Evaluation of a fast and robust worm detection algorithm
First Claim
Patent Images
1. A method of detecting worm propagation, comprising:
- using a processor foridentifying unsolicited traffic within traffic in a network;
isolating the unsolicited traffic;
determining an arrival rate of unsolicited traffic based on at leasta cumulative summing value that indicates unsolicited traffic arrival andan exponentially weighted moving average estimate of the arrival rate;
determining whether the cumulative summing value exceeds a selected threshold;
determining a local maximum of the cumulative summing value;
determining whether the cumulative summing value decreases with respect to the local maximum; and
identifying worm propagation based on the cumulative summing value increasing or remaining essentially the same with respect to the local maximum for a plurality of sequential cumulative summing values.
8 Assignments
0 Petitions
Accused Products
Abstract
A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited (i.e., packets that were not requested by the receiver) traffic is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicate whether the changes are due to worm propagation.
14 Citations
7 Claims
-
1. A method of detecting worm propagation, comprising:
-
using a processor for identifying unsolicited traffic within traffic in a network; isolating the unsolicited traffic; determining an arrival rate of unsolicited traffic based on at least a cumulative summing value that indicates unsolicited traffic arrival and an exponentially weighted moving average estimate of the arrival rate; determining whether the cumulative summing value exceeds a selected threshold; determining a local maximum of the cumulative summing value; determining whether the cumulative summing value decreases with respect to the local maximum; and identifying worm propagation based on the cumulative summing value increasing or remaining essentially the same with respect to the local maximum for a plurality of sequential cumulative summing values. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeWSOU Investments, LLC (WSOU Holdings, LLC)
-
Original AssigneeAlcatel-Lucent SA (Nokia Corporation)
-
InventorsBu, Tian, Woo, Thomas, VANDER WIEL, Scott Alan, Chen, Aiyou
-
Primary Examiner(s)Zand, Kambiz
-
Assistant Examiner(s)Tran, Tongoc
-
Application NumberUS14/096,145Publication NumberTime in Patent Office573 DaysField of Search726 22- 26US Class Current1/1CPC Class CodesG06F 21/561 Virus type analysisH04L 63/1425 Traffic logging, e.g. anoma...H04L 63/145 the attack involving the pr...
