Using threshold lists for worm detection
First Claim
1. A computer-implemented method for screening communication traffic, comprising:
- defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
- monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time;
- defining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
- responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses:
- reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
- invoking a response to malicious network traffic,
wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
Abstract
A computer-implemented method is provided for screening communication traffic. A list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one, are defined. Network traffic from a plurality of sources is monitored, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time. A response to malicious network traffic is invoked responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses, wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
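The abstract and claim 1 describe a detector with three moving parts: a per-source count of unique destinations over a window, a list of (source-count, destination-count) threshold pairs that fires when at least the first number of sources each reached at least the second number of destinations, and bins with cut-off values whose populations can pull a threshold downward. The following is an added illustration of that logic, not code from the patent or its assignee. The flow records are constructed, and the rule for when a bin "exceeds its threshold" (a per-bin source-count limit, `bin_source_limits`) is an assumption, since the claims do not spell it out.

```python
from collections import defaultdict

# Constructed sample flow records for one observation window: (source_ip, destination_ip).
# Three sources fan out to many destinations (worm-like), two behave normally.
SAMPLE_FLOWS = (
    [("10.0.0.1", f"192.0.2.{i}") for i in range(30)]
    + [("10.0.0.2", f"198.51.100.{i}") for i in range(25)]
    + [("10.0.0.3", f"203.0.113.{i}") for i in range(12)]
    + [("10.0.0.4", f"192.0.2.{i}") for i in range(3)]
    + [("10.0.0.5", "192.0.2.1")] * 4  # repeated contacts count as one destination
)


def unique_destinations_per_source(flows):
    """Count, per source, the distinct destination addresses it sent data to."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def fill_bins(counts, bin_cutoffs):
    """Each bin holds the number of sources whose unique-destination count
    is strictly greater than the bin's cut-off value (claim 1, third step)."""
    return {cutoff: sum(1 for n in counts.values() if n > cutoff) for cutoff in bin_cutoffs}


def triggered_threshold_pairs(counts, threshold_pairs):
    """Return the pairs for which at least `first` sources each reached
    at least `second` unique destinations."""
    triggered = []
    for first, second in threshold_pairs:
        if first <= 1:
            raise ValueError("each first threshold value must be greater than one")
        qualifying_sources = sum(1 for n in counts.values() if n >= second)
        if qualifying_sources >= first:
            triggered.append((first, second))
    return triggered


def reduce_threshold(current, bins, bin_source_limits):
    """Lower a destination threshold to the cut-off of a bin whose population
    exceeded its limit. The per-bin limit is an assumption for this example;
    the lowest such cut-off is chosen so the threshold only ever decreases."""
    exceeded = [cutoff for cutoff, population in bins.items()
                if population > bin_source_limits[cutoff]]
    if not exceeded:
        return current
    return min(current, min(exceeded))


def screen(flows, threshold_pairs, bin_cutoffs, bin_source_limits):
    """Run one screening pass over a window of flows and report the outcome."""
    counts = unique_destinations_per_source(flows)
    bins = fill_bins(counts, bin_cutoffs)
    triggered = triggered_threshold_pairs(counts, threshold_pairs)
    # Adapted pairs: second (destination) thresholds pulled down by over-full bins.
    adapted = [(first, reduce_threshold(second, bins, bin_source_limits))
               for first, second in threshold_pairs]
    return {
        "counts": counts,
        "bins": bins,
        "triggered": triggered,
        "adapted_pairs": adapted,
        "respond": bool(triggered),  # "invoking a response" is left to the caller
    }


if __name__ == "__main__":
    result = screen(
        SAMPLE_FLOWS,
        threshold_pairs=[(2, 20), (3, 10), (5, 5)],
        bin_cutoffs=[5, 10, 20],
        bin_source_limits={5: 4, 10: 2, 20: 1},  # assumed per-bin limits
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample window two sources exceed 20 destinations and three exceed 10, so the pairs (2, 20) and (3, 10) fire while (5, 5) does not; the 10- and 20-cut-off bins are over their assumed limits, so the (2, 20) pair's destination threshold is lowered to 10 for the next window. In a real deployment the window length and the bin limits are the tuning knobs that trade detection latency against false positives on legitimate fan-out hosts such as DNS resolvers or mail relays.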
40 Claims
1. A computer-implemented method for screening communication traffic, comprising:
- defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
- monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time;
- defining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
- responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses:
- reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
- invoking a response to malicious network traffic,
wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
(Dependent claims 2 to 18 depend on claim 1.)
19. Apparatus for screening communication traffic, comprising:
- an event detector using hardware elements, which is adapted to monitor network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time, and which contains a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
- a recognition module using hardware elements, which is adapted:
- to define a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
- to reduce a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
- to invoke a response to malicious network traffic responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses,
wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
(Dependent claims 20 to 36 depend on claim 19.)
37. Apparatus for screening communication traffic, comprising:
- hardware means for defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
- hardware means for monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time;
- hardware means for maintaining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin;
- hardware means for invoking a response to malicious network traffic responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses; and
- hardware means for reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded,
wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
(Dependent claim 38 depends on claim 37.)
39. A computer software product for screening packet-based communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to define a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;
- to monitor network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time;
- to define a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and
- responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses:
- to reduce a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and
- to invoke a response to malicious network traffic,
wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
(Dependent claim 40 depends on claim 39.)