System and method to emulate mobile logic in a communication system

US 7,814,550 B2
Filed: 10/26/2004
Issued: 10/12/2010
Est. Priority Date: 10/26/2004
Status: Active Grant

First Claim

Patent Images

1. A system to emulate a worm, comprising:

a first host that provides a test description, wherein said test description defines one or more emulated worms, and propagation characteristics of said emulated worms, said test description being a non-executable specification;

one or more participating hosts in a network that have previously agreed to participate in a test of said emulated worms, and that receive said test description, wherein said participating hosts generate said emulated worms according to said test description, said participating hosts having been pre-loaded with client software required to participate in said test; and

one or more virtual vulnerable services in each of said participating hosts that operate according to said client software during said test to thereby generate and propagate messages over said network according to said test description, said virtual vulnerable services representing services in said participating hosts affected by said emulated worms, said messages transmitted by said emulated worms and acting to propagate said emulated worms to other participating hosts according to said test description, such that operation of said participating hosts during said test in response to said emulated worms is defined according to said test description, wherein operation of a non-participating host would not be defined by said test description when said non-participating host is not executing said client software upon receipt of messages from said emulated worms.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes hosts that may be infected with mobile logic. One type of mobile logic is a worm, which can be a process that is capable of causing a (possibly evolved) copy of itself to execute on one or more hosts of the system. An infected host of the system can infect other hosts based on criteria, such as targeting, visibility, vulnerability, or infectability of the other hosts. A worm can be represented as a Turing Machine whose state can be determined using computational methods. A worm can be emulated in the system to determine worm detection capabilities of the system. Emulating the worm can allow the system to be tested with less negative impact than using the actual worm.

Citations

41 Claims

1. A system to emulate a worm, comprising:
- a first host that provides a test description, wherein said test description defines one or more emulated worms, and propagation characteristics of said emulated worms, said test description being a non-executable specification;
  
  one or more participating hosts in a network that have previously agreed to participate in a test of said emulated worms, and that receive said test description, wherein said participating hosts generate said emulated worms according to said test description, said participating hosts having been pre-loaded with client software required to participate in said test; and
  
  one or more virtual vulnerable services in each of said participating hosts that operate according to said client software during said test to thereby generate and propagate messages over said network according to said test description, said virtual vulnerable services representing services in said participating hosts affected by said emulated worms, said messages transmitted by said emulated worms and acting to propagate said emulated worms to other participating hosts according to said test description, such that operation of said participating hosts during said test in response to said emulated worms is defined according to said test description, wherein operation of a non-participating host would not be defined by said test description when said non-participating host is not executing said client software upon receipt of messages from said emulated worms.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, further comprising one or more control servers, wherein said control servers are configured to limit propagation of said messages in response to an input from said first host or said participating hosts if impact of said emulated worms on said participating hosts exceeds a threshold.
  - 3. The system of claim 1, wherein said messages are transmitted to and received at ports associated with said participating hosts or said first host.
  - 4. The system of claim 1, wherein each virtual vulnerable service is associated with one or more of said emulated worms.
  - 5. The system of claim 1, wherein each virtual vulnerable service is based on said test description.
  - 6. The system of claim 1, wherein each virtual vulnerable service receives messages from any one of said participating hosts.
  - 7. The system of claim 1, wherein said emulated worms are initiated by said virtual vulnerable services.
  - 8. The system of claim 1, wherein said emulated worms are initiated based on said test description at a test initialization time.
  - 9. The system of claim 1, wherein a first virtual vulnerable service in a first participating host receives a message from a first emulated worm residing in a second participating host, wherein in response to said message, said first virtual vulnerable service generates a second emulated worm in said first participating host, wherein said second emulated worm transmits messages to one or more virtual vulnerable services in one or more participating hosts.
  - 10. The system of claim 1, wherein a first virtual vulnerable service in a first participating host receives a message from a first emulated worm residing in a second participating host, wherein in response to said message, said first virtual vulnerable service generates a second emulated worm in said first participating host, wherein said second emulated worm transmits messages to a third virtual vulnerable service in a third participating host.
  - 11. The system of claim 10, wherein said second emulated worm stops transmitting messages in response to receiving a command from a control server associated with said first participating host.
  - 12. The system of claim 10, wherein said second emulated worm stops transmitting messages in response to a lapse of a predetermined amount of time.
  - 13. The system of claim 1, wherein said first host receives information relating at least to propagation of said messages and said emulated worms from said participating hosts.
  - 14. The system of claim 1, wherein said messages are to be transmitted at a frequency or byte rate no greater than a threshold number.

15. A method of emulating a worm in a system, comprising:
- providing, using a first host, a test description to one or more participating hosts in a network, wherein said test description defines one or more emulated worms, and propagation characteristics of said emulated worms, said test description being a non-executable specification;
  
  generating said emulated worms based on said test description at said participating hosts, said participating hosts having previously agreed to participate in a test of said emulated worms, said participating hosts having been pre-loaded with client software required to participate in said test; and
  
  instantiating one or more virtual vulnerable services based on said test description at each of said participating hosts that operate according to said client software during said test to thereby generate and propagate messages over the network according to said test description, said virtual vulnerable services representing services in said participating hosts affected by said emulated worms, said messages transmitted by said emulated worms and acting to propagate said emulated worms to other participating hosts according to said test description, such that operation of said participating hosts during said test in response to said emulated worms is defined according to said test description, wherein operation of a non-participating host would not be defined by said test description when said non-participating host is not executing said client software upon receipt of messages from said emulated worms.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 16. The method of claim 15, further comprising transmitting or receiving said messages at one or more ports associated with said participating hosts.
  - 17. The method of claim 15, further comprising controlling propagation of said messages in response to an input from said first host a or said participating hosts if impact of said emulated worms on said participating hosts exceeds a threshold.
  - 18. The method of claim 17, wherein said controlling step includes stopping transmission of said messages after a predetermined amount of time.
  - 19. The method of claim 15, further comprising receiving said messages at each virtual vulnerable service from any one of said participating hosts or said first host.
  - 20. The method of claim 15, further comprising initiating an emulated worm using each virtual vulnerable service.
  - 21. The method of claim 15, further comprising receiving a message at a first virtual vulnerable service in a first participatinghost from a first emulated worm residing in a second participating host and generating a second emulated worm in said first participating host.
  - 22. The method of claim 21, further comprising transmitting messages to one or more virtual vulnerable services in one or more participating hosts.
  - 23. The method of claim 21, further comprising transmitting messages to a third virtual vulnerable service in a third participating host by said second emulated worm.
  - 24. The method of claim 23, further comprising stopping transmission of said messages in response to a command from a control server associated with said first participating host.
  - 25. The method of claim 23, further comprising stopping transmission of said messages after a lapse of a predetermined amount of time.
  - 26. The method of claim 23, further comprising stopping transmission of said messages based on an input at said participating hosts from a user.
  - 27. The method of claim 15, further comprising receiving information related at least to propagation of said messages from said participating hosts.
  - 28. The method of claim 15, further comprising limiting a frequency at which said one or more messages are transmitted by each emulated worm to a threshold number.
  - 29. The method of claim 15, further comprising limiting bandwidth used by said one or more messages transmitted by each emulated worm to a threshold number.

30. An article of manufacture storing a non-transitory computer-usable medium having instructions stored thereon that, when executed by a computing device, cause said computing device to perform operations comprising:
- providing, using a first host, a test description to one or more participating hosts in a network, wherein said test description defines one or more emulated worms, and propagation characteristics of said emulated worms, said test description being a non-executable specification;
  
  generating said emulated worms based on said test description at said participating hosts, said participating hosts having previously agreed to participate in a test of said emulated worms, said participating hosts having been pre-loaded with client software required to participate in said test; and
  
  instantiating one or more virtual vulnerable services based on said test description at each of said participating hosts that operate according to said client software during said test to thereby generate and propagate messages over the network according to said test description, said virtual vulnerable services representing services in said participating hosts affected by said emulated worms, said messages transmitted by said emulated worms and acting to propagate said emulated worms to other participating hosts according to said test description, such that operation of said participating hosts during said test in response to said emulated worms is defined according to said test description, wherein operation of a non-participating host would not be defined by said test description when said non-participating host is not executing said client software upon receipt of messages from said emulated worms.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 31. The article of manufacture of claim 30, said operations further comprising:
    - transmitting or receiving said messages at one or more ports associated with said participating hosts.
  - 32. The article of manufacture of claim 31, said operations further comprising:
    - limiting a frequency at which said messages are transmitted at any one of said ports to no greater than a threshold number.
  - 33. The article of manufacture of claim 31, said operations further comprising:
    - limiting bandwidth used by said messages transmitted at any one of said ports to no greater than a threshold number.
  - 34. The article of manufacture of claim 30, said operations further comprising:
    - receiving said messages from said participating hosts or said first host at said virtual vulnerable services.
  - 35. The article of manufacture of claim 30, said operations further comprising:
    - initiating an emulated worm using each virtual vulnerable service.
  - 36. The article of manufacture of claim 30, said operations further comprising:
    - receiving a message from a first emulated worm residing in a second participating host, wherein in response to said message, said first virtual vulnerable generates a second emulated worm in a first participating host, wherein said second emulated worm transmits messages to one or more virtual vulnerable services in a plurality of participating hosts.
  - 37. The article of manufacture of claim 36, said operations further comprising:
    - stopping said second emulated worm from transmitting said messages in response to receiving a command from a control server associated with said first participating host.
  - 38. The article of manufacture of claim 36, said operations further comprising:
    - stopping said second emulated worm from transmitting said messages in response to a lapse of a predetermined amount of time.
  - 39. The article of manufacture of claim 30, said operations further comprising:
    - receiving a message from a first emulated worm residing in a second participating host, wherein in response to said message, said first virtual vulnerable generates a second emulated worm in a first participating host, wherein said second emulated transmits messages to a third virtual vulnerable service in a participating third host.
  - 40. The article of manufacture of claim 30, said operations further comprising:
    - receiving information relating to propagation of said messages or said emulated worms from said participating hosts.
  - 41. The article of manufacture of claim 30, said operations further comprising:
    - limiting propagation of said messages in response to an input from said first host or said hosts if impact of said emulated worms on said participating hosts exceeds a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
Ellis, Daniel R.
Primary Examiner(s)
Smithers, Matthew B
Assistant Examiner(s)
Khoshnoodi, Nadia

Application Number

US10/972,785
Publication Number

US 20060090205A1
Time in Patent Office

2,177 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method to emulate mobile logic in a communication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to emulate mobile logic in a communication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links