US2013014261A1PendingUtilityA1

Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses

56
Assignee: STRAGENT LLCPriority: Jun 19, 2000Filed: Sep 14, 2012Published: Jan 10, 2013
Est. expiryJun 19, 2020(expired)· nominal 20-yr term from priority
H04L 51/212H04L 63/145G06F 21/562
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system ( 200 ) detects transmission of potentially malicious packets. The system ( 200 ) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system ( 200 ) then compares the generated hash values to hash values associated with prior packets. The system ( 200 ) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Claims

exact text as granted — not AI-modified
1 . A method for detecting transmission of potentially malicious packets, comprising:
 receiving a plurality of packets;   generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;   comparing the generated hash values to hash values associated with prior packets; and   determining that one of the plurality of packets is a potentially malicious packet when one or more of the generated hash values associated with the one of the plurality of packets match one or more of the hash values associated with the prior packets.   
     
     
         2 . The method of  claim 1 , wherein the generating hash values includes:
 hashing variable-sized blocks in a payload field of the plurality of packets to generate the hash values.   
     
     
         3 . The method of  claim 2 , wherein the hashing variable-sized blocks includes:
 performing a plurality of hashes covering each byte of the payload field.   
     
     
         4 . The method of  claim 2 , wherein the hashing variable-sized blocks includes:
 selecting a first block of a first block size, and   hashing the first block using a plurality of different hash functions.   
     
     
         5 . The method of  claim 4 , wherein the hashing variable-sized blocks further includes:
 selecting a second block of a second block size, and   hashing the second block using the plurality of different hash functions.   
     
     
         6 . The method of  claim 4  wherein the hashing variable-sized blocks includes:
 selecting a plurality of blocks of a plurality of different block sizes, and 
 hashing the blocks using a plurality of different hash functions. 
 
     
     
         7 . The method of  claim 6 , wherein the hashing variable-sized blocks further includes:
 selecting a next plurality of blocks of a next plurality of different block sizes, and   hashing the next plurality of blocks using the plurality of different hash functions.   
     
     
         8 . The method of  claim 1 , further comprising:
 storing a plurality of hash values corresponding to known malicious packets.   
     
     
         9 . The method of  claim 8 , further comprising:
 comparing the generated hash values to the hash values corresponding to the known malicious packets; and   identifying one of the plurality of packets as a potentially malicious packet when one or more generated hash values corresponding to the one of the plurality of packets match one or more of the hash values corresponding to the known malicious packets.   
     
     
         10 . The method of  claim 1 , further comprising:
 determining whether more than a predefined number of the prior packets with the one or more of the hash values was received.   
     
     
         11 . The method of  claim 10 , wherein the determining that one of the plurality of packets is a potentially malicious packet includes:
 identifying the one of the plurality of packets as a potentially malicious packet when more than the predefined number of the prior packets were received within a predetermined amount of time of the one of the plurality of packets.   
     
     
         12 . The method of  claim 1 , wherein the one or more generated hash values corresponding to the one of the plurality of packets include a plurality of generated hash values; and
 wherein the determining that one of the plurality of packets is a potentially malicious packet includes:   identifying the one of the plurality of packets as a potentially malicious packet when at least a predetermined number of the plurality of generated hash values match the hash values associated with the prior packets.   
     
     
         13 . The method of  claim 1 , wherein the potentially malicious packet is associated with one of a polymorphic virus and a polymorphic worm. 
     
     
         14 . The method of  claim 1 , further comprising:
 taking remedial action when the one of the plurality of packets determined to be a potentially malicious packet.   
     
     
         15 . The method of  claim 14 , wherein the taking remedial action includes at least one of:
 raising a warning,   delaying transmission of the one of the plurality of packets,   capturing the one of the plurality of packets for human or automated analysis,   dropping the one of the plurality of packets,   dropping other packets originating from a same address as the one of the plurality of packets,   sending a Transmission Control Protocol (TCP) close message to a sender of the one of the plurality of packets,   disconnecting a link on which the one of the plurality of packets was received,   corrupting the one of the plurality of packets, and   probabilistically dropping or corrupting the one of the plurality of packets.   
     
     
         16 . A system for hampering transmission of potentially malicious packets, comprising:
 means for observing a plurality of packets;   means for generating hash values, as generated hash values, based on variable-sized blocks of the plurality of packets;   means for comparing the generated hash values to hash values corresponding to prior packets;   means for identifying one of the plurality of packets as a potentially malicious packet when the generated hash values corresponding to the one of the plurality of packets match the hash values corresponding to the prior packets; and   means for at least one of hampering transmission of the one of the plurality of packets and capturing a copy of the one of the plurality of packets for analysis when the one of the plurality of packets is identified as a potentially malicious packet.   
     
     
         17 . A device for detecting transmission of malicious packets, comprising:
 a hash memory configured to store information associated with a plurality of hash values corresponding to a plurality of prior packets; and   a hash processor configured to:
 observe a packet, 
 generate one or more hash values, as one or more generated hash values, based on variable-sized blocks of the packet, 
 compare the one or more generated hash values to the hash values corresponding to the plurality of prior packets, and 
 identify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the plurality of prior packets. 
   
     
     
         18 . The device of  claim 17 , wherein when generating one or more hash values, the hash processor is configured to hash variable-sized blocks in a payload field of the packet. 
     
     
         19 . The device of  claim 18 , wherein when hashing variable-sized blocks, the hash processor is configured to perform a plurality of hashes covering each byte of the payload field. 
     
     
         20 . The device of  claim 18 , wherein when hashing variable-sized blocks, the hash processor is configured to:
 select a first block of a first block size, and   hash the first block using a plurality of different hash functions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.