Apparatus, method and program to detect and control deleterious code (virus) in computer network
First Claim
1. A method to detect harmful packets on a computer network, the method including:
- providing at least one algorithm that scans received packets;
- identifying packets having a predefined format including a single Source Address (SA), N Destination Addresses (DAs), and M Destination Ports (DPs), wherein N > (greater than) M;
- wherein the SA, DP, and many DAs are stored in a leaf of a Patricia Tree arrangement, and wherein the Patricia Tree arrangement includes a Direct Table;
- indexing into a slot of the Direct Table utilizing a hash value of SA and DP of a predefined packet;
- if the slot has no entry, inserting a pointer in said slot;
- if the slot contains information pointing to a single leaf:
  - comparing leaf SA, DP with SA, DP in a predefined packet;
  - if a match occurs on SA, DP, comparing the DA in the leaf with the DA in the predefined packet; and
  - if no match occurs, adding the DA of the predefined packet to the list of DAs in the leaf;
- reporting said packets to a central administrative authority, which authority includes functionality for taking decisive actions to limit harmful effects of said packets, wherein the decisive actions include:
  - adding Destination Port, DP, of said packets to a list of Permissive DPs;
  - dropping all subsequent packets having the same SA, DA and DP as an identified packet; and
  - rate limiting the set of all subsequent packets with the same SA;
- providing a list of Permissible DPs;
- comparing a DP in the identified packet with the list of Permissible DPs; and
- discarding the identified packet having a matching DP.
Abstract
A detection and response system including a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number of distinct Destination Addresses (DAs) exceeding a threshold. A lookup mechanism such as a Direct Table and Patricia search tree is used efficiently to record sets of packets with one SA and one DP, together with the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values of the subset, including SA, DP, and the multiple DAs, are reported to a network administrator. In addition, various administrative responses to reports are provided.
4 Claims
1. (Independent claim 1, reproduced in full under "First Claim" above; claims 2 and 4 depend on it.)
3. A system to detect packets containing harmful code in a computer network, the system comprising:
- a Network Processor including memory and at least one processing element;
- a data structure including at least one Patricia Tree arrangement storing at least one rule with bit pattern similar to that of a packet carrying harmful code located within said memory;
- a computer program deployed on said at least one processing element and when executed causing said processing element to:
  - generate keys from predefined fields in predefined packets;
  - correlate the key with the rule to identify packets having a single SA (Source Address), a single DP (Destination Port) and many DAs (Destination Addresses); wherein the SA, DP and many DAs are stored in a leaf of a Patricia Tree arrangement, and wherein the Patricia Tree arrangement includes a Direct Table;
  - index into a slot of the Direct Table utilizing a hash of SA and DP of a predefined packet;
  - if the slot has no entry, insert a pointer in said slot; and
  - if the slot contains information pointing to a single leaf: compare leaf SA, DP with SA, DP in the predefined packet; if a match occurs on SA, DP, compare the DA in the leaf with the DA in the packet; and if no match occurs, add the packet DA to the list of DAs in the leaf.
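Worked example added here, not code from the patent or its assignee: a Python sketch of the detection path shared by claims 1 and 3 (Direct Table indexed by a hash of SA and DP, leaf holding the distinct DAs, report once the count exceeds a threshold) and of the administrative responses in claim 1. The Direct Table size, the DA threshold, the CRC32 hash and a per-slot list standing in for the Patricia subtree are all assumptions, and the policy in decide() is a simplified reading of the claim's responses.

```python
import zlib

# Constructed parameters: the Direct Table size and the distinct-DA threshold are assumptions.
SLOTS = 1024
DA_THRESHOLD = 4

class Leaf:
    """One (SA, DP) pair and the set of distinct DAs observed for it."""
    def __init__(self, sa, dp, da):
        self.sa, self.dp, self.das = sa, dp, {da}

class ScanDetector:
    """Direct Table indexed by hash(SA, DP); each slot holds the leaves that hash there.
    A plain list per slot stands in for the Patricia subtree the claim uses for collisions."""
    def __init__(self, slots=SLOTS, threshold=DA_THRESHOLD):
        self.table = [None] * slots
        self.threshold = threshold
        self.flagged_dps = set()       # claim: DPs of reported packets
        self.drop_tuples = set()       # claim: drop subsequent (SA, DA, DP) matches
        self.rate_limited_sas = set()  # claim: rate limit everything from the SA
    def observe(self, sa, dp, da):
        """Record one TCP packet; return a report the first time the DA count exceeds the threshold."""
        idx = zlib.crc32(f"{sa}:{dp}".encode()) % len(self.table)
        if self.table[idx] is None:                 # empty slot: point it at a new leaf
            self.table[idx] = [Leaf(sa, dp, da)]
            return None
        for leaf in self.table[idx]:
            if leaf.sa == sa and leaf.dp == dp:     # compare the full key, not just the hash
                if da in leaf.das:
                    return None
                leaf.das.add(da)
                return self._report(leaf) if len(leaf.das) == self.threshold + 1 else None
        self.table[idx].append(Leaf(sa, dp, da))    # collision: different (SA, DP), same slot
        return None
    def _report(self, leaf):
        # Administrative responses from claim 1, applied when the report is raised.
        self.flagged_dps.add(leaf.dp)
        self.drop_tuples.update((leaf.sa, d, leaf.dp) for d in leaf.das)
        self.rate_limited_sas.add(leaf.sa)
        return {"sa": leaf.sa, "dp": leaf.dp, "das": sorted(leaf.das)}
    def decide(self, sa, dp, da):
        """Policy for a later packet: 'drop', 'rate_limit' or 'forward' (simplified reading of the claim)."""
        if (sa, da, dp) in self.drop_tuples:
            return "drop"
        if sa in self.rate_limited_sas:
            return "drop" if dp in self.flagged_dps else "rate_limit"
        return "forward"
```

The threshold check fires exactly once per (SA, DP) leaf, so the administrator gets one report per suspected scan rather than one per packet.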