Intrusion detection with automatic signature generation

US 7,761,919 B2
Filed: 05/18/2005
Issued: 07/20/2010
Est. Priority Date: 05/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious programs within a computer network comprising:

monitoring, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;

at the first agent, comparing information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;

in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmitting, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;

analyzing, by the master, said at least one first packet of data to detect the presence of a malicious program;

generating, by the master, a signature of said at least one first packet of data when a malicious program is detected;

transmitting the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;

monitoring, by a second one of the one or more agents, at least one second packet of data communicated over said network; and

detecting, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious programs within a computer network includes monitoring at least one first packet of data communicated over the network, analyzing the at least one first packet of data to detect the presence of a malicious program, generating a signature of the at least one first packet of data when a malicious program is detected, monitoring at least one second packet of data communicated over the network and detecting evidence of the malicious program in the at least one second packet of data utilizing the generated signature.

23 Citations

View as Search Results

42 Claims

1. A method for detecting malicious programs within a computer network comprising:
- monitoring, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
  
  at the first agent, comparing information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
  
  in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmitting, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
  
  analyzing, by the master, said at least one first packet of data to detect the presence of a malicious program;
  
  generating, by the master, a signature of said at least one first packet of data when a malicious program is detected;
  
  transmitting the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
  
  monitoring, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
  
  detecting, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 41, 42)
- - 2. The method of claim 1, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 3. The method of claim 1, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 4. The method of claim 1, wherein said at least one second packet of data that evidences said malicious program is prevented from being delivered to its destination address.
  - 5. The method of claim 1, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 6. The method of claim 1, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 7. The method of claim 1, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 8. The method of claim 1, wherein:
    - monitoring said at least one first packet of data communicated over said network is performed by the first agent located at a first agent address;
      
      monitoring said at least one second packet of data communicated over said network is performed by the second agent located at a second agent address; and
      
      said generated signatures are sent to said first and second agents located at first and second agent addresses respectively.
  - 9. The method of claim 8, wherein an agent address database is created by recording a plurality of agent addresses and said agent address database is used to send one or more generated signatures to a plurality of agents located at the plurality of agent addresses respectively.
  - 10. The method of claim 1, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.
  - 41. The method of claim 1, wherein said at least one first packet of data and said at least one second packet of data are received by the one or more agents from a first set of one or more subnets of the network and destined for a second set of one or more subnets of the network.
  - 42. The method of claim 1, wherein the second agent comprises a third network device in communication with the master via the computer network.

11. A system for detecting malicious programs within a computer network comprising:
- a first agent network device within the computer network configured to;
  
  monitor at least one first packet of data communicated over said network;
  
  compare information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files; and
  
  in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit said at least tone first packet of data to a master within the computer network;
  
  a master comprising a network device in communication with the first agent network device via the computer network, the master configured to;
  
  analyze said at least one first packet of data to detect the presence of a malicious program;
  
  generate a signature of said at least one first packet of data when a malicious program is detected; and
  
  transmit, via the computer network, said signature to the first agent network device and at least a second one of the one or more agents; and
  
  a second agent network device within the computer network configured to;
  
  monitor at least one second packet of data communicated over said network; and
  
  detect evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 13. The system of claim 11, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 14. The system of claim 11, wherein said at least one second packet of data that evidences said malicious program is prevented from being delivered to a destination address.
  - 15. The system of claim 11, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 16. The system of claim 11, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 17. The system of claim 11, wherein analyzing said at least one first packet of data comprises watching for a proliferation of similar packets among said at least first packet of data.
  - 18. The system of claim 11, wherein:
    - monitoring said at least one first packet of data communicated over said network is performed by the first agent network device located at a first agent address;
      
      monitoring said at least one second packet of data communicated over said network is performed by the second agent network device located at a second agent address; and
      
      said generated signatures are sent to said first and second agent network devices located at first and second agent addresses respectively.
  - 19. The system of claim 18, wherein an agent address database is created by recording a plurality of agent addresses and said agent address database is used to send one or more generated signatures to a plurality of agent network devices located at the plurality of agent addresses respectively.
  - 20. The system of claim 11, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

21. A computer system comprising:
- a processor; and
  
  a non transitory computer recording medium including computer executable code executable by the processor for detecting malicious programs within a computer network, the computer executable code operable when executed to;
  
  monitor, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
  
  compare, by the first agent, information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
  
  in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
  
  analyze, by the master, said at least one first packet of data to detect the presence of a malicious program;
  
  generate, by the master, a signature of said at least one first packet of data when a malicious program is detected;
  
  transmit the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
  
  monitor, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
  
  detect, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer system of claim 21, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 23. The computer system of claim 21, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 24. The computer system of claim 21, wherein said at least one second packet of data that evidence said malicious program is prevented from being delivered to a destination address.
  - 25. The computer system of claim 21, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 26. The computer system of claim 21, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 27. The computer system of claim 21, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 28. The computer system of claim 21, wherein:
    - monitoring said at least one first packet of data communicated over said network is performed by the first agent located at a first agent address;
      
      monitoring said at least one second packet of data communicated over said network is performed by the second agent located at a second agent address; and
      
      said generated signatures are sent to said first and second agents located at first and second agent addresses respectively.
  - 29. The computer system of claim 28, wherein an agent address database is created by recording a plurality of agent addresses and said agent address database is used to send one or more generated signatures to a plurality of agents located at the plurality of agent addresses respectively.
  - 30. The computer system of claim 21, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

31. A non transitory computer recording medium storing computer executable code executable by a processor for detecting malicious programs within a computer network, wherein the computer executable code is operable when executed by the processor to:
- monitor, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
  
  compare, by the first agent, information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
  
  in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
  
  analyze, by the master, said at least one first packet of data to detect the presence of a malicious program;
  
  generate, by the master, a signature of said at least one first packet of data when a malicious program is detected;
  
  transmit the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
  
  monitor, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
  
  detect, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The computer recording medium of claim 31, wherein said at least one first packet of data is selected at random from among a plurality of packets of data that are communicated over said network.
  - 33. The computer recording medium of claim 31, wherein said at least one first packet of data is selected at a set interval from among a plurality of packets of data that are communicated over said network.
  - 34. The computer recording medium of claim 31, wherein said at least one second packet of data is prevented from being delivered to a destination address.
  - 35. The computer recording medium of claim 31, wherein instances of detected evidence of said malicious program in said at least one second packet of data are logged.
  - 36. The computer recording medium of claim 31, wherein one or more supplied signatures are used along with said generated signatures to detect evidence of said malicious program in said at least one second packet of data.
  - 37. The computer recording medium of claim 31, wherein analyzing said at least one first packet of data to detect the presence of a malicious program comprises watching for a proliferation of similar packets among said at least one first packet of data.
  - 38. The computer recording medium of claim 31, wherein:
    - monitoring said at least one first packet of data communicated over said network is performed by the first agent located at a first agent address;
      
      monitoring said at least one second packet of data communicated over said network is performed by the second agent located at a second agent address; and
      
      said generated signatures are sent to said first and second agents located at first and second agent addresses respectively.
  - 39. The computer recording medium of claim 38, wherein an agent address database is created by recording a plurality of agent addresses and said agent address database is used to send one or more generated signatures to a plurality of agents located at the plurality of agent addresses respectively.
  - 40. The computer recording medium of claim 31, wherein said at least one first packet of data and said at least one second packet of data are sub-packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Gassoway, Paul
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/132,611
Publication Number

US 20050262560A1
Time in Patent Office

1,889 Days
Field of Search

726/13, 726 22- 25, 713/188
US Class Current

726/24
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Intrusion detection with automatic signature generation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection with automatic signature generation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links