
Using threshold lists for worm detection

  • US 7,624,447 B1
  • Filed: 09/08/2005
  • Issued: 11/24/2009
  • Est. Priority Date: 09/08/2005
  • Status: Active Grant
First Claim

1. A computer-implemented method for screening communication traffic, comprising:

  • defining a list of one or more threshold pairs including respective first and second threshold values, each of which first threshold values is greater than one;

  • monitoring network traffic from a plurality of sources, so as to determine for each source a count of unique destination addresses to which the source transmitted data during a period of time; and

  • defining a plurality of bins for the unique destination addresses, each bin having a cut-off value and holding a number of source IP addresses that attempted to establish connections with a number of unique destination IP addresses greater than the cut-off value for the bin; and

  • responsively to finding that each of a first number of the sources sent data to at least a second number of the destination addresses;

  • reducing a threshold value by setting the threshold value to the cut-off value of a bin whose threshold was exceeded; and

  • invoking a response to malicious network traffic, wherein, for at least one of the threshold pairs, the first number is at least equal to the respective first threshold value, and the second number is at least equal to the respective second threshold value.
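The counting, binning and threshold-pair test recited in the claim can be sketched as follows. This is an added example, not code from the patent or its assignee; the function names, addresses, cut-offs and threshold values are constructed assumptions, and the threshold-reduction and response steps are not modelled.

```python
from collections import defaultdict

def unique_dest_counts(flows):
    """Per source: number of distinct destinations seen in the window."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def fill_bins(counts, cutoffs):
    """Each bin holds the sources whose count is greater than its cut-off."""
    return {c: {s for s, n in counts.items() if n > c} for c in cutoffs}

def screen(flows, pairs, cutoffs):
    """Return (bins, hits); a hit is a threshold pair that was met."""
    if any(first <= 1 for first, _ in pairs):
        raise ValueError("first threshold value must be greater than one")
    counts = unique_dest_counts(flows)
    hits = []
    for first, second in pairs:
        # Sources that reached at least `second` unique destinations.
        sources = sorted(s for s, n in counts.items() if n >= second)
        if len(sources) >= first:
            hits.append(((first, second), sources))
    return fill_bins(counts, cutoffs), hits

def sample_flows():
    """Constructed window of (source, destination) records."""
    # Three sources fan out to 12 destinations each.
    flows = [(f"192.0.2.{h}", f"198.51.100.{d}")
             for h in (7, 8, 9) for d in range(12)]
    # Busy but narrow sources: many packets, few unique destinations.
    flows += [("192.0.2.20", "198.51.100.1")] * 40
    flows += [("192.0.2.21", f"198.51.100.{d % 3}") for d in range(30)]
    return flows

PAIRS = [(3, 10), (2, 50)]   # constructed (first, second) threshold pairs
CUTOFFS = [2, 10, 50]        # constructed bin cut-offs

if __name__ == "__main__":
    bins, hits = screen(sample_flows(), PAIRS, CUTOFFS)
    for cutoff, members in bins.items():
        print(f"more than {cutoff} destinations: {len(members)} sources")
    for pair, sources in hits:
        print("threshold pair met:", pair, sources)
```

The source that sends 40 packets to one destination never enters a bin, because the count is of unique destinations rather than traffic volume.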
