Method, apparatus, and computer program product for detecting computer worms in a network
First Claim
1. A computer-based method for detecting worms in a computer network, comprising:
(a) monitoring traffic in the computer network to identify one or more traffic behavior occurrences;
(b) organizing the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
(c) using the data structure to determine an average branching factor of each depth of the tree; and
(d) indicating that at least one host of the tree is a possible worm-infected host if the average branching factor is greater than a threshold.
1 Assignment
0 Petitions
Abstract
A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
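The abstract and claim 1 describe one detection procedure: record traffic-behavior occurrences, grow a propagation tree in which a host becomes a node only once it receives traffic from a host already in the tree, compute the average branching factor at each depth, and flag the tree's hosts when that factor exceeds a threshold. The following Python is an added illustration of that procedure written for this page; it is not code from the patent or its assignee. It assumes an occurrence is a `(time, source, destination)` tuple, the two traffic samples are constructed, the threshold value is arbitrary, and the `min_depths` parameter (requiring fan-out to persist across several generations) is an addition beyond the claim as written, included to show how a one-to-many server push differs from worm-like propagation.

```python
from collections import defaultdict

# Constructed sample traffic-behavior occurrences (not from the patent):
# (time, source host, destination host). Each tuple is one observed
# occurrence of the behaviour being tracked, e.g. a connection attempt
# to one service port.
WORM_LIKE = [
    (1, "h0", "h1"), (1, "h0", "h2"), (1, "h0", "h3"),
    (2, "h1", "h4"), (2, "h1", "h5"), (2, "h1", "h6"),
    (2, "h2", "h7"), (2, "h2", "h8"), (2, "h2", "h9"),
    (2, "h3", "h10"), (2, "h3", "h11"), (2, "h3", "h12"),
    (3, "h5", "h0"),  # traffic to a host already in the tree adds no node
]
# Constructed benign pattern: one update server pushing to eight clients.
# Wide at depth 0, but nothing propagates further.
ONE_TO_MANY = [(1, "srv", f"c{i}") for i in range(1, 9)]


def build_tree(occurrences, root=None):
    """Return ({host: depth}, {host: [children]}) for the propagation tree.

    Occurrences are processed in time order. A host becomes a node only when
    it receives traffic from a host already in the tree (claim 1, step (b)).
    The root defaults to the source of the earliest occurrence.
    """
    ordered = sorted(occurrences, key=lambda o: o[0])
    if not ordered:
        return {}, {}
    root = root or ordered[0][1]
    depth = {root: 0}
    children = defaultdict(list)
    for _, src, dst in ordered:
        if src in depth and dst not in depth:
            depth[dst] = depth[src] + 1
            children[src].append(dst)
    return depth, children


def branching_factors(depth, children):
    """Average branching factor per depth: mean number of children of the
    nodes at that depth (claim 1, step (c)). The deepest level is always 0."""
    per_depth = defaultdict(list)
    for host, d in depth.items():
        per_depth[d].append(len(children.get(host, [])))
    return {d: sum(c) / len(c) for d, c in sorted(per_depth.items())}


def detect(occurrences, threshold=2.0, min_depths=1):
    """Flag the tree's hosts as possibly worm-infected when the average
    branching factor exceeds `threshold` at `min_depths` or more depths
    (claim 1, step (d)). min_depths=1 is the claim as written; larger values
    (an assumption added here) demand sustained fan-out across generations,
    which a single server pushing to many clients does not produce."""
    depth, children = build_tree(occurrences)
    bf = branching_factors(depth, children)
    wide = [d for d, f in bf.items() if f > threshold]
    suspicious = sorted(depth) if len(wide) >= min_depths else []
    return {"branching": bf, "flagged_depths": wide, "suspicious_hosts": suspicious}


if __name__ == "__main__":
    for name, sample in (("worm-like", WORM_LIKE), ("one-to-many", ONE_TO_MANY)):
        for k in (1, 2):
            r = detect(sample, threshold=2.0, min_depths=k)
            print(name, "min_depths=%d" % k, r["branching"], r["flagged_depths"],
                  len(r["suspicious_hosts"]), "hosts flagged")
```

With the threshold at 2.0 and `min_depths=1`, both samples are flagged, because the update server's fan-out at depth 0 alone exceeds the threshold; with `min_depths=2`, only the sample whose fan-out continues at depth 1 is flagged. The choice of threshold and of which occurrences count as the behaviour (the abstract's "traffic behavior") is what sets the false-positive rate in practice.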
15 Citations
55 Claims
1. A computer-based method for detecting worms in a computer network (independent claim; full text given under First Claim above).
Dependent claims: 2–16, 33–41.
17. An apparatus for detecting worms in a computer network, comprising:
a monitoring module to monitor traffic in the computer network to identify one or more traffic behavior occurrences;
an organizing module to organize the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
a using module to use the data structure to determine an average branching factor of each depth of the tree; and
an indicating module to indicate that at least one host of the tree is a possible worm-infected host if the average branching factor is greater than a threshold.
Dependent claims: 18–31.
32. A computer-based method for detecting worms in a computer network, comprising:
(a) monitoring traffic in the computer network to identify one or more traffic behavior occurrences;
(b) generating a graph-based representation of the traffic behavior occurrences comprising a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree; and
(c) using the graph-based representation to determine an average branching factor of each depth of the tree; and
(d) indicating that at least one host of the tree is a possible worm-infected host if the average branching factor is greater than a threshold.
42. A computer program product including a non-transitory computer-readable medium having instructions stored thereon that, when executed by a computing device, cause the computing device to perform operations comprising:
(a) monitoring traffic in the computer network to identify one or more traffic behavior occurrences;
(b) organizing the traffic behavior occurrences into a data structure representing a tree having nodes and links, wherein a node represents a host and a link represents one or more traffic behavior occurrences between two nodes, and wherein a new node is added to the tree after a host represented by the new node receives traffic from another host represented by another node already contained in the tree;
(c) using the data structure to determine an average branching factor of each depth of the tree; and
(d) indicating that at least one host of the tree is a possible worm-infected host if the average branching factor is greater than a threshold.
Dependent claims: 43–55.
Specification