Mechanism to correlate the presence of worms in a network
First Claim
1. A method comprising:
determining, by a computer, transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
if the number of the transmitted packets exceeds a predefined first threshold, transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
if the number of the transmitted packets exceeds a predefined second threshold, transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
if at least one of the plurality of destinations becomes a source of new packets, comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
if at least one of the new packets matches a stored signature packet, triggering a detection of a worm in the network.
Abstract
A method and a system are provided for preventing a network attack caused by the presence of worms in the network. The method includes determining the number of packets being transmitted from each source in the network to a plurality of destinations, each packet having a set of characteristics. If the number of packets with that set of characteristics transmitted from a source exceeds a predefined first threshold, the signature of the packets is stored. Subsequently, if at least one of the plurality of destinations of the packets identified with that source itself becomes a source of new packets transmitted to more than one destination, the new packets are compared with the stored signature. If at least one new packet matches the signature, a worm is detected.
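The mechanism described by the claim and the abstract above, as an added example for this page: a Python model of the two-threshold correlation. This is illustration code written for this page, not the patent's implementation and not code from the assignee. The cache names WAI, WAD and WAPS and the requirement that the second (signature) threshold be lower than the first come from the claim; everything else is an assumption made here: the concrete "set of characteristics" (protocol, destination port, payload length and a 16-byte payload prefix), the SHA-256 hash of that tuple used as the stored signature, a bounded insertion-ordered dict standing in for the content addressable memory, the threshold values 8 and 4, and the sample traffic, which is constructed rather than captured.

```python
"""Two-threshold worm correlation, modelled on the claim and abstract above.

Added illustration, not the patent's implementation. Cache names and the
threshold ordering follow the claim; the characteristics, the SHA-256
signature, the bounded dict used as the CAM, the threshold values and the
sample traffic are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str
    payload: bytes


def characteristics(pkt: Packet) -> tuple:
    """The claim's 'set of characteristics'; the fields chosen are an assumption."""
    return (pkt.proto, pkt.dst_port, len(pkt.payload), pkt.payload[:16])


def signature(pkt: Packet) -> str:
    """Fixed-size key for the WAPS cache: a hash of the characteristics tuple."""
    return hashlib.sha256(repr(characteristics(pkt)).encode()).hexdigest()


class WormCorrelator:
    def __init__(self, first_threshold=8, second_threshold=4, wai_capacity=1024):
        # The claim requires the signature threshold to be the lower one, so a
        # signature is already stored when a source reaches the WAD threshold.
        if not second_threshold < first_threshold:
            raise ValueError("second threshold must be less than the first")
        self.t1 = first_threshold
        self.t2 = second_threshold
        self.wai_capacity = wai_capacity  # stands in for the policy-tuned CAM size
        self.wai = {}   # (src, characteristics) -> {"count", "dsts", "sample"}
        self.wad = {}   # src -> sample packet, once its count exceeds t1
        self.waps = {}  # signature -> {"src", "dsts"}, once the count exceeds t2
        self.detections = []  # (original source, propagating host, signature)

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; return True if it completes a worm detection."""
        sig = signature(pkt)
        entry = self.waps.get(sig)
        # A host that was a destination of signature traffic is now itself a
        # source of packets matching that signature: the propagation step.
        detected = (entry is not None and pkt.src != entry["src"]
                    and pkt.src in entry["dsts"])
        if detected:
            self.detections.append((entry["src"], pkt.src, sig))

        # Count packets per (source IP, set of characteristics) in the WAI cache.
        key = (pkt.src, characteristics(pkt))
        e = self.wai.get(key)
        if e is None:
            if len(self.wai) >= self.wai_capacity:
                # Full CAM: evict the oldest entry. A slow scanner can be evicted
                # before reaching either threshold; a larger WAI catches it at the
                # cost of memory, which is the sizing trade-off the claim names.
                self.wai.pop(next(iter(self.wai)))
            e = self.wai[key] = {"count": 0, "dsts": set(), "sample": pkt}
        e["count"] += 1
        e["dsts"].add(pkt.dst)

        # Lower threshold: store the signature in the WAPS cache. Destinations of
        # every source emitting this signature are merged, so later generations
        # of the propagation chain are recognised as well.
        if e["count"] > self.t2:
            w = self.waps.setdefault(sig, {"src": pkt.src, "dsts": set()})
            w["dsts"].update(e["dsts"])
        # Higher threshold: hand a sample packet from the WAI to the WAD cache.
        if e["count"] > self.t1:
            self.wad[pkt.src] = e["sample"]
        return detected


def build_sample_traffic() -> list:
    """Constructed sample traffic for this example, not captured data."""
    exploit = b"\x00\x00\x00\x90\xffSMBr\x00\x00\x00\x00\x18\x53\xc8" + b"A" * 120
    probe = b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00\x08\x01\x40" + b"\x00" * 32
    pkts = []
    # 1) Worm-infected 10.0.0.5 fires the same exploit at eleven hosts on tcp/445.
    pkts += [Packet("10.0.0.5", f"10.0.0.{i}", 445, "tcp", exploit) for i in range(10, 21)]
    # 2) An authorised scanner, 10.0.0.9, probes tcp/445 on twelve other hosts. It
    #    crosses both thresholds, but no destination ever re-sends its probe.
    pkts += [Packet("10.0.0.9", f"10.0.0.{i}", 445, "tcp", probe) for i in range(40, 52)]
    # 3) One of the worm's destinations, 10.0.0.12, now emits the same exploit.
    pkts.append(Packet("10.0.0.12", "10.0.0.30", 445, "tcp", exploit))
    return pkts


def run_demo() -> dict:
    corr = WormCorrelator(first_threshold=8, second_threshold=4)
    for pkt in build_sample_traffic():
        corr.observe(pkt)
    return {
        "wad_sources": sorted(corr.wad),  # volume alone flags both heavy senders
        "signatures": len(corr.waps),     # both also crossed the signature threshold
        "detections": [(origin, host) for origin, host, _ in corr.detections],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is the one the claim turns on: a per-source packet count by itself cannot tell a worm from an authorised scanner (both 10.0.0.5 and 10.0.0.9 end up in the WAD cache), while the correlation step fires only when a former destination starts emitting the stored signature. Two caveats a practitioner should carry over: the chosen characteristics decide the false-positive rate (a field that varies per connection, such as a client port, will never aggregate; a field that is constant for benign protocol traffic will aggregate everything), and a bounded WAI means a scanner slow enough to be evicted between its packets is never counted, which is why the claim ties the cache size to how quickly detection is wanted.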
8 Claims
1. A method comprising: the independent claim reproduced in full under First Claim above. Claims 2 to 6 depend on it and are not reproduced on this page.
7. A system comprising:
means for determining transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
means for determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
if the number of the transmitted packets exceeds a predefined first threshold, means for transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
if the number of the transmitted packets exceeds a predefined second threshold, means for transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
if at least one of the plurality of destinations becomes a source of new packets, means for comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
if at least one of the new packets matches a stored signature packet, means for triggering a detection of a worm in the network.
8. An apparatus comprising:
a processing system comprising a processor coupled to a display and a user input device;
a machine-readable medium comprising instructions executable by the processor, the instructions comprising:
one or more instructions for determining transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
one or more instructions for determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
if the number of the transmitted packets exceeds a predefined first threshold, one or more instructions for transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
if the number of the transmitted packets exceeds a predefined second threshold, one or more instructions for transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
if at least one of the plurality of destinations becomes a source of new packets, one or more instructions for comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
if at least one of the new packets matches a stored signature packet, one or more instructions for triggering a detection of a worm in the network.