Identifying source of malicious network messages

US 9,455,995 B2
Filed: 10/26/2015
Issued: 09/27/2016
Est. Priority Date: 09/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for identifying a source of malicious network messages, said method comprising steps implemented by a computer of:

responsive to identifying, from a plurality of destination locations having a same internet protocol (IP) address, one destination location subject to malicious messages, identifying a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to said one destination location, wherein identifying said subset comprises;

the computer determining for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, andresponsive to a determination that there are fewer intervening hops for said each source network of said multiplicity of source networks, the computer identifying said each source network as included in said subset, andresponsive to determining there are not fewer intervening hops for said each source network of said multiplicity of source networks, the computer not identifying said each source network as included in said subset, wherein the determining step comprises steps of;

collecting from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations, anddetermining from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations; and

notifying an administrator of said each source network included in said subset.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method and program for identifying a subset of a multiplicity of source networks. The subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same IP address. For each of the multiplicity of source networks, a determination is made whether there are fewer intervening hops from the source network to the one destination location than from the source network to other of the plurality of destination locations. If so, the source network is included in the subset. If not, the source network is not included in the subset. One application of the present invention is to identify a source of a denial of service attack. After the subset is identified, filters can be sequentially applied to block messages from respective source networks in the subset to determine which source network in the subset is sending the messages.

Citations

9 Claims

1. A method for identifying a source of malicious network messages, said method comprising steps implemented by a computer of:
- responsive to identifying, from a plurality of destination locations having a same internet protocol (IP) address, one destination location subject to malicious messages, identifying a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to said one destination location, wherein identifying said subset comprises;
  
  the computer determining for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, andresponsive to a determination that there are fewer intervening hops for said each source network of said multiplicity of source networks, the computer identifying said each source network as included in said subset, andresponsive to determining there are not fewer intervening hops for said each source network of said multiplicity of source networks, the computer not identifying said each source network as included in said subset, wherein the determining step comprises steps of;
  
  collecting from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations, anddetermining from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations; and
  
  notifying an administrator of said each source network included in said subset.
- View Dependent Claims (2, 3)
- - 2. A method as set forth in claim 1 wherein one or more source networks are continuing to send messages to said one destination location, and further comprising the step of sequentially applying filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages.
  - 3. A method as set forth in claim 1 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

4. A system for identifying a source of malicious network messages, said system comprising:
- a CPU, a computer readable memory and a computer readable storage media;
  
  program instructions, responsive to identifying, from a plurality of destination locations having a same internet protocol (IP) address, a destination location subject to malicious messages, to identify a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to said one destination location, wherein said program instructions to identify said subset comprises;
  
  first program instructions to determine for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; and
  
  second program instructions, responsive to a determination that there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to identify said each source network as included in said subset, and responsive to a determination that there are not fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, for not identifying said each source network as included in said subset;
  
  wherein said first program instructions comprises;
  
  program instructions to collect from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations, andprogram instructions to determine from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations; and
  
  program instructions to notify an administrator of said each source network included in said subset; and
  
  whereinthe first and second program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.
- View Dependent Claims (5, 6)
- - 5. A system as set forth in claim 4 wherein one or more source networks are continuing to send messages to said one destination location, and further comprising program instructions to sequentially apply filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages.
  - 6. A system as set forth in claim 4 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

7. A computer program product for identifying a source of malicious network messages, said computer program product comprising:
- a non-transitory computer readable storage medium;
  
  program instructions, responsive to identifying, from a plurality of destination locations having a same internet protocol (IP) address, a destination location subject to malicious messages, to identify a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to said one destination location, wherein said program instructions to identify said subset comprises;
  
  first program instructions to determine for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; and
  
  second program instructions, responsive to a determination that there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to identify said each source network as included in said subset, and responsive to a determination that there are not fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to not identify said each source network as included in said subset;
  
  wherein said first program instructions comprises;
  
  instructions to collect from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations, andinstructions to determine from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations; and
  
  program instructions to notify an administrator of said each source network included in said subset; and
  
  whereinsaid first and second program instructions are stored on said medium.
- View Dependent Claims (8, 9)
- - 8. A computer program product as set forth in claim 7 wherein one or more source networks are continuing to send messages to said one destination location, and further comprising third program instructions to sequentially apply filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages;
    - and wherein said third program instructions are stored on said medium.
  - 9. A computer program product as set forth in claim 7 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Nesbitt, Richard E., O'Connell, Brian M., Pearthree, Herbert D., Vaughan, Kevin E.
Primary Examiner(s)
Schmidt, Kari

Application Number

US14/922,553
Publication Number

US 20160044053A1
Time in Patent Office

337 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2101/668   Internet protocol [IP] addr...

H04L 2463/141   Denial of service attacks a...

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Identifying source of malicious network messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying source of malicious network messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links