Malware detection system and method
Abstract
Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.
20 Claims
1. A method of detecting malware infected computing devices in a network, the method comprising:
allocating at least one network address in a network element coupled to a communications network as a bait address;
sending at least one outgoing bait packet from the bait address to the network according to a policy table stored in the network element;
receiving an incoming packet from the network at the bait address;
selectively identifying a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source;
wherein the bait address is a layer 2 MAC address shared by a first port of the network element configured for transmitting bait packets and a second port of the network element configured for receiving incoming packets from the network.
Dependent claims: 2, 3, 4, 5, 6, 16, 18.

7. A system for detecting malware infected computing devices in a network, the system comprising:
a network element operatively coupled to a communications network, the network element having at least one network address allocated as a bait address, and comprising a malware detection component operative to send at least one outgoing bait packet from the bait address to the network according to a policy table stored in the network element, to receive an incoming packet from the network at the bait address, and to selectively identify a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source;
wherein the bait address is a layer 2 MAC address shared by a first port of the network element configured for transmitting bait packets and a second port of the network element configured for receiving incoming packets from the network.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 17, 19.

20. A method of detecting malware infected computing devices in a network, the method comprising:
allocating at least one network address in a network element coupled to a communications network as a bait address;
sending at least one outgoing bait packet from the bait address to the network;
receiving an incoming packet from the network at the bait address; and
selectively identifying a source of the incoming packet as infected with malware if the incoming packet is of an unexpected type and from an unauthorized source;
wherein the bait address is a layer 2 MAC address shared by a first port of the network element configured for transmitting bait packets and a second port of the network element configured for receiving incoming packets from the network.

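The following is an added model of the decision logic in claims 1 and 20, written for this page and not taken from the patent or any product that practises it. It assumes a policy table of bait packets, a set of hosts authorized to contact the bait address, and a constructed traffic sample; the packet fields, host addresses and "bait-mac" label are all invented for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str    # sending host (constructed addresses in the demo)
    dst: str    # receiving address
    kind: str   # "syn", "syn-ack", ...
    port: int


@dataclass
class BaitElement:
    """Network element owning one bait address (the shared layer 2 MAC)."""
    bait_addr: str
    policy: list          # policy table rows: (destination, kind, port)
    authorized: set       # hosts allowed to talk to the bait address
    expected: set = field(default_factory=set)

    def send_bait(self) -> list:
        """Emit bait packets per the policy table; record the replies we expect."""
        out = []
        for dst, kind, port in self.policy:
            out.append(Packet(self.bait_addr, dst, kind, port))
            if kind == "syn":  # assumption: a bait SYN may legitimately draw one SYN-ACK
                self.expected.add((dst, "syn-ack", port))
        return out

    def flag(self, pkt: Packet, require_both: bool = False) -> bool:
        """True if pkt's source is identified as infected."""
        if pkt.dst != self.bait_addr:
            return False  # not addressed to the bait; outside this mechanism
        unexpected = (pkt.src, pkt.kind, pkt.port) not in self.expected
        unauthorized = pkt.src not in self.authorized
        # claim 1: unexpected OR unauthorized; claim 20: unexpected AND unauthorized
        return (unexpected and unauthorized) if require_both else (unexpected or unauthorized)


def detect(require_both: bool = False) -> list:
    """Run constructed traffic through the element; return flagged sources, sorted."""
    elem = BaitElement("bait-mac", [("10.0.0.7", "syn", 80)], {"10.0.0.7", "10.0.0.9"})
    elem.send_bait()
    incoming = [
        Packet("10.0.0.7", "bait-mac", "syn-ack", 80),  # legitimate reply to our bait
        Packet("10.0.0.5", "bait-mac", "syn", 445),     # unsolicited probe from unknown host
        Packet("10.0.0.9", "bait-mac", "syn", 22),      # unsolicited, but from an authorized host
        Packet("10.0.0.5", "other-mac", "syn", 445),    # not sent to the bait address; ignored
    ]
    return sorted({p.src for p in incoming if elem.flag(p, require_both)})
```

`detect()` applies the claim 1 rule and flags both the unknown prober and the authorized host that sent an unsolicited packet; `detect(require_both=True)` applies the stricter claim 20 rule and flags only the unknown prober.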
Specification