Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
First Claim
1. In a network carrying a plurality of packets over at least one network link, the network including a first network component having memory and a processor and configured to store information in the memory about at least one of the plurality of packets, a method for detecting a target packet comprising:
receiving at least one of the plurality of packets over the link to obtain a received packet;
determining a representation of at least a portion of the received packet;
identifying a location in the memory;
associating a value with the location in the memory;
receiving a query message identifying a target packet at the first network component;
the first network component using the value associated with the location in the memory in processing the query message to determine if the target packet has been encountered;
creating a reply if the target packet has been encountered; and
the first network component making the reply available to the network if the target packet has been encountered;
wherein the reply is capable of being used as part of a method for locating an intrusion point of the target packet in the network.
Abstract
A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
954 Citations
38 Claims
1. (Independent claim; reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. In a network carrying a plurality of packets over at least one link, the network including a network component operatively coupled to the link and having a memory and a processor, a method for storing information about a plurality of packets received over the network, at least a portion of the information being used to locate an intrusion point for a first one of the plurality of packets, the method comprising:
receiving the first one of the plurality of packets;
determining a first representation of the first one of the plurality of packets over at least a portion thereof;
identifying a first location in the memory;
associating a value with the first location in the memory;
receiving a second one of the plurality of packets;
processing the second one of the plurality of packets to obtain information contained therein;
using the information contained in the second one of the plurality of packets to determine if the first one of the plurality of packets has been observed; and
making a reply available to the network, in response to receiving a query message identifying a target packet, if the information contained in the second one of the plurality of packets indicates that the first one of the plurality of packets has been observed, the reply capable of being used as part of a method for locating the intrusion point for the first one of the plurality of packets to assist in determining a source location of an intrusion point of the target packet in the network.
11. A system comprising:
a first interface for receiving at least one of a plurality of packets to obtain at least one received packet from a network;
a second interface for placing at least a subset of the at least one received packet onto a link;
a bus communicatively coupled to the first interface and the second interface;
a memory communicatively coupled to the bus, the memory for storing information about the at least one received packet in a machine-readable form;
a processor communicatively coupled to the bus and the memory, the processor configured for executing machine-readable instructions for processing the at least one received packet;
wherein the system is operable such that the memory is capable of storing the information in a form of one or more first representations for the at least one received packet, each of the one or more first representations determined from a corresponding one of the at least one received packet respectively;
wherein the system is operable to receive a query message including a second representation associated with a target packet in the network and use the stored one or more first representations in the memory in processing the query message to determine if the target packet has been encountered; and
wherein the system is operable to generate a reply after comparing the second representation to the stored one or more first representations;
wherein the reply is capable of being used for locating an intrusion point associated with the target packet in the network.
Dependent claims: 12 through 38.
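The block-hash comparison the Abstract describes and the query/reply exchange of claims 1, 10 and 11, worked through as an added Python example that is not part of the patent or of any implementation of it. The content-defined chunking (a rolling CRC over a 4-byte window deciding where variable-sized blocks end), the use of a Python set as the hash-indexed memory, the threshold of three matching blocks, and the component names are all assumptions of this example, and the payloads are constructed sample data.

```python
import hashlib
import zlib

WINDOW, DIVISOR, MIN_BLOCK = 4, 8, 8   # rolling window, boundary divisor, minimum block size
def variable_blocks(payload: bytes) -> list:
    # Content-defined chunking (assumed design): cut where crc32 of the last WINDOW bytes is 0 mod DIVISOR,
    # so block boundaries follow the bytes themselves rather than fixed offsets into the packet.
    blocks, start = [], 0
    for i in range(WINDOW, len(payload)):
        if i - start >= MIN_BLOCK and zlib.crc32(payload[i - WINDOW:i]) % DIVISOR == 0:
            blocks.append(payload[start:i])
            start = i
    blocks.append(payload[start:])
    return blocks

def representation(payload: bytes) -> set:
    # A packet's representation: the set of hashes of its variable-sized blocks.
    return {hashlib.sha256(b).digest() for b in variable_blocks(payload)}

class NetworkComponent:
    def __init__(self, name: str):
        self.name, self.memory = name, set()   # the set stands in for hash-indexed memory locations
    def observe(self, payload: bytes, threshold: int = 3) -> bool:
        # Flag a packet whose blocks already occur in prior traffic on this link, then record it.
        rep = representation(payload)
        suspicious = len(rep & self.memory) >= threshold
        self.memory |= rep
        return suspicious
    def handle_query(self, target_rep: set) -> dict:
        # Reply to a query message that identifies the target packet by its representation.
        return {"component": self.name, "encountered": target_rep <= self.memory}

def locate(components: list, target_payload: bytes) -> list:
    # Query every component; the ones replying 'encountered' trace the packet's path.
    rep = representation(target_payload)
    return [c.name for c in components if c.handle_query(rep)["encountered"]]

def constructed_bytes(label: bytes, n: int) -> bytes:
    # Deterministic pseudo-random bytes standing in for payloads (constructed sample data).
    return b"".join(hashlib.sha256(label + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

# Constructed samples: two polymorphic variants share a body behind different decryptor stubs.
BODY = constructed_bytes(b"worm body", 256)
VARIANT_A = constructed_bytes(b"decryptor A", 40) + BODY + constructed_bytes(b"padding A", 24)
VARIANT_B = constructed_bytes(b"decryptor B", 64) + BODY
BENIGN = constructed_bytes(b"benign traffic", 300)

def demo() -> tuple:
    r1, r2, r3 = (NetworkComponent(n) for n in ("R1", "R2", "R3"))
    r1.observe(VARIANT_A); r2.observe(VARIANT_A); r3.observe(BENIGN)   # first sightings: none flagged
    flagged = r1.observe(VARIANT_B)      # body blocks already in R1's memory: True
    r2.observe(VARIANT_B)
    return flagged, locate([r1, r2, r3], VARIANT_B)   # path of the target: ['R1', 'R2']
```

Because the boundaries depend on content, the body shared by the two variants yields identical blocks even though the stubs in front of it differ in length, which is what lets hashes from prior traffic match a polymorphic variant; a repeated benign payload would match too, so a deployment needs whitelisting or a higher threshold for common content.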