System and method of containing computer worms
First Claim
1. A computer worm containment system in communication with a real communication network, the system comprising:
- a computer worm detection system including a traffic analysis device coupled in communication with the real communication network and configured to identify and copy network traffic having characteristics associated with a computer worm in the real communication network, a hidden computer network configured to detect anomalies, and a controller coupled to the hidden computer network, the controller being configured to (a) receive the copied network traffic, (b) replay the copied network traffic and a plurality of network activities generated within the hidden computer network in accordance with an identified pattern of activities, (c) monitor behavior of the hidden network in response to the replay of the copied network traffic and the plurality of network activities, and (d) determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm, the identifier associated with anomalous character of the computer worm and the anomalous character of the computer worm being determined by comparing the monitored behavior in the hidden computer network with behavior expected from the identified pattern of activities; and
a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the real communication network.
Abstract
A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.
484 Citations
54 Claims
37. A method of containing a computer worm, the method comprising:
- detecting the computer worm by identifying and copying network traffic within a real communication network that is characteristic of a computer worm, replaying the copied network traffic in accordance with a plurality of network activities within a hidden computer network configured to detect anomalies, monitoring behavior of the hidden computer network in response to the replay of the copied network traffic and the plurality of network activities, and determining an identifier of the computer worm based on anomalous behavior caused within the hidden computer network by the computer worm, using a controller coupled to the hidden computer network for the determining, the identifier associated with anomalous character of the computer worm and the anomalous character of the computer worm being determined by comparing monitored behavior in the hidden computer network with behavior expected after conducting the plurality of network activities;
- providing the identifier to a computer worm blocking system of the real communication network; and
- blocking the computer worm from propagating within the real communication network using the identifier.
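The detection-then-blocking procedure of the abstract and of claim 37 (orchestrate a known pattern of activities in the hidden network, replay the copied traffic, treat any behavior beyond the expected pattern as anomalous, derive an identifier from it, hand that identifier to the blocking system) is modelled below as an added, simplified simulation; it is not code from the patent, and the flow tuples, addresses and payload bytes are constructed sample data.

```python
from collections import Counter
from hashlib import sha256

# Constructed sample data. Each flow is (src, dst, dport, payload).
# The hidden (decoy) network only ever sees what the controller injects,
# so any flow it produces beyond that is anomalous by construction.
ORCHESTRATED_PATTERN = [          # the identified pattern of activities
    ("10.9.0.2", "10.9.0.10", 80, b"GET /index.html"),
    ("10.9.0.3", "10.9.0.10", 80, b"GET /index.html"),
    ("10.9.0.2", "10.9.0.11", 25, b"EHLO decoy"),
]
COPIED_TRAFFIC = [                # traffic flagged and copied from the real network
    ("192.0.2.7", "10.9.0.10", 445, b"\x00\x00\x00\x85\xffSMB"),
]
# Constructed observation after the replay: the injected flows plus two new
# flows that decoy host 10.9.0.10 started on its own (propagation attempts).
OBSERVED = ORCHESTRATED_PATTERN + COPIED_TRAFFIC + [
    ("10.9.0.10", "10.9.0.11", 445, b"\x00\x00\x00\x85\xffSMB"),
    ("10.9.0.10", "10.9.0.12", 445, b"\x00\x00\x00\x85\xffSMB"),
]

def expected_behavior(pattern, replayed):
    """Behavior expected in the hidden network: exactly the flows the controller injected."""
    return Counter(pattern) + Counter(replayed)

def anomalous_flows(observed, expected):
    """Flows the hidden network produced beyond what the replay alone explains."""
    return list((Counter(observed) - expected).elements())

def derive_identifier(anomalies):
    """Identifier of the worm: the (port, payload fingerprint) shared by its propagation flows."""
    keys = Counter((dport, sha256(p).hexdigest()[:16]) for _, _, dport, p in anomalies)
    (dport, digest), _ = keys.most_common(1)[0]
    return {"dport": dport, "payload_fp": digest}

def block(flow, identifier):
    """Blocking system: True when a real-network flow matches the identifier and must be dropped."""
    _, _, dport, payload = flow
    return dport == identifier["dport"] and sha256(payload).hexdigest()[:16] == identifier["payload_fp"]

def contain(pattern, copied, observed):
    """Full controller cycle: compare observed with expected, derive the identifier."""
    anomalies = anomalous_flows(observed, expected_behavior(pattern, copied))
    return derive_identifier(anomalies) if anomalies else None

if __name__ == "__main__":
    ident = contain(ORCHESTRATED_PATTERN, COPIED_TRAFFIC, OBSERVED)
    print("worm identifier:", ident)
```

A real deployment would fingerprint on more than one field and normalize variable bytes before hashing; the point shown here is that the identifier comes from the difference between monitored and expected behavior, not from a pre-existing signature.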
Specification