System and method of containing computer worms

US 8,549,638 B2
Filed: 06/13/2005
Issued: 10/01/2013
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A computer worm containment system in communication with a real communication network, the system comprising:

a computer worm detection system includinga traffic analysis device coupled in communication with the real communication network and configured to identify and copy network traffic having characteristics associated with a computer worm in the real communication network,a hidden computer network configured to detect anomalies, anda controller coupled to the hidden computer network, the controller being configured to (a) receive the copied network traffic, (b) replay the copied network traffic and a plurality of network activities generated within the hidden computer network in accordance with an identified pattern of activities, (c) monitor behavior of the hidden network in response to the replay of the copied network traffic and the plurality of network activities, and (d) determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm, the identifier associated with anomalous character of the computer worm and the anomalous character of the computer worm being determined by comparing the monitored behavior in the hidden computer network with behavior expected from the identified pattern of activities; and

a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the real communication network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.

484 Citations

54 Claims

1. A computer worm containment system in communication with a real communication network, the system comprising:
- a computer worm detection system includinga traffic analysis device coupled in communication with the real communication network and configured to identify and copy network traffic having characteristics associated with a computer worm in the real communication network,a hidden computer network configured to detect anomalies, anda controller coupled to the hidden computer network, the controller being configured to (a) receive the copied network traffic, (b) replay the copied network traffic and a plurality of network activities generated within the hidden computer network in accordance with an identified pattern of activities, (c) monitor behavior of the hidden network in response to the replay of the copied network traffic and the plurality of network activities, and (d) determine an identifier of a computer worm based on anomalous behavior caused within the hidden computer network by the computer worm, the identifier associated with anomalous character of the computer worm and the anomalous character of the computer worm being determined by comparing the monitored behavior in the hidden computer network with behavior expected from the identified pattern of activities; and
  
  a computer worm blocking system configured to receive the identifier and use the identifier to block the computer worm from propagating within the real communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 44)
- - 2. The computer worm containment system of claim 1 wherein the traffic analysis device, including hardware for coupling to the real communication network, is configured to duplicate a portion of the network traffic traveling over the real communication network as the copied network traffic and provide the copied network traffic with the characteristics associated with the computer worm.
  - 3. The computer worm containment system of claim 1 wherein the identified pattern of activities comprises one or more computing services to be performed in the hidden computer network.
  - 4. The computer worm containment system of claim 1 wherein the anomalous behavior includes a communication anomaly.
  - 5. The computer worm containment system of claim 1 wherein the anomalous behavior includes an execution anomaly.
  - 6. The computer worm containment system of claim 1 wherein the identifier includes a signature.
  - 7. The computer worm containment system of claim 6 wherein the signature includes a destination port and a sequence of tokens.
  - 8. The computer worm containment system of claim 1 wherein the identifier includes a vector.
  - 9. The computer worm containment system of claim 1 wherein the controller is further configured to generate a recovery script.
  - 10. The computer worm containment system of claim 9 wherein the computer worm blocking system is further configured to use the recovery script to disable the computer worm within the real communication network.
  - 11. The computer worm containment system of claim 9 wherein the computer worm blocking system is further configured to use the recovery script to repair damage caused by the computer worm within the real communication network.
  - 12. The computer worm containment system of claim 9 wherein the recovery script includes a detection process for detecting the computer worm and a recovery process for disabling the computer worm.
  - 13. The computer worm containment system of claim 1 wherein the computer worm blocking system includes a blocking device integrated within a computing service of the real communication network.
  - 14. The computer worm containment system of claim 1 wherein the computer worm blocking system includes multiple blocking devices and a computer worm blocking manager that coordinates operations between the blocking devices.
  - 15. The computer worm containment system of claim 1 wherein the computer worm detection system and the computer worm blocking system are collocated.
  - 16. The computer worm containment system of claim 1 wherein communications between the computer worm detection system and the computer worm blocking system are cryptographically authenticated.
  - 17. The computer worm containment system of claim 1 wherein the computer worm blocking system is configured to load a signature into a content filter to block the computer worm.
  - 18. The computer worm containment system of claim 1 wherein the computer worm blocking system is configured to block a computer worm transportation vector by using a transport level action control list.
  - 19. The computer worm containment system of claim 1 wherein the computer worm blocking system includes an inline signature based Intrusion Detection and Protection system.
  - 20. The computer worm containment system of claim 1 wherein the computer worm blocking system includes a router that employs Network Based Application Recognition to classify and apply a policy to data packets.
  - 21. The computer worm containment system of claim 1 wherein the hidden computer network is transparent to the real communication network.
  - 22. The computer worm containment system of claim 1 wherein the hidden computer network is a virtual computer network that comprises one or more virtual computing systems.
  - 23. The computer worm containment system of claim 1 wherein being configured to replay includes being configured to configure destination addresses of the network traffic for compatibility with the hidden computer network.
  - 24. The computer worm containment system of claim 1 wherein the identifier characterizes the anomalous behavior.
  - 25. The computer worm containment system of claim 24 wherein the anomalous behavior comprises an unexpected occurrence in the monitored behavior.
  - 26. The computer worm containment system of claim 1 wherein the anomalous character of the computer worm comprises being statistically correlated to suspicious network traffic and not being statistically correlated to benign network traffic.
  - 27. The computer worm containment system of claim 26 wherein the suspicious network traffic includes an unusual byte sequence.
  - 28. The computer worm containment system of claim 1 wherein the network traffic that is characteristic of a computer worm is configured to duplicate itself for propagation.
  - 29. The computer worm containment system of claim 1 wherein the computer worm is executable malicious code associated with the copied network traffic.
  - 30. The computer worm containment system of claim 1 wherein the computer worm is a passive computer worm being information attached to the network traffic and propagated along with the network traffic and the copied network traffic.
  - 31. The computer worm containment system of claim 1 wherein the hidden computer network comprises one or more virtual computing systems, the one or more virtual computing systems being configured to detect the anomalous character of the computer worm.
  - 32. The computer worm containment system of claim 31, wherein the controller comprises a replayer that is configured to receive the copied network traffic and to replay the plurality of network activities in the hidden computer network.
  - 33. The computer worm containment system of claim 32, wherein the replayer comprises a protocol sequence replayer that receives data packets being part of the copied network traffic from the traffic analysis device and controls a duplication of network operations including the plurality of network activities on the data packets by a first virtual computing system of the one or more virtual computing systems.
  - 34. The computer worm containment system of claim 32, wherein the replayer comprises a protocol sequence replayer that receives the copied network traffic from the traffic analysis device and conducts the plurality of network activities on one or more data packets of the copied network traffic within a first virtual computing system of the one or more virtual computing systems.
  - 35. The computer worm containment system of claim 31, wherein each of the one or more virtual computing systems includes a different software profile.
  - 36. The computer worm containment system of claim 35, wherein a first virtual computing system of the one or more virtual computing systems includes a browser as a software profile to replay operations similar to operations by a web browser operating in the real communication network.
  - 38. The method of claim 22 wherein identifying the network traffic within the real communication network that is characteristic of the computer worm includes using a heuristic analysis technique.
  - 44. The method of claim 22 wherein the network traffic that is characteristic of a computer worm is configured to duplicate itself for propagation.

37. A method of containing a computer worm, the method comprising:
- detecting the computer worm byidentifying and copying network traffic within a real communication network that is characteristic of a computer worm,replaying the copied network traffic in accordance with a plurality of network activities within a hidden computer network configured to detect anomalies,monitoring behavior of the hidden computer network in response to the replay of the copied network traffic and the plurality of network activities, anddetermining an identifier of the computer worm based on anomalous behavior caused within the hidden computer network by the computer worm, using a controller coupled to the hidden computer network for the determining, the identifier associated with anomalous character of the computer worm and the anomalous character of the computer worm being determined by comparing monitored behavior in the hidden computer network with behavior expected after conducting the plurality of network activities;
  
  providing the identifier to a computer worm blocking system of the real communication network; and
  
  blocking the computer worm from propagating within the real communication network using the identifier.
- View Dependent Claims (39, 40, 41, 42, 43, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 39. The method of claim 37 further comprising generating a recovery script a and providing the recovery script to the computer worm blocking system.
  - 40. The method of claim 37 wherein the identifier characterizes the anomalous behavior.
  - 41. The method of claim 40 wherein the anomalous behavior comprises an unexpected occurrence in the monitored behavior.
  - 42. The method of claim 37 wherein the anomalous character of the computer worm comprises being statistically correlated to suspicious network traffic and not being statistically correlated to benign network traffic.
  - 43. The computer worm containment system of claim 42 wherein the suspicious network traffic includes an unusual byte sequence.
  - 45. The method of claim 37 wherein the copying of the network traffic is conducted by a traffic analysis device that includes hardware for coupling to the real communication network, the traffic analysis device is configured to duplicate a portion of the network traffic traveling over the real communication network as the copied network traffic and provide the copied network traffic with the characteristics associated with the computer worm.
  - 46. The method of claim 37 wherein the plurality of network activities comprises one or more computing services to be performed in the hidden computer.
  - 47. The method of claim 37 wherein the computer worm is malicious code associated with the copied network traffic.
  - 48. The method of claim 37 wherein the computer worm is a passive computer worm being information attached to the network traffic and propagated along with the network traffic and the copied network traffic.
  - 49. The method of claim 37 wherein the hidden computer network comprises one or more virtual computing systems, the one or more virtual computing systems being configured to detect the anomalous character of the computer worm.
  - 50. The method of claim 49, wherein the controller comprises a replayer that is configured to receive the copied network traffic and to replay the plurality of network activities in the hidden computer network.
  - 51. The method of claim 50, wherein the replayer comprises a protocol sequence replayer that receives data packets being part of the copied network traffic from the traffic analysis device and controls a duplication of network operations including the plurality of network activities on the data packets by a first virtual computing system of the one or more virtual computing systems.
  - 52. The method of claim 50, wherein the replayer comprises a protocol sequence replayer that receives the copied network traffic from the traffic analysis device and conducts the plurality of network activities on one or more data packets of the copied network traffic within a first virtual computing system of the one or more virtual computing systems.
  - 53. The method of claim 49, wherein each of the one or more virtual computing systems includes a different software profile.
  - 54. The method of claim 53, wherein a first virtual computing system of the one or more virtual computing systems includes a browser as a software profile to replay operations of a web browser operating in the real communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Traore, Fatoumata

Application Number

US11/151,812
Publication Number

US 20110099633A1
Time in Patent Office

3,032 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method of containing computer worms

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

484 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of containing computer worms

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

484 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links