Propagation of viruses through an information technology network

US 9,197,602 B2
Filed: 06/09/2003
Issued: 11/24/2015
Est. Priority Date: 06/07/2002
Status: Active Grant

First Claim

Patent Images

1. A method of restricting propagation of viruses in a network having a plurality of hosts, said method comprising the steps of:

monitoring network traffic from a first host of the plurality of hosts and establishing a record which is at least indicative of identities of hosts to whom data has been sent by the first host; and

limiting, at the first host, sending of data from the first host to other hosts within the network over the course of a first time interval, so that during the first time interval the first host is able to send data to no more than a predetermined, greater than zero, number of hosts not in the record.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests to send data from a first host within a network of hosts are monitored against a record of destination hosts that have been sent data in accordance with a predetermined policy. Destination host identities (not the record) are stored in a buffer. The buffer size is monitored to determine whether requests from the first host are pursuant to viral activity therein.

22 Citations

35 Claims

1. A method of restricting propagation of viruses in a network having a plurality of hosts, said method comprising the steps of:
- monitoring network traffic from a first host of the plurality of hosts and establishing a record which is at least indicative of identities of hosts to whom data has been sent by the first host; and
  
  limiting, at the first host, sending of data from the first host to other hosts within the network over the course of a first time interval, so that during the first time interval the first host is able to send data to no more than a predetermined, greater than zero, number of hosts not in the record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. A method according to claim 1 wherein the record is established by monitoring the identities of hosts to which data has been sent by the first host over the course of a further time interval which precedes the first time interval.
  - 3. A method according to claim 2 further comprising the step of updating the record to include the identity of at least one host to which data was sent by the first host during the first time interval and which was not in the record during the further time interval.
  - 4. A method according to claim 3 wherein the record contains a predetermined number of identities, and upon updating the record with the identity of a host not previously in the record, the identity of a host previously stored in the record is deleted from the record.
  - 5. A method according to claim 2 wherein the first and further time intervals are of predetermined duration.
  - 6. A method according to claim 5 wherein the first and further time intervals are of equal duration.
  - 7. A method according to claim 1, wherein the method further includes the step of generating at least one request to send data from the first host to a second host within the network, and wherein identities of hosts to whom data has been sent from the first host are monitored by monitoring said at least one request.
  - 8. A method according to claim 7 further comprising the step of determining whether said at least one request includes at least one sub-request to send further data from the first host to a further host on whose behalf a destination host specified in the request acts as a proxy for receipt of the further data.
  - 9. A method according to claim 8, further comprising establishing a further record of other hosts within the network having an identity specified in the at least one sub-request, andlimiting, at the first host, sending passage of further data from the first host to other hosts within the network during the first time interval, so that during the first time interval the first host is able to send further data to no more than a predetermined number, greater than zero, of hosts not in the further record.
  - 10. A method according to claim 1 further comprising the step of diverting requests to contact hosts not in the record to a delay buffer.
  - 11. A method according to claim 10 further comprising the step of, at the end of the first time interval, transmitting the predetermined number of requests from the delay buffer.
  - 12. A method according to claim 11 further comprising the step of generating a virus warning signal in response to a determination indicating the size of a delay buffer exceeds a predetermined size.
  - 13. A method according to claim 10 further comprising the step of generating a virus warning signal in response to a determination indicating the rate of increase of the size of the delay buffer exceeds a predetermined rate.
  - 14. A method according to claim 10 further comprising the step of generating a virus warning signal in response to a determination indicating there is an increase in the size of the delay buffer per time interval that exceeds a predetermined size.
  - 15. A method according to claim 10 further comprising the step of generating a signal in response to a determination indicating the size of the delay buffer exceeds a predetermined size for a predetermined number of successive time intervals.
  - 16. A method according to claim 1 further comprising the steps of:
    - determining the value of a parameter “
      
      slack”
      
      based upon a number of successive time periods that pass when no new requests are made to send data from the first hosts to hosts not in the record; and
      
      allowing un-impeded passage of data from the first host to other hosts not in the record in response to said slack exceeding a predetermined value.
  - 17. A method as claimed in claim 16, further comprising the step of diverting requests to contact hosts not in the record to a delay buffer, and determining said slack based upon a number of successive time periods during which the buffer is empty.
  - 18. A method as claimed in claim 16, wherein said slack has a predetermined maximum value.
  - 19. A method as claimed in claim 16, further comprising decrementing said slack each time an un-impeded passage of data form the first host to a host not in the record is allowed.
  - 20. A method according to claim 16, wherein said time periods have the same duration as at least one of said time intervals.
  - 21. A method as claimed in claim 1, further including varying with time at least one parameter selected from the group consisting of:
    - number of hosts in the record; and
      
      the predetermined numbers of hosts not in the record.
  - 22. A method as claimed in claim 21, wherein at least one of the parameters is varied as a function of the time of day.
  - 23. A method as claimed in claim 21, wherein at least one of the parameters is varied in response to a perceived threat level.
  - 24. A method as claimed in claim 21, wherein at least one of the parameters is changed between a first set of values and a second set of values at a predetermined rate.
  - 25. A method as claimed in claim 21, wherein at least one value of at least one of the parameters is randomly changed according to a predetermined probability distribution as a function of time.
  - 26. A method as claimed in claim 1, further including varying at least one parameter selected from the group consisting of:
    - (a) number of hosts in the record; and
      
      (b) the predetermined numbers of hosts not in the record; and
      
      determining the value of at least on of the parameters by performing an automated search on a set of data indicative of normal network traffic.
  - 27. A method according to claim 1 further comprising the steps of:
    - receiving a request to send a multiple recipient email from the first host,determining the value of a mslack parameter based upon a number of successive time periods that pass when no multiple recipient emails are sent from the first host; and
      
      allowing un-impeded passage of the multiple recipient email in response to said mslack parameter exceeding a predetermined value.
  - 28. A method according to claim 27, further comprising allowing the multiple recipient email to have un-impeded passage in response to said mslack parameter being greater than or equal to a number of intended recipients of the email.
  - 29. A method as claimed in claim 27, further including setting said mslack parameter to zero in response to the multiple recipient email being sent.
  - 30. A method as claimed in claim 27, wherein said mslack parameter has a predetermined maximum value.
  - 31. A method according to claim 27, wherein said time periods are of equal duration to at least one of said time intervals.

32. A host having a gateway for outbound data intended for destination hosts, the gateway being adapted to:
- monitor internal requests to send data from said host to the destination hosts;
  
  maintain a record of identities of destination hosts in a network to which data has been sent from said host; and
  
  prevent dispatch of data from said host, over the course of a first time interval, to more than a predetermined, non-zero number of destination hosts whose identities are not in the record.
- View Dependent Claims (33, 34)
- - 33. A host according to claim 32 wherein the gateway is adapted to:
    - monitor the internal requests to send data from said host to a destination over the course of a series of time intervals,maintain said record on a first-in first-out basis, andprevent, during each said time interval, the dispatch of data from said host to no more than said predetermined, non-zero number of destination hosts whose identities are not currently in the record.
  - 34. A host according to claim 33 wherein the gateway is adapted to divert to a delay buffer, requests to send data from said host to destination hosts whose identities are not currently in the record.

35. A method of restricting propagation of viruses from a first host in a network having a plurality of hosts, said method comprising the steps of:
- providing, at the first host, a gateway for limiting sending of data from the first host to other hosts of said plurality;
  
  monitoring network traffic from the first host and establishing a record which is at least indicative of identities of hosts to which the gateway has allowed the first host to send data; and
  
  controlling the gateway to limit the sending of data from the first host to other hosts within the network over the course of a first time interval, so that during the first time interval the first host is allowed to send data to no more than a predetermined number, greater than zero, of hosts not in the record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Williamson, Matthew Murray, Brawn, John Melvin
Primary Examiner(s)
SALL, EL HADJI MALICK

Application Number

US10/457,091
Publication Number

US 20040103159A1
Time in Patent Office

4,551 Days
Field of Search

709/224, 709/225, 709/232, 709/206, 726/13, 726/27, 726/31, 726/22, 726/24
US Class Current

1/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/145 the attack involving the pr...

Propagation of viruses through an information technology network

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Propagation of viruses through an information technology network

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links