Virus epidemic damage control system and method for network environment

US 20030115483A1
Filed: 07/22/2002
Published: 06/19/2003
Est. Priority Date: 12/04/2001
Status: Active Grant

First Claim

Patent Images

1. A computer virus damage control method in a network system having a plurality of device, the said method comprising the steps of:

(a1) detecting traffic flow in said device nodes;

(a2) determining a neighborhood having unpredicted traffic flow from said device nodes;

(a3) designating those of said device nodes having unpredicted traffic flow as abnormal device nodes and those of said device nodes having predicted traffic flow as normal device nodes;

(a4) detecting traffic flow of said abnormal device nodes for a predetermined time interval;

(a5) partially isolating a segment including said abnormal device nodes;

(a6) reducing the size of said isolated segment therein by rejecting any normal device nodes (a7) transferring an antivirus task into said isolated segment for pinpointing a computer virus; and

(a8) eradicating said virus using said antivirus task.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing damage control caused by a virus epidemic in a network environment are advantageously provided according to the intention. The system according to a preferred embedment of the invention effectively and rapidly distributes antivirus protection and cure measures within the network so as to reduce the level of damage during the virus epidemic. The method according to the invention contains the spread of a computer virus in a network system by detecting the traffic flow and analyzing the identical sections in files modified in a short time period. The network system accordingly includes a management server, a management information database (MIB) having a plurality of tasks for performing work in the network system, and a plurality of device node. Each network task corresponds to an event occurring in the system. Damage control caused by a virus epidemic in a network environment is controlled and level of damage is accordingly reduced.

347 Citations

40 Claims

1. A computer virus damage control method in a network system having a plurality of device, the said method comprising the steps of:
- (a1) detecting traffic flow in said device nodes;
  
  (a2) determining a neighborhood having unpredicted traffic flow from said device nodes;
  
  (a3) designating those of said device nodes having unpredicted traffic flow as abnormal device nodes and those of said device nodes having predicted traffic flow as normal device nodes;
  
  (a4) detecting traffic flow of said abnormal device nodes for a predetermined time interval;
  
  (a5) partially isolating a segment including said abnormal device nodes;
  
  (a6) reducing the size of said isolated segment therein by rejecting any normal device nodes (a7) transferring an antivirus task into said isolated segment for pinpointing a computer virus; and
  
  (a8) eradicating said virus using said antivirus task.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 further comprising the step of determining said traffic flow by volume of said traffic flow.
  - 3. The method of claim 1, wherein said traffic flow is abnormal if volume of said unpredicted traffic flow is larger than volume of said predicted traffic flow with a predetermined value for a predetermined time period.
  - 4. The method of claim 1 further comprising the steps of:
    - analyzing a format of said traffic flow; and
      
      designating said traffic flow as abnormal if said format does not conform with predetermined formats.
  - 5. The method of claim 1 further comprising the a step of mapping predetermined patterns to said traffic flow.
  - 6. The method of claim 1 further comprising the step of assigning at least one listening device in said network system for deterring said traffic flow.
  - 7. The method of claim 1 further comprising the step of dividing said device nodes into a plurality of divided segments.
  - 8. The method of claim 7 further comprising the step of designating a task leader in one of said divided segments including said abnormal device nodes wherein said task leader executes work originally performed by a management server in said network system.
  - 9. The method of claim 8 wherein said task leader executes work assigned by said management server.
  - 10. The method of claim 9 wherein said management server transfers tasks to said task leader.
  - 11. The method of claim 10 wherein each of said tasks is formed by a plurality of cures each designating at least one instruction to be executed.
  - 12. The method of claim 10 wherein a task is dynamically formed in response to a breakout virus and an alert of a non-breakout virus.
  - 13. The method of claim 10 wherein at least one of said tasks is a security task for assuring security of communication channels between said management server and said device nodes.
  - 14. The method of claim 11 wherein said tasks and said cures are transferred from a task provider connected to said management server.
  - 15. The method of claim 1 further comprising the step of locating at least one listening device in said abnormal device nodes.
  - 16. The method of claim 6, further comprising the step of locating said listening device in said isolated segment.
  - 17. The method of claim 1 further comprising the step of reporting said detected traffic flow of said abnormal device nodes to a management server in said network system.
  - 18. The method of claim 1 wherein instructions from and results assigned by a management server in said network system are excluded in said isolated segment.
  - 19. The method of claim 1 further comprising the step of de-isolating said isolated segment after said virus is eradicated.
  - 20. The method of claim 1 wherein said network system comprises a local area network (LAN), mobile network, wired and wireless communications network.

21. A computer virus damage control method in a network system having a plurality of device nodes, the method comprising the steps of:
- (b1) finding a file having been modified in a predetermined time interval;
  
  (b2) determining first modified sections of said modified file, (b3) finding a second file having been modified in said predetermined time interval;
  
  (b4) determining second modified sections in said second file;
  
  (b5) comparing said first modified file and said second modified file;
  
  (b6) repeating steps (b3), (b4) and (b5) for other files being modified in said predetermined time period;
  
  (b7) reporting to a management server in said network system that no virus is found when all said modified sections from said modified files are not identical nor similar;
  
  (b8) reporting to a management server that a computer virus attack is possibly initiated when a specific number of said modified sections from said modified files are generally identical or similar;
  
  (b9) quarantining an area containing those of said device nodes having files with said modified sections; and
  
  (b10) transferring an antivirus task into said quarantined area for finding a computer virus and eradicating said virus.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21, further comprising the step of de-isolating said quarantined area after said virus is eradicated.
  - 23. The method of claim 21 further comprising the step of designating a task leader in wherein said task leader executes work originally performed by said management server.
  - 24. The method of claim 23, wherein said task leader executes works assigned by said management server.
  - 25. The method of claim 23, wherein said management server transfers tasks to said task leader.
  - 26. The method of claim 21 further comprising the step of providing a plurality of tasks for performing work in said network system.
  - 27. The method of claim 26, wherein each of said tasks is formed by a plurality of cures each designating at least one instruction.
  - 28. The method of claim 26, wherein at least one of said tasks is a security task for assuring security of communication channels between said management server and said device nodes.
  - 29. The method of claim 26, wherein each of said tasks is formed by a plurality of cures which are instruction sets to be performed in selected ones of said device nodes.
  - 30. The method of claim 29, wherein said tasks and said cures are transferred from a task provider connected to said management server.

31. A network system comprising:
- a management server connected to a plurality of device nodes;
  
  a management information database (MIB) connected to said management server;
  
  a task database in said MIB recording a plurality of tasks capable of being performed in said network system;
  
  a cure database stored in said MIB recording a plurality of cures for forming said tasks, an area of said device nodes isolated for having unpredicted traffic flow; and
  
  an antivirus task transformed into said isolated area for pinpointing a computer virus and eradicating said virus.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31 wherein said management server designates a task leader in said isolated area wherein said task leader executes work originally performed by said management server.
  - 33. The system of claim 32 wherein said task leader is dynamically designated in a task executing period.
  - 34. The system of claim 33 wherein said task leader designates a sub-task leader in said task executing period.
  - 35. The system of claim 31, wherein said tasks further comprise executing tasks and control tasks corresponding to said executing tasks, wherein said control tasks are stored in said task leaders executing management work for said device nodes;
    - wherein said executing tasks are sent to said task leader and device nodes for performing said executing tasks based on corresponding cures formed therein.
  - 36. The system of claim 31 wherein said cures further comprise control cures and executing cures wherein said control cures are contained in a control task for controlling said device nodes in a task coverage corresponding to said task leader and said executing cures define actions being performed by said device nodes.
  - 37. The system of claim 31 further comprising a task provider which provides tasks and cures not included in said MIB to said management server.
  - 38. The system of claim 37 wherein said management server stores said task and said cures from said task provider in said MIB.
  - 39. The system of claim 31 wherein each of said device nodes further comprises has an agent for performing work from said management server.
  - 40. The system of claim 39 wherein each of said device further comprises an agent MIB corresponding to said agent of each of said device node for storing said work performed by said agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Liang, Yung Chang

Granted Patent

US 7,062,553 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Virus epidemic damage control system and method for network environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

347 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Virus epidemic damage control system and method for network environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

347 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links