
Mechanism to correlate the presence of worms in a network

  • US 7,971,256 B2
  • Filed: 10/20/2005
  • Issued: 06/28/2011
  • Est. Priority Date: 10/20/2005
  • Status: Active Grant
First Claim

1. A method comprising:

    determining, by a computer, transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;

    determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;

    if the number of the transmitted packets exceeds a predefined first threshold, transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;

    if the number of the transmitted packets exceeds a predefined second threshold, transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;

    if at least one of the plurality of destinations becomes a source of new packets, comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and

    if at least one of the new packets matches a stored signature packet, triggering a detection of a worm in the network.
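The steps of claim 1 can be followed in a small detection model. This is an added example, not code from the patent or its assignee. The `WormCorrelator` class, the choice of protocol, port and payload digest as the packet "characteristics", the least-recently-seen eviction of the WAI cache, and the traffic in `run_demo` are all assumptions made for illustration.

```python
import hashlib
from collections import OrderedDict

class WormCorrelator:
    def __init__(self, first_threshold, second_threshold, wai_size):
        if not second_threshold < first_threshold:
            raise ValueError("second threshold must be below the first")
        self.t1, self.t2, self.wai_size = first_threshold, second_threshold, wai_size
        self.wai = OrderedDict()   # WAI cache: source IP -> packet count
        self.wad = {}              # WAD cache: source IP -> info on the suspect flow
        self.waps = {}             # WAPS cache: signature -> source that produced it
        self.destinations = set()  # hosts that have received packets

    @staticmethod
    def signature(pkt):
        # Assumption: the "set of characteristics" is protocol, port, payload digest.
        return (pkt["proto"], pkt["dport"], hashlib.sha256(pkt["payload"]).hexdigest())

    def observe(self, pkt):
        """Process one packet; return True if it triggers a worm detection."""
        src, sig = pkt["src"], self.signature(pkt)
        # A former destination is now a source: compare with stored signatures.
        hit = src in self.destinations and self.waps.get(sig, src) != src
        self.destinations.add(pkt["dst"])
        self.wai[src] = count = self.wai.get(src, 0) + 1
        self.wai.move_to_end(src)
        if len(self.wai) > self.wai_size:
            self.wai.popitem(last=False)  # assumed eviction: least recently seen
        if count > self.t2:
            self.waps[sig] = src          # lower threshold: keep a signature packet
        if count > self.t1:
            self.wad[src] = {"count": count, "signature": sig}  # higher threshold
        return hit

def run_demo():
    # Constructed traffic: 10.0.0.1 sends one payload to six hosts, then one
    # of those hosts (10.0.0.3) starts sending the same payload onward.
    c = WormCorrelator(first_threshold=5, second_threshold=3, wai_size=64)
    probe = {"proto": "tcp", "dport": 9999, "payload": b"constructed-sample"}
    results = [c.observe({**probe, "src": "10.0.0.1", "dst": f"10.0.0.{i}"})
               for i in range(2, 8)]
    benign = c.observe({"proto": "tcp", "dport": 80, "payload": b"GET /",
                        "src": "10.0.0.4", "dst": "10.0.0.9"})
    relay = c.observe({**probe, "src": "10.0.0.3", "dst": "10.0.0.9"})
    return c, results, benign, relay
```

In this model a smaller `wai_size` evicts per-source counters sooner, which is the size trade-off the claim ties to the user-configured worm detection policy.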
