Interdicting malicious file propagation
Abstract
An approach is provided for interdicting malicious file propagation. Packets of a message being transferred to a destination device are received. In response to packet(s) of the message being received, the packet(s) are scanned by determining whether the packet(s) match a corresponding portion of a malicious file. If any of the scanned packet(s) do not match the corresponding portion of the malicious file, a transfer of subsequent packet(s) of the message to the destination device is permitted without performing a scan of the subsequent packet(s). If the scanned packet(s) including a last one or more packets of the message match corresponding portions of the malicious file, a transfer of the scanned packet(s) to the destination device is permitted, except a transfer of the last one or more packets of the message to the destination device is not permitted.
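The pass/block rule in the abstract can be traced with the following Python sketch. It is an added illustration, not code from the patent: `interdict` and `KNOWN_BAD` are hypothetical names, the sample bytes are constructed, and it assumes packets arrive in order, that the last packet is known (here, the end of the list), and that matching is done by byte offset into each known-malicious file.

```python
# Added illustration; names and sample bytes are constructed, not from the patent.
KNOWN_BAD = [b"AAAABBBBCCCCDD"]  # constructed stand-in for a known-malicious file

def interdict(packets, malicious_files=KNOWN_BAD):
    """Apply the pass/block rule to one message.

    packets: payload segments in arrival order; the last list element is
             taken to be the message's last packet (assumption).
    Returns (forwarded_packets, verdict, packets_scanned).
    """
    candidates = list(malicious_files)   # files matching every byte so far
    forwarded, scanned, offset = [], 0, 0
    scanning = True
    for n, pkt in enumerate(packets, start=1):
        is_last = (n == len(packets))
        if scanning:
            scanned += 1
            end = offset + len(pkt)
            # Compare this packet with the same byte range of each candidate.
            candidates = [f for f in candidates if f[offset:end] == pkt]
            offset = end
            if is_last and candidates:
                # Every packet matched: withhold only the final packet.
                return forwarded, "blocked", scanned
            if not candidates:
                scanning = False          # mismatch: later packets go unscanned
        forwarded.append(pkt)
    return forwarded, "passed", scanned

if __name__ == "__main__":
    bad = [b"AAAA", b"BBBB", b"CCCC", b"DD"]    # constructed matching message
    good = [b"AAAA", b"XXXX", b"CCCC", b"DD"]   # constructed, differs at packet 2
    print(interdict(bad))
    print(interdict(good))
```

When the verdict is "blocked", every packet except the last has already been forwarded, so the destination is left holding an incomplete copy of the file.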
9 Claims
1. A method for determining if a message is malicious, the method comprising the steps of:
(a) a computer scanning an Nth packet of an actual sequence of packets in the message beginning with N=1, determining whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determining whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, the computer passing the Nth packet to a destination of the message; and
(b) the computer incrementing N and repeating step (a) and the incrementing of N until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, the computer blocking the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, the computer passing the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, the computer passing substantially all subsequent packets in the actual sequence to the destination without scanning said subsequent packets.
4. A computer system for determining if a message is malicious, the computer system comprising:
one or more processors;
one or more computer-readable memories;
one or more computer-readable, storage devices; and
program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories, the program instructions comprising;
first program instructions to scan an Nth packet of an actual sequence of packets in the message beginning with N=1, determine whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determine whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, pass the Nth packet to a destination of the message; and
second program instructions to increment N and repeating an execution of the first program instructions and an incrementing of N by the second program instructions until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, block the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, pass the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, pass substantially all subsequent packets in the actual sequence to the destination without a scan of the subsequent packets.
7. A computer program product for determining if a message is malicious, the computer program product comprising:
computer-readable, storage device(s); and
program instructions stored on the computer-readable storage device(s), the program instructions comprising;
program instructions to scan, an Nth packet of an actual sequence of packets in the message beginning with N=1, determine whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determine whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, pass the Nth packet to a destination of the message; and
program instructions to increment N and repeating an execution of the program instructions to scan, determine whether the Nth packet and prior packets match the corresponding packet(s), and determine whether N is before the last packet, and to increment N by the second program instructions until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, block the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, pass the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, pass substantially all subsequent packets in the actual sequence to the destination without a scan of the subsequent packets.
Specification