognition module is adapted to perform an analysis of the network traffic during the period of time, and define the list responsively to the analysis.
  - 25. The apparatus according to claim 20, wherein the recognition module is adapted to define a global threshold value, and block data sent from one of the sources upon determining that the one of the sources sent data to a third number of the destination addresses at least equal to the global threshold value during the period of time, without regard to finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 26. The apparatus according to claim 25, wherein the recognition module is adapted to decrease the global threshold value upon finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 27. The apparatus according to claim 19, wherein the recognition module is adapted to determine that at least a portion of the network traffic was generated by a worm.
  - 28. The apparatus according to claim 19, wherein the event detector is adapted to monitor the network traffic from the plurality of sources, so as to determine for each source the count of unique destination addresses with which the source attempted to establish connections during the period of time.
  - 29. The apparatus according to claim 28, wherein the event detector is adapted to monitor the network traffic from the plurality of sources, so as to determine for each source the count of unique destination addresses with which the source unsuccessfully attempted to establish the connections during the period of time.
  - 30. The apparatus according to claim 19, wherein the recognition module is adapted to invoke the response by blocking at least a portion of the data sent from the plurality of sources.
  - 31. The apparatus according to claim 19, wherein the recognition module is adapted:
    - to determine for each source, responsively to the network traffic from the plurality of sources during a count of the unique destination addresses to which the period of time considered to be peacetime, a baseline source transmitted data during the peacetime period,to determine, responsively to monitoring the network traffic, that each of a third number of the sources sent data during the peacetime period to at least a fourth number of the destination addresses, and to define the first and second threshold values of one of the pairs based on the third and fourth numbers.
  - 32. The apparatus according to claim 19, wherein the recognition module is adapted to perform an analysis of the network traffic during the period of time, and define the list responsively to the analysis.
  - 33. The apparatus according to claim 19, wherein the recognition module is adapted to define a global threshold value, and block data sent from one of the sources upon determining that the one of the sources sent data to a third number of the destination addresses at least equal to the global threshold value during the period of time, without regard to finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 34. The apparatus according to claim 33, wherein the recognition module is adapted to decrease the global threshold value upon finding that each of the first number of the sources sent data to at least the second number of the destination addresses.
  - 35. The apparatus according to claim 19, wherein the event detector is adapted to monitor the network traffic from the plurality of sources using a destination protocol port, so as to determine for each source the count of unique destination addresses to which the source transmitted data using the destination protocol port during the period of time, and wherein the recognition module is adapted to invoke the response responsively to finding that each of the first number of the sources sent data to at least the second number of the destination addresses using the destination protocol port.
  - 36. The apparatus according to claim 19, wherein at least one of the second threshold values is greater than one.

37. Apparatus for screening communication traffic, comprising:
- hardware means for defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
  
  hardware means for monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time;
  
  hardware means for maintaining a plurality of bins for the unique destination addresses each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin;
  
  hardware means for invoking a response to malicious network traffic responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses, andhardware means for reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded,wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
- View Dependent Claims (38)
- - 38. The apparatus according to claim 37, wherein the list includes two or more threshold pairs, and wherein the means for defining the list are adapted to define the list of the two or more threshold pairs.

39. A computer software product for screening packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to define a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one,to monitor network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time,to define a plurality of bins for the unique destination addresses each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
  
  responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses;
  
  to reduce a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
  
  to invoke a response to malicious network traffic,wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
- View Dependent Claims (40)
- - 40. The product according to claim 39, wherein the list includes two or more threshold pairs, and wherein the instructions cause the computer to define the list of the two or more threshold pairs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Karmi, Dror, Stein, Yehiel, Horowitz, Keren, Rivlin, Rami, Touitou, Dan, Tzadikario, Rephael
Primary Examiner(s)
Dada; Beemnet W

Application Number

US11/222,730
Time in Patent Office

1,538 Days
Field of Search

726 22- 25, 713/153, 713/154, 713/151, 713/178, 713/188, 709/224, 709/229
US Class Current

726/23
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/1441 Countermeasures against mal...

Using threshold lists for worm detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Using threshold lists for worm detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links