US2008263668A1PendingUtilityA1

Automatic Client Responses To Worm Or Hacker Attacks

53
Assignee: IBMPriority: Dec 17, 2002Filed: Jul 8, 2008Published: Oct 23, 2008
Est. expiryDec 17, 2022(expired)· nominal 20-yr term from priority
H04L 63/145G06F 21/554
53
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration.

Claims

exact text as granted — not AI-modified
1 - 11 . (canceled) 
   
   
       12 . A computer program stored on a storage medium for storing computer executable management agent program code, capable of invoking an automatic client response to worm and hacker attacks within a local area network, comprising:
 program code means for evaluating a notification of a worm or hacker attack, wherein the code means for evaluating the notification is based at least in part b factors selected from the group of:
 a criticality of the applications running on the evaluating device; 
 vulnerability of the applications running on the individual device to a given type of attack; 
 connectivity of the device to the network and other individual devices; and 
 the operating system of the individual network device; 
   program code means for selecting an automatic client response to reduce the vulnerability of the network device to the worm or hacker attack, wherein the code means for selecting one or more automatic client responses include program code means selected from:
 program code means for notifying of network administration; 
 program code means for immediately shutting down said device; 
 program code means for staged shutdown of said device; 
 program code means for shutdown of selected services running on said device; 
 program code means for updating anti-virus software on said device; 
 program code means for activation of anti-virus software; and 
 program code means for selective handling of data sent from an address of a network device identified as compromised; 
   code means for selective handling of data sent from an address of the network device identified as compromised includes code means selected from:
 code means for removing data sent from the address of the device identified as compromised; 
 code means for quarantining data sent from the address of the device identified as compromised; and 
 code means for filtering data sent from the address of the device identified as compromised; and 
   program code means for executing selected automatic responses by the network device.   
   
   
       13 . The computer program product of  claim 12 , wherein the notification information to be evaluated by the program code contains information selected from:
 at least one network address of a system on the network suspected of being compromised;   an identification of specific software associated with the attack; and   a list of vulnerable applications and operating systems.   
   
   
       14 . (canceled) 
   
   
       15 . (canceled) 
   
   
       16 . The computer program product of  claim 15 , wherein the program code means for selecting executes automatically based on rules input by network administration during a setup process. 
   
   
       17 . The computer program product of  claim 12 , further comprising program code means for updating of anti-virus software by a request to a server on the network, on which network anti-virus software for updated virus definitions resides. 
   
   
       18 . (canceled) 
   
   
       19 . The computer program product of  claim 12 , wherein the code means for executing selected responses executes immediately upon selection. 
   
   
       20 . A computer network, comprising one or more network devices wherein at least one of said network devices, comprises:
 means for evaluating attack notification information received from another device on the network, wherein the network device evaluates the notification based at least in part on factors selected from:
 a criticality of the applications running on the evaluating device; 
 vulnerability of the applications running on the individual device to a given type of attack; 
 connectivity of the device to the network and other individual devices; and 
 the operating system of the individual network device; 
   means for selecting an automatic client response to reduce or eliminate the device's vulnerability to the attack, wherein the automatic responses selected by the network device comprise actions selected from the group comprising:
 notifying network administration; 
 immediately shutting down said device; 
 stated shutdown of said device; 
 shutdown of selected services running on said device; 
 updating of anti-virus software; 
 activation of anti-virus software; and 
 selective handling of data sent from an address associated with the network device identified as compromised; 
   selective handling by the network device of data sent from the address of the network device identified as compromised is an action selected from a list comprised of:
 removing data sent from the address of the device identified as compromised; 
 quarantining data sent from the address of the device identified as compromised; and 
 filtering data sent from the address of the device identified as compromised; and 
   means for executing the selected automatic response.   
   
   
       21 . The computer network of  claim 20  wherein the notification information to be evaluated by at least one device on the network contains information selected from:
 at least one network addresses of a system on the network suspected of being compromised;   an identification of the specific worm software; and   a list of vulnerable applications and operating systems.   
   
   
       22 . (canceled) 
   
   
       24 . (canceled) 
   
   
       25 . The computer network of  claim 20 , wherein the network device selects a response automatically based on rules input by network administration during a setup process. 
   
   
       26 . The computer network of  claim 20 , wherein the network device updates anti-virus software by a request to another device on the network, such as a server, on which may reside network anti-virus software for updated virus definitions. 
   
   
       27 . The computer network of  claim 20 , wherein the network device updates anti-virus software by a request to a device outside of the local area network on which resides updated virus definitions and anti-virus software. 
   
   
       28 . (canceled)

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.