Defending against worm or virus attacks on networks

US 7,797,749 B2
Filed: 11/03/2004
Issued: 09/14/2010
Est. Priority Date: 11/03/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

an apparatus coupled to a processor, wherein the apparatus including security agents; and

the said security agents performing the operations of;

checking for behavior indicative of a worm by monitoring inbound and outbound packet flow;

wherein checking includes applying heuristics to determine whether a worm attack may have occurred; and

in response to an indication of worm behavior between risk assessment scans;

taking corrective action to prevent the spread of a worm prior to conducting a risk assessment scan;

isolating a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and

throttling outbound packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination of more frequent and less frequent security monitoring may be used to defeat worm or virus attacks. At periodic intervals, a risk assessment scan may be implemented to determine whether or not a worm attack has occurred. Prior thereto, an intermediate detection by an anomaly detection agent may determine whether or not a worm attack may have occurred. If a potential worm attack may have occurred, intermediate action, such as throttling of traffic, may occur. Then, at the next risk assessment scan, a determination may be made as to whether the attack is actually occurring and, if so, more effective and performance altering techniques may be utilized to counter the attack.

Citations

23 Claims

1. A computer-implemented method comprising:
- an apparatus coupled to a processor, wherein the apparatus including security agents; and
  
  the said security agents performing the operations of;
  
  checking for behavior indicative of a worm by monitoring inbound and outbound packet flow;
  
  wherein checking includes applying heuristics to determine whether a worm attack may have occurred; and
  
  in response to an indication of worm behavior between risk assessment scans;
  
  taking corrective action to prevent the spread of a worm prior to conducting a risk assessment scan;
  
  isolating a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
  
  throttling outbound packets.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 including terminating the throttling if a risk assessment scan indicates that a worm attack has not occurred.
  - 3. The method of claim 1 wherein checking for behavior indicative of a worm includes analyzing characteristics of packet headers.
  - 4. The method of claim 3 including storing information related to recent packet flows.
  - 5. The method of claim 1 including checking for behavior indicative of a worm between risk assessment scans more frequently than risk assessment scans are conducted.
  - 6. The method of claim 1 including checking for a virus or worm signature between risk assessment scans.

7. An article comprising a computer readable memory device storing instructions that, if executed, enable a processor-based system to:
- check for behavior indicative of a worm by monitoring inbound and outbound packet flow;
  
  apply heuristics to determine whether a worm attack may have occurred; and
  
  in response to worm behavior;
  
  enable the processor-based system to take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan;
  
  enable the processor-based system to isolate a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
  
  enable the processor-based system to throttle outbound packets.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The article of claim 7 further storing instructions that, if executed, enable the processor-based system to terminate the throttling is a risk assessment scan indicates that a worm attack has not occurred.
  - 9. The article of claim 7 further storing instructions that, if executed, enable the processor-based system to analyze characteristics of packet headers.
  - 10. The article of claim 9 further storing instructions that, if executed, enable the processor-based system to store information related to recent packet flows.
  - 11. The article of claim 7 further storing instructions that, if executed, enable the processor-based system to check for behavior indicative of a won-n between risk assessment scans more frequently than risk assessment scans are conducted.
  - 12. The article of claim 7 further storing instructions that, if executed, enable the processor-based system to check for a virus or worm signature between risk assessment scans.

13. An apparatus comprising:
- a first agent to periodically conduct risk assessment scans for host resident security agents;
  
  wherein said first agent to isolate a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
  
  a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow and,in response to worm behavior, wherein said second agent;
  
  apply heuristics to determine whether a worm attack may have occurred;
  
  take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan; and
  
  throttle outbound packets.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13 wherein said first and second agents are part of microcontroller.
  - 15. The apparatus of claim 14 wherein said agents are part of an embedded microcontroller.
  - 16. The apparatus of claim 13 including a device to interface said apparatus to a packet processing device.
  - 17. The apparatus of claim 16 including an interface to a host including host resident security agents.
  - 18. The apparatus of claim 17 including an interface to a network controller.
  - 19. The apparatus of claim 13 wherein said second agent to analyze characteristics of packet headers.
  - 20. The apparatus of claim 13 wherein said first agent to conduct risk assessment scans less frequently than said second agent checks for behavior indicative of a worm between risk assessment scans.

21. A system comprising:
- a processor;
  
  a storage storing security agents;
  
  an apparatus coupled to said processor including a first agent to periodically conduct risk assessment scans of said security agents;
  
  wherein said first agent to isolate the system from a network in response to a risk assessment scan indicating that the security agents have been altered;
  
  a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flows and,in response to worm behavior, wherein said second agent;
  
  apply heuristics to determine whether a worm attack may have occurred;
  
  take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan; and
  
  throttle outbound packets; and
  
  a network controller coupled to said apparatus.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21 wherein said second agent to analyze characteristics of packet headers.
  - 23. The system of claim 21 wherein said first agent to conduct risk assessment scans less frequently than said second agent checks for behavior indicative of a worm between risk assessment scans.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rajagopal, Priya, Durham, David, Sahita, Ravi
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
TABOR, AMARE F

Application Number

US10/980,015
Publication Number

US 20060095970A1
Time in Patent Office

2,141 Days
Field of Search

726/26, 726 23- 25, 713/201, 713/188
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Defending against worm or virus attacks on networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Defending against worm or virus attacks on networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links