Mechanism to correlate the presence of worms in a network

US 7,971,256 B2
Filed: 10/20/2005
Issued: 06/28/2011
Est. Priority Date: 10/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a computer, transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;

determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;

if the number of the transmitted packets exceeds a predefined first threshold, transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;

if the number of the transmitted packets exceeds a predefined second threshold, transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;

if at least one of the plurality of destinations becomes a source of new packets, comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and

if at least one of the new packets matches a stored signature packet, triggering a detection of a worm in the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for preventing a network attack, the attack being caused by the presence of worms in the network, is provided. The method includes determining the number of packets being transmitted from each source in the network to a plurality of destinations, the packets being transmitted from a source with a set of characteristics. If the number of packets with the set of characteristics, being transmitted from a source, exceeds a predefined first threshold, then the signature of the packets is stored. Subsequently, if at least one of the pluralities of destinations of the packets identified with the source becomes a source of new packets, the new packets being transmitted to more than one destination; then the new packets are compared with the signature. If at least one new packet matches with the signature, then the worm is to be detected.

Citations

8 Claims

1. A method comprising:
- determining, by a computer, transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
  
  determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
  
  if the number of the transmitted packets exceeds a predefined first threshold, transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
  
  if the number of the transmitted packets exceeds a predefined second threshold, transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
  
  if at least one of the plurality of destinations becomes a source of new packets, comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
  
  if at least one of the new packets matches a stored signature packet, triggering a detection of a worm in the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the set of characteristics includes a protocol.
  - 3. The method of claim 1, wherein triggering the detection of the worm further comprises dropping worm traffic, the worm traffic corresponding to the worm.
  - 4. The method of claim 1, wherein caching each of the transmitted packets in the WAI cache further comprises assigning a timer to the WAI cache, the timer deciding a time frame for a storage of the transmitted packets in the WAI cache.
  - 5. The method of claim 1, wherein the caching each of the transmitted packets in the WAI cache further comprises caching the transmitted packets in a worm attack detection (WAD) cache, the caching being performed if the number of the transmitted packets is more than the predefined first threshold.
  - 6. The method of claim 5, further comprising caching the signature packets in the WAPS cache including storing at least a first packet, the first packet being one of the transmitted packets that is exchanged between at least one of the plurality of sources and an external host.

7. A system comprising:
- means for determining transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
  
  means for determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
  
  if the number of the transmitted packets exceeds a predefined first threshold, means for transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
  
  if the number of the transmitted packets exceeds a predefined second threshold, means for transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
  
  if at least one of the plurality of destinations becomes a source of new packets, means for comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
  
  if at least one of the new packets matches a stored signature packet, means for triggering a detection of a worm in the network.

8. An apparatus comprising:
- a processing system comprising a processor coupled to a display and a user input device;
  
  a machine-readable medium comprising instructions executable by the processor comprising;
  
  one or more instructions for determining transmitted packets from at least one of a plurality of sources to at least one of a plurality of destinations in a network, each of the transmitted packets comprising a set of characteristics;
  
  one or more instructions for determining a number of the transmitted packets originating from a similar source internet protocol (IP) address;
  
  if the number of the transmitted packets exceeds a predefined first threshold, one or more instructions for transmitting information about at least one packet of the transmitted packets from a worm attack identification (WAI) cache to a worm attack detector (WAD) cache, wherein the predefined first threshold is associated with a first number of packets originating from the similar source IP address, wherein the WAI cache is a content addressable memory, wherein the WAI cache has a size that is a function of how quickly a worm attack is to be detected, and wherein the size of the WAI cache is increased or decreased for worm detection based on at least one user-configured worm detection policy;
  
  if the number of the transmitted packets exceeds a predefined second threshold, one or more instructions for transmitting at least one signature packet from the WAI cache to a worm attack packet signature (WAPS) cache, wherein the at least one signature packet corresponds to at least one packet of the transmitted packets, wherein the predefined second threshold is less than the predefined first threshold, and wherein the predefined second threshold is associated with a second number of packets originating from the similar source IP address;
  
  if at least one of the plurality of destinations becomes a source of new packets, one or more instructions for comparing the new packets with stored signature packets in the WAPS cache, wherein the new packets are transmitted to at least one of the plurality of destinations; and
  
  if at least one of the new packets matches a stored signature packet, one or more instructions for triggering a detection of a worm in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Venkat, Balaji, Bhikkaji, Bhargav
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US11/254,592
Publication Number

US 20070094730A1
Time in Patent Office

2,077 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Mechanism to correlate the presence of worms in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to correlate the presence of worms in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links