Intrusion detection with automatic signature generation
First Claim
1. A method for detecting malicious programs within a computer network comprising:
- monitoring, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
- at the first agent, comparing information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
- in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmitting, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
- analyzing, by the master, said at least one first packet of data to detect the presence of a malicious program;
- generating, by the master, a signature of said at least one first packet of data when a malicious program is detected;
- transmitting the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
- monitoring, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
- detecting, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.
Abstract
A method for detecting malicious programs within a computer network includes monitoring at least one first packet of data communicated over the network, analyzing the at least one first packet of data to detect the presence of a malicious program, generating a signature of the at least one first packet of data when a malicious program is detected, monitoring at least one second packet of data communicated over the network and detecting evidence of the malicious program in the at least one second packet of data utilizing the generated signature.
42 Claims (the independent claims 1, 11, 21 and 31 are listed; the remaining claims depend from them)
1. As reproduced in full under First Claim above. Dependent claims: 2 to 10, 41 and 42.
11. A system for detecting malicious programs within a computer network comprising:
- a first agent network device within the computer network configured to: monitor at least one first packet of data communicated over said network; compare information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files; and in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit said at least one first packet of data to a master within the computer network;
- a master comprising a network device in communication with the first agent network device via the computer network, the master configured to: analyze said at least one first packet of data to detect the presence of a malicious program; generate a signature of said at least one first packet of data when a malicious program is detected; and transmit, via the computer network, said signature to the first agent network device and at least a second one of the one or more agents; and
- a second agent network device within the computer network configured to: monitor at least one second packet of data communicated over said network; and detect evidence of said malicious program in said at least one second packet of data utilizing said generated signature.

Dependent claims: 12 to 20.
21. A computer system comprising:
- a processor; and
- a non-transitory computer recording medium including computer executable code executable by the processor for detecting malicious programs within a computer network, the computer executable code operable when executed to:
  - monitor, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
  - compare, by the first agent, information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
  - in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
  - analyze, by the master, said at least one first packet of data to detect the presence of a malicious program;
  - generate, by the master, a signature of said at least one first packet of data when a malicious program is detected;
  - transmit the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
  - monitor, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
  - detect, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.

Dependent claims: 22 to 30.
31. A non-transitory computer recording medium storing computer executable code executable by a processor for detecting malicious programs within a computer network, wherein the computer executable code is operable when executed by the processor to:
- monitor, by a first one of one or more agents within the computer network, at least one first packet of data communicated over said computer network, the first agent comprising a first agent network device;
- compare, by the first agent, information within the at least one first packet to one or more virus scanning signature files to determine that the information within the at least one first packet does not match one of the one or more virus scanning signature files;
- in response to determining that the at least a portion of the information in the at least one first packet does not match one of the one or more virus scanning signature files, transmit, by the first agent comprising the first agent network device, said at least one first packet of data to a master within the computer network, the master comprising a network device in communication with the first agent network device via the computer network;
- analyze, by the master, said at least one first packet of data to detect the presence of a malicious program;
- generate, by the master, a signature of said at least one first packet of data when a malicious program is detected;
- transmit the signature from the master comprising the network device to the first agent comprising the first agent network device and at least a second one of the one or more agents, the signature transmitted via the computer network;
- monitor, by a second one of the one or more agents, at least one second packet of data communicated over said network; and
- detect, by the second agent, evidence of said malicious program in said at least one second packet of data utilizing said generated signature.

Dependent claims: 32 to 40.
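As an added illustration (not code from the patent or its assignee), the following Python models the loop that claims 1, 11, 21 and 31 share: an agent matches a packet against its signature set, forwards an unmatched packet to the master, and the master, on detection, generates a signature and pushes it to every agent so that a second agent can match a later packet. The master's detection heuristic (an MZ header on a high-entropy body) and the use of the first packet's exact bytes as the signature are assumptions; the claims specify neither.

```python
import math
from typing import List, Optional, Set


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; input to the assumed master heuristic."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))


class Master:
    """The master network device: heavier analysis plus signature distribution."""

    def __init__(self) -> None:
        self.agents: List["Agent"] = []

    def analyze(self, payload: bytes) -> bool:
        # Assumed heuristic for "detect the presence of a malicious program": a PE
        # header (MZ) on a high-entropy body. The claims leave the analysis unspecified.
        return payload.startswith(b"MZ") and entropy(payload) > 6.0

    def handle_forwarded(self, payload: bytes) -> Optional[bytes]:
        """Analyze a packet an agent could not match; on detection, push a signature."""
        if not self.analyze(payload):
            return None
        signature = payload  # signature of the first packet: its exact byte content (assumption)
        for agent in self.agents:  # transmitted to the first agent and every other agent
            agent.signatures.add(signature)
        return signature


class Agent:
    """An agent network device holding the current virus-scanning signature set."""

    def __init__(self, name: str, master: Master) -> None:
        self.name = name
        self.master = master
        self.signatures: Set[bytes] = set()
        master.agents.append(self)

    def inspect(self, payload: bytes) -> str:
        """Return 'detected', 'signature-generated' or 'clean' for one monitored packet."""
        # Compare against the local signature files first (claim step 2).
        if any(sig in payload for sig in self.signatures):
            return "detected"
        # No match: forward to the master (step 3); it analyzes and may generate a signature.
        return "signature-generated" if self.master.handle_forwarded(payload) else "clean"
```

Because the signature is the first packet's exact bytes, a second agent only matches later packets that carry that same content; deployed systems derive shorter, more selective patterns from the analyzed packet to reduce both misses and false matches.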