Interdicting malicious file propagation

US 8,839,438 B2
Filed: 09/11/2012
Issued: 09/16/2014
Est. Priority Date: 12/03/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining if a message is malicious, the method comprising the steps of:

(a) a computer scanning an Nth packet of an actual sequence of packets in the message beginning with N=1, determining whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determining whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, the computer passing the Nth packet to a destination of the message; and

(b) the computer incrementing N and repeating step (a) and the incrementing of N until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, the computer blocking the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, the computer passing the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, the computer passing substantially all subsequent packets in the actual sequence to the destination without scanning said subsequent packets.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for interdicting malicious file propagation. Packets of a message being transferred to a destination device are received. In response to packet(s) of the message being received, the packet(s) are scanned by determining whether the packet(s) match a corresponding portion of a malicious file. If any of the scanned packet(s) do not match the corresponding portion of the malicious file, a transfer of subsequent packet(s) of the message to the destination device is permitted without performing a scan of the subsequent packet(s). If the scanned packet(s) including a last one or more packets of the message match corresponding portions of the malicious file, a transfer of the scanned packet(s) to the destination device is permitted, except a transfer of the last one or more packets of the message to the destination device is not permitted.

10 Citations

9 Claims

1. A method for determining if a message is malicious, the method comprising the steps of:
- (a) a computer scanning an Nth packet of an actual sequence of packets in the message beginning with N=1, determining whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determining whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, the computer passing the Nth packet to a destination of the message; and
  
  (b) the computer incrementing N and repeating step (a) and the incrementing of N until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, the computer blocking the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, the computer passing the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, the computer passing substantially all subsequent packets in the actual sequence to the destination without scanning said subsequent packets.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising the steps of:
    - the computer determining N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious; and
      
      based on N equaling the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence matching the corresponding packets in one of the set of messages predetermined to be malicious, the computer providing an indication to the destination to render the message harmless to the destination by discarding all packet(s) of the message that were passed to the destination.
  - 3. The method of claim 1, wherein the step of scanning and the step of repeating step (a) include applying a hash function to the Nth packet and to prior packets, if any, to determine a signature of the Nth packet and the prior packets, andwherein the step of determining whether the Nth packet and the prior packets, if any, match the corresponding packet(s) in one of the set of messages predetermined to be malicious includes the computer determining a signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious, and the computer determining whether the signature of the packet(s) of the Nth packet and the prior packets matches the signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious.

4. A computer system for determining if a message is malicious, the computer system comprising:
- one or more processors;
  
  one or more computer-readable memories;
  
  one or more computer-readable, storage devices; and
  
  program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories, the program instructions comprising;
  
  first program instructions to scan an Nth packet of an actual sequence of packets in the message beginning with N=1, determine whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determine whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, pass the Nth packet to a destination of the message; and
  
  second program instructions to increment N and repeating an execution of the first program instructions and an incrementing of N by the second program instructions until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, block the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, pass the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, pass substantially all subsequent packets in the actual sequence to the destination without a scan of the subsequent packets.
- View Dependent Claims (5, 6)
- - 5. The computer system of claim 4, further comprising:
    - third program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious; and
      
      fourth program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to provide, based on N equaling the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence matching the corresponding packets in one of the set of messages predetermined to be malicious, an indication to the destination to render the message harmless to the destination by discarding all packet(s) of the message that were passed to the destination by an execution of the first and second program instructions.
  - 6. The computer system of claim 4, wherein the first program instructions to scan and second program instructions to repeat the execution of the first program instructions apply a hash function to the Nth packet and to prior packets, if any, to determine a signature of the Nth packet and the prior packets, andwherein the first program instructions to determine whether the Nth packet and the prior packets, if any, match the corresponding packet(s) in one of the set of messages predetermined to be malicious determine a signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious, anddetermine whether the packet(s) of the message match the corresponding portion of the malicious file by determining whether the signature of the packet(s) of the Nth packet and the prior packets matches the signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious.

7. A computer program product for determining if a message is malicious, the computer program product comprising:
- computer-readable, storage device(s); and
  
  program instructions stored on the computer-readable storage device(s), the program instructions comprising;
  
  program instructions to scan, an Nth packet of an actual sequence of packets in the message beginning with N=1, determine whether the Nth packet and prior packets, if any, in the actual sequence, match corresponding packet(s) in one of a set of messages predetermined to be malicious, and determine whether N is before a last packet in the actual sequence, and if N is before the last packet in the actual sequence, pass the Nth packet to a destination of the message; and
  
  program instructions to increment N and repeating an execution of the program instructions to scan, determine whether the Nth packet and prior packets match the corresponding packet(s), and determine whether N is before the last packet, and to increment N by the second program instructions until either (i) N equals the last packet in the actual sequence or (ii) the Nth packet, which is before the last packet in the actual sequence, and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, and if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious, block the last packet in the sequence from being sent to the destination, if N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence do not match a corresponding segment of any of the set of messages predetermined to be malicious, pass the last packet in the actual sequence to the destination, or if N is before the last packet in the actual sequence, pass substantially all subsequent packets in the actual sequence to the destination without a scan of the subsequent packets.
- View Dependent Claims (8, 9)
- - 8. The program product of claim 7, further comprising:
    - program instructions, stored on the storage device(s), to determine N equals the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence match the corresponding packets in one of the set of messages predetermined to be malicious; and
      
      program instructions, stored on the storage device(s), to provide, based on N equaling the last packet in the actual sequence and the Nth packet and all prior packets in the actual sequence matching the corresponding packets in one of the set of messages predetermined to be malicious, an indication to the destination to render the message harmless to the destination by discarding all packet(s) of the message that were passed to the destination by an execution of the program instructions to pass the Nth packet to the destination and the program instructions to pass substantially all subsequent packets in the actual sequence to the destination.
  - 9. The program product of claim 7, wherein the program instructions to scan and the program instructions to repeat apply a hash function to the Nth packet and to prior packets, if any, to determine a signature of the Nth packet and the prior packets, andwherein the program instructions to determine whether the Nth packet and the prior packets, if any, match the corresponding packet(s) in one of the set of messages predetermined to be malicious determine a signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious, and determine whether the signature of the packet(s) of the Nth packet and the prior packets matches the signature of the corresponding packet(s) in one of the set of messages predetermined to be malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Franklin, Douglas North, Mays, Richard C.
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US13/609,308
Publication Number

US 20130007884A1
Time in Patent Office

735 Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

H04L 9/08   Key distribution or managem...

Interdicting malicious file propagation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Interdicting malicious file propagation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others