System and method of detecting computer worms
First Claim

1. A system for detecting a computer worm, comprising:
- a traffic analysis device configured to identify and copy network traffic traveling over a communication network, the network traffic having a characteristic associated with one or more computer worms;
- a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies; and
- a controller communicatively coupled with the memory and in communication with the traffic analysis device, the controller being configured to (i) receive the copied network traffic, (ii) replay the copied network traffic and a plurality of network activities in the computer network, (iii) monitor a behavior of the computer network in response to the replay of the copied network traffic and the plurality of network activities, (iv) identify an anomalous behavior as an unexpected occurrence in the monitored behavior to detect a computer worm of the one or more computer worms, and (v) create an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a signature that is associated with the anomalous behavior for detecting a presence of the computer worm in the second computer network.
7 Assignments
0 Petitions
Abstract
A computer worm detection system orchestrates a sequence of network activities in a computer network and monitors the computer network to identify an anomalous behavior of the computer network. The computer worm detection system then determines whether the anomalous behavior is caused by the computer worm and can determine an identifier for detecting the computer worm based on the anomalous behavior. The computer worm detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm.
474 Citations
100 Claims
1. A system for detecting a computer worm (independent claim; full text given under First Claim above). Dependent claims: 2 to 43.
44. A method for detecting a computer worm, comprising the steps of:
- identifying and copying network traffic traveling over a communication network by a traffic analysis device, the network traffic having a characteristic associated with one or more computer worms;
- replaying the copied network traffic received from the traffic analysis device and a plurality of network activities in a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies;
- monitoring a behavior of the computer network in response to the replay of the copied network traffic and the plurality of network activities;
- identifying an anomalous behavior as an unexpected occurrence in the monitored behavior to detect a computer worm of the one or more computer worms; and
- creating an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a signature associated with the anomalous behavior for detecting a presence of the computer worm in the second computer network.
Dependent claims: 45 to 72.
73. A system for detecting a computer worm, comprising:
- means for identifying and copying network traffic having a characteristic associated with one or more computer worms;
- means for replaying the copied network traffic and a plurality of network activities in a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies;
- means for monitoring a behavior of the computer network;
- means for identifying an anomalous behavior as an unexpected occurrence in the monitored behavior;
- means for comparing the anomalous behavior with the monitored behavior to detect a computer worm of the one or more computer worms; and
- means for creating an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a signature that is associated with the anomalous behavior for detecting a presence of the computer worm in the second computer network.
Dependent claims: 74 to 78.
79. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for detecting a computer worm, the method comprising:
- identifying and copying network traffic that is characteristic of a computer worm in a communication network;
- replaying the copied network traffic and a plurality of network activities in a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies;
- monitoring a behavior of the computing network;
- identifying an anomalous behavior as an unexpected occurrence in the monitored behavior;
- comparing the anomalous behavior with the monitored behavior to detect a computer worm; and
- creating an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises one or more of (1) a signature associated with anomalous behavior of the computer worm for detecting a presence of the computer worm in the second computer network, or (2) a vector associated with a sequence of paths traveled by the computer worm in the computer network, or (3) a vector associated with the anomalous behavior of the computer network, the vector includes a set of values, where each value includes a port number and identifies a transport protocol.
Dependent claims: 80 and 81.
82. A system comprising:
- a traffic analysis device configured to identify and copy network traffic, the network traffic having a characteristic associated with one or more computer worms;
- a computer network that comprises one or more virtual computing systems, the one or more virtual computing systems are configured to detect anomalies within the copied network traffic; and
- a controller communicatively in communication with the traffic analysis device and the computer network, the controller being configured to (i) receive the copied network traffic, (ii) replay the copied network traffic and a plurality of network activities in the one or more computing systems, (iii) monitor a behavior of the one or more computing systems in response to the replay of the copied network traffic and the plurality of network activities, (iv) identify an anomalous behavior as an unexpected occurrence in the monitored behavior to detect a computer worm of the one or more computer worms, and (v) create an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a signature associated with the anomalous behavior associated for detecting a presence of the computer worm in the second computer network.
Dependent claims: 83 to 92.
93. A system for detecting a computer worm, comprising:
- a traffic analysis device configured to identify and copy network traffic, the network traffic having a characteristic associated with one or more computer worms;
- a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies; and
- a controller communicatively coupled with the memory and in communication with the traffic analysis device, the controller being configured to (i) receive the copied network traffic, (ii) replay the copied network traffic and a plurality of network activities in the computer network, (iii) monitor a behavior of the computer network in response to the replay of the copied network traffic and the plurality of network activities, (iv) identify an anomalous behavior as an unexpected occurrence in the monitored behavior to detect a computer worm of the one or more computer worms, and (v) create an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a vector that characterizes a sequence of paths traveled by the computer worm in the computer network.
Dependent claims: 94 to 96.
97. A system for detecting a computer worm, comprising:
- a traffic analysis device configured to identify and copy network traffic, the network traffic having a characteristic associated with one or more computer worms;
- a computer network communicatively coupled with a memory, the computer network being configured to detect anomalies; and
- a controller communicatively coupled with the memory and in communication with the traffic analysis device, the controller being configured to (i) receive the copied network traffic, (ii) replay the copied network traffic and a plurality of network activities in the computer network, (iii) monitor a behavior of the computer network in response to the replay of the network traffic and the plurality of network activities, (iv) identify an anomalous behavior as an unexpected occurrence in the monitored behavior to detect a computer worm of the one or more computer worms, and (v) create an identifier associated with the anomalous behavior for subsequently detecting the computer worm in a second computer network different than the computer network, wherein the identifier comprises a vector associated with the anomalous behavior of the computer network, the vector includes a set of values, where each value includes a port number and identifies a transport protocol.
Dependent claims: 98 to 100.
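The independent claims above describe the same pipeline from several angles: orchestrate known network activities in an isolated network, replay copied suspicious traffic alongside them, treat whatever was not expected as the anomalous behavior, and turn that behavior into an identifier (claim 93's sequence-of-paths vector, claim 97's port-and-transport-protocol vector) that can be checked against a second network. The following is an added illustration of that idea in Python; it is not code from the patent or its assignee. It assumes a simplified flow record (time, source, destination, destination port, transport protocol), defines "unexpected occurrence" narrowly as a (port, protocol) pair never seen during the baseline run of the orchestrated activities, and uses constructed sample flows throughout.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (simplified, assumed record format)."""
    t: int        # relative time in seconds
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port number
    proto: str    # transport protocol, "tcp" or "udp"


# Constructed sample data, not taken from the patent.
# Baseline: behavior seen while only the orchestrated network activities run.
BASELINE_FLOWS = [
    Flow(0, "10.0.0.1", "10.0.0.2", 80, "tcp"),
    Flow(1, "10.0.0.2", "10.0.0.3", 443, "tcp"),
    Flow(2, "10.0.0.1", "10.0.0.4", 53, "udp"),
]
# Replay: the same activities plus the copied suspicious traffic.
REPLAY_FLOWS = [
    Flow(0, "10.0.0.1", "10.0.0.2", 80, "tcp"),
    Flow(1, "10.0.0.2", "10.0.0.3", 445, "tcp"),   # not in baseline
    Flow(2, "10.0.0.2", "10.0.0.3", 443, "tcp"),
    Flow(3, "10.0.0.3", "10.0.0.4", 445, "tcp"),   # not in baseline
    Flow(4, "10.0.0.3", "10.0.0.4", 135, "tcp"),   # not in baseline
    Flow(5, "10.0.0.1", "10.0.0.4", 53, "udp"),
]
# Traffic from a second, different network that the identifier is applied to.
SECOND_NET_FLOWS = [
    Flow(0, "10.1.0.5", "10.1.0.7", 445, "tcp"),
    Flow(1, "10.1.0.5", "10.1.0.7", 135, "tcp"),
    Flow(2, "10.1.0.6", "10.1.0.8", 445, "tcp"),
    Flow(3, "10.1.0.6", "10.1.0.8", 443, "tcp"),
]


def anomalous_flows(baseline, replay):
    """Replay flows whose (port, protocol) never occurred in the baseline run.

    This is the 'unexpected occurrence in the monitored behavior' of the
    claims, reduced to a set-difference on (port, protocol) for illustration.
    """
    expected = {(f.dport, f.proto) for f in baseline}
    return [f for f in sorted(replay, key=lambda f: f.t)
            if (f.dport, f.proto) not in expected]


def port_vector(flows):
    """Identifier in the style of claim 97: a set of (port, protocol) values."""
    return sorted({(f.dport, f.proto) for f in flows})


def path_vector(flows):
    """Identifier in the style of claim 93: the sequence of host-to-host paths
    the anomalous traffic traveled, in time order, with repeats collapsed."""
    paths = []
    for f in sorted(flows, key=lambda f: f.t):
        hop = (f.src, f.dst)
        if not paths or paths[-1] != hop:
            paths.append(hop)
    return paths


def flag_hosts(flows, vector):
    """Hosts in another network whose outbound (port, protocol) set covers
    every value of the identifier vector; returned sorted for stable output."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dport, f.proto))
    needed = set(vector)
    return sorted(host for host, ports in seen.items() if needed <= ports)


if __name__ == "__main__":
    anomalies = anomalous_flows(BASELINE_FLOWS, REPLAY_FLOWS)
    ports = port_vector(anomalies)
    print("port/protocol vector:", ports)
    print("path vector:", path_vector(anomalies))
    print("flagged in second network:", flag_hosts(SECOND_NET_FLOWS, ports))
```

The coverage test in `flag_hosts` is deliberately strict (a host must exhibit every value in the vector), which keeps false positives low on the sample but means a worm that probes only a subset of its ports on a given host would be missed; a real deployment would tune that threshold and would combine the port vector with the path vector rather than rely on either alone.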
Specification