Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
Abstract
A system ( 126 - 129 ) detects transmission of potentially malicious packets. The system ( 126 - 129 ) receives packets and generates hash values corresponding to each of the packets. The system ( 126 - 129 ) may then compare the generated hash values to hash values corresponding to prior packets. The system ( 126 - 129 ) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system ( 126 - 129 ) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system ( 126 - 129 ) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets. The system ( 126 - 129 ) may then identify the potentially malicious packet as one of the previously-received packets when one or more of the generated hash values match the hash value corresponding to the one previously-received packet.
Claims
exact text as granted — not AI-modified1 . A method for detecting transmission of malicious packets, comprising:
receiving a plurality of packets; generating hash values corresponding to the packets; comparing the generated hash values to hash values corresponding to prior packets; and determining that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet.
2 . The method of claim 1 , wherein the generating hash values includes:
hashing a payload field in each of the packets to generate the hash values.
3 . The method of claim 2 , wherein the hashing a payload field includes:
hashing successive fixed-sized blocks in the payload field in each of the packets.
4 . The method of claim 1 , further comprising:
storing a plurality of hash values corresponding to known malicious packets.
5 . The method of claim 4 , further comprising:
comparing the generated hash values to the hash values corresponding to the known malicious packets; and declaring that one of the packets is a malicious packet when one or more of the generated hash values corresponding to the one packet matches one or more of the hash values corresponding to the known malicious packets.
6 . The method of claim 5 , further comprising:
taking remedial action when the one packet is declared a malicious packet.
7 . The method of claim 6 , wherein the taking remedial action includes at least one of:
raising a warning, delaying transmission of the one packet, requiring human examination of the one packet, dropping the one packet, dropping other packets originating from a same address as the one packet, sending a Transmission Control Protocol (TCP) close message to a sender of the one packet, disconnecting a link on which the one packet was received, and corrupting the one packet
8 . The method of claim 1 , further comprising:
determining whether more than a predefined number of the prior packets with the matching hash value was received.
9 . The method of claim 8 , wherein the determining that one of the packets is a potentially malicious packet includes:
identifying the one packet as a potentially malicious packet when more than the predefined number of the prior packets was received within the predetermined amount of time of the one packet.
10 . The method of claim 8 , further comprising:
recording the generated hash value corresponding to the one packet when no more than the predefined number of the prior packets was received.
11 . The method of claim 1 , wherein the potentially malicious packet is associated with one of a virus and a worm.
12 . The method of claim 1 , further comprising:
taking remedial action when the one packet is determined to be a potentially malicious packet.
13 . The method of claim 12 , wherein the taking remedial action includes at least one of:
raising a warning, delaying transmission of the one packet, requiring human examination of the one packet, dropping the one packet, dropping other packets originating from a same address as the one packet, sending a Transmission Control Protocol (TCP) close message to a sender of the one packet, disconnecting a link on which the one packet was received, and corrupting the one packet.
14 . The method of claim 12 , wherein the taking remedial action includes at least one of:
determining a probability value associated with whether the one packet is a potentially malicious packet, and performing a remedial action when the probability value is above a threshold.
15 . The method of claim 1 , further comprising:
comparing a source address associated with the one packet to addresses of legitimate replicators, and determining that the one packet is not malicious when the source address matches one of the addresses of legitimate replicators.
16 . A system for hampering transmission of a potentially malicious packet, comprising:
means for receiving a packet; means for generating one or more hash values from the packet; means for comparing the generated one or more hash values to hash values corresponding to prior packets; means for determining that the packet is a potentially malicious packet when the generated one or more hash values match one or more of the hash values corresponding to at least one of the prior packets and the at least one of the prior packets was received within a predetermined amount of time of the packet; and means for hampering transmission of the packet when the packet is determined to be a potentially malicious packet.
17 . A system for detecting transmission of potentially malicious packets, comprising:
a plurality of input ports configured to receive a plurality of packets; a plurality of output ports configured to transmit the packets; a hash processor configured to:
observe each of the packets received at the input ports,
generate hash values corresponding to the packets,
compare the generated hash values to hash values corresponding to previous packets, and
determine that one of the packets is a potentially malicious packet when one or more of the generated hash values corresponding to the one packet matches one or more of the hash values corresponding to one of the previous packets and the one previous packet was received within a predetermined amount of time of the one packet.
18 . The system of claim 17 , wherein when generating hash values, the hash processor is configured to hash a payload field in each of the packets.
19 . The system of claim 18 , wherein when hashing the payload field, the hash processor is configured to hash successive fixed-sized blocks in the payload field in each of the packets.
20 . The system of claim 17 , further comprising:
a hash memory configured to store a plurality of hash values corresponding to known malicious packets.Join the waitlist — get patent alerts
Track US2009158435A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.