Defending against worm or virus attacks on networks
First Claim
1. A computer-implemented method comprising:
an apparatus coupled to a processor, wherein the apparatus includes security agents; and
said security agents performing the operations of:
checking for behavior indicative of a worm by monitoring inbound and outbound packet flow, wherein checking includes applying heuristics to determine whether a worm attack may have occurred; and
in response to an indication of worm behavior between risk assessment scans, taking corrective action to prevent the spread of a worm prior to conducting a risk assessment scan;
isolating a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
throttling outbound packets.
Abstract
A combination of more frequent and less frequent security monitoring may be used to defeat worm or virus attacks. At periodic intervals, a risk assessment scan may be implemented to determine whether or not a worm attack has occurred. Prior thereto, an intermediate detection by an anomaly detection agent may determine whether or not a worm attack may have occurred. If a potential worm attack may have occurred, intermediate action, such as throttling of traffic, may occur. Then, at the next risk assessment scan, a determination may be made as to whether the attack is actually occurring and, if so, more effective and performance altering techniques may be utilized to counter the attack.
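The two-tier scheme the abstract describes, as an added illustration that is not code from the patent or from any product it covers: a frequent, cheap anomaly agent that throttles outbound traffic on a heuristic hit, and a less frequent risk assessment scan that verifies the host-resident agents and isolates the host only when they have been altered. The fan-out heuristic, the SHA-256 integrity check standing in for the risk assessment scan, the threshold, and the packet and agent samples are all constructed assumptions for this example.

```python
import hashlib
from dataclasses import dataclass, field

NEW_DEST_THRESHOLD = 20  # constructed: distinct outbound destinations per window

@dataclass
class Host:
    agents: dict                          # agent name -> current agent code bytes
    baseline: dict = field(init=False)    # agent name -> known-good SHA-256 digest
    throttled: bool = False               # intermediate action taken by the anomaly agent
    isolated: bool = False                # stronger action taken by the risk assessment scan

    def __post_init__(self):
        # Record known-good digests when the agents are installed (constructed model).
        self.baseline = {n: hashlib.sha256(c).hexdigest() for n, c in self.agents.items()}

def worm_heuristic(packets, threshold=NEW_DEST_THRESHOLD):
    """Heuristic on the packet flow: a scanning worm fans out to many distinct
    destinations within one window, which ordinary host traffic rarely does."""
    distinct = {p["dst"] for p in packets if p["dir"] == "out"}
    return len(distinct) >= threshold

def anomaly_agent(host, packets):
    """Frequent check between scans: throttle outbound packets on a hit, but do
    not isolate, because the heuristic alone may be a false alarm."""
    if worm_heuristic(packets):
        host.throttled = True
    return host.throttled

def risk_assessment_scan(host):
    """Periodic, heavier check: verify the host-resident agents are unaltered.
    Tampered agents confirm the attack, so the host is isolated; intact agents
    mean the earlier throttle was precautionary, so it is lifted."""
    for name, code in host.agents.items():
        if hashlib.sha256(code).hexdigest() != host.baseline[name]:
            host.isolated = True
            return "isolated"
    host.throttled = False
    return "clean"

def constructed_demo():
    """Constructed scenario: a benign window, a scanning burst, then tampering."""
    host = Host(agents={"av": b"av-agent-v1", "ids": b"ids-agent-v1"})
    benign = [{"dir": "out", "dst": "10.0.0.5"}, {"dir": "in", "dst": "10.0.0.1"}]
    burst = [{"dir": "out", "dst": f"10.0.0.{i}"} for i in range(1, 26)]
    trace = [("benign", anomaly_agent(host, benign)),
             ("burst", anomaly_agent(host, burst)),
             ("scan_intact", risk_assessment_scan(host))]
    host.agents["av"] = b"av-agent-v1-modified"  # simulate the worm disabling an agent
    trace.append(("scan_altered", risk_assessment_scan(host)))
    return trace
```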
23 Claims
7. An article comprising a computer readable memory device storing instructions that, if executed, enable a processor-based system to:
check for behavior indicative of a worm by monitoring inbound and outbound packet flow;
apply heuristics to determine whether a worm attack may have occurred; and
in response to worm behavior:
take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan;
isolate a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
throttle outbound packets.
Dependent claims: 8, 9, 10, 11, 12.

13. An apparatus comprising:
a first agent to periodically conduct risk assessment scans for host resident security agents, wherein said first agent isolates a host from a network in response to a risk assessment scan indicating that host resident security agents have been altered; and
a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flow and, in response to worm behavior, to:
apply heuristics to determine whether a worm attack may have occurred;
take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan; and
throttle outbound packets.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.

21. A system comprising:
a processor;
a storage storing security agents;
an apparatus coupled to said processor including a first agent to periodically conduct risk assessment scans of said security agents, wherein said first agent isolates the system from a network in response to a risk assessment scan indicating that the security agents have been altered, and a second agent to check for behavior indicative of a worm between risk assessment scans by monitoring inbound and outbound packet flows and, in response to worm behavior, to:
apply heuristics to determine whether a worm attack may have occurred;
take corrective action to prevent the spread of a worm prior to conducting a risk assessment scan; and
throttle outbound packets; and
a network controller coupled to said apparatus.
Dependent claims: 22, 23.
Specification