Email-based worm propagation properties

Abstract
A system, method and computer program product for email-based worm detection and mitigation are disclosed. The system, method, and computer program product are configured to identify a signature representing content prevalent in email-based network traffic, generate a client list for the identified signature, determine if a number of clients included in the client list exceeds a threshold, and generate a worm signature based on the signature if the number of clients included in the client list exceeds the threshold.
Description

DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a network including anomaly detection.
FIG. 2A is a block diagram depicting exemplary details of a worm detection system.
FIG. 2B is a block diagram depicting exemplary details of a worm signature distribution system.
FIG. 3 is a block diagram depicting an aggregator.
FIG. 4 is a flow chart of a mitigation process.
FIG. 5 is a flow chart of a worm detection and signature generation process.
FIG. 6 is a flow chart of a worm signature distribution process.
FIG. 7 is a block diagram of traffic attributes.
FIG. 8 is a flow chart of a worm detection process.
FIG. 9 is a flow chart of a signature detection process.
FIG. 10 is a flow chart of an anomaly detection process.
FIG. 11 is a flow chart of a tree generation process.
FIG. 12 is a flow chart of a connectedness determination process.
FIG. 13 is a flow chart of a signature consolidation process.
FIG. 14 is a block diagram of email traffic attributes.
FIG. 15 is a flow chart of an email-based worm detection process.
FIG. 16 is a flow chart of a signature detection process.
FIG. 17 is a flow chart of an anomaly detection process.
FIG. 18 is a flow chart of a signature consolidation process.

Claims
  • 1. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to: identify a signature representing content prevalent in email-based network traffic; generate a client list for the identified signature; determine if a number of clients included in the client list exceeds a threshold; and generate a worm signature based on the identified signature if the number of clients included in the client list exceeds the threshold.
  • 2. The computer program product of claim 1 wherein the instructions to identify a signature representing content prevalent in email traffic comprise instructions to: receive packet payload data; and analyze the packet payload data to identify recurring sets of bits.
  • 3. The computer program product of claim 2 wherein the instructions to analyze the packet payload data to identify recurring sets of bits comprise instructions to: extract a plurality of sets of bits having a predetermined length; compute a hash of each of the plurality of sets of bits; and count the number of times a particular hash value occurs during a period of time.
  • 4. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: clear the client list for the identified signature after a predetermined length of time.
  • 5. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: determine if the email-based network traffic comprises traffic from an external client; and if the email-based network traffic comprises traffic from an external client, exclude the external client from the client list.
  • 6. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: determine if the email-based network traffic comprises traffic from a mail server; and if the email-based network traffic comprises traffic from the mail server, exclude the mail server from the client list.
  • 7. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: determine if the email-based network traffic comprises traffic from an automated mail application; and if the email-based network traffic comprises traffic from the automated mail application, exclude the automated mail application from the client list.
  • 8. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: determine if an average frequency exceeds a frequency threshold; and generate a worm signature if the average frequency exceeds the frequency threshold.
  • 9. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: determine if an average number of distinct servers contacted exceeds a number of servers threshold; and generate a worm signature if the number of distinct servers contacted exceeds the number of servers threshold.
  • 10. The computer program product of claim 1 wherein the computer program product further comprises instructions for causing a processor to: detect exploit-based worms.
  • 11. The computer program product of claim 10 wherein the instructions for causing a processor to detect exploit-based worms comprise instructions for causing a processor to: identify a signature representing content prevalent in network traffic; determine if the traffic including the identified signature exhibits propagation; determine if the traffic including the identified signature exhibits connectedness; and generate a worm signature based on the identified signature if the signature exhibits both connectedness and propagation.
  • 12. A method comprising: identifying a signature representing content prevalent in email-based network traffic; generating a client list for the identified signature; determining if a number of clients included in the client list exceeds a threshold; and generating a worm signature based on the identified signature if the number of clients included in the client list exceeds the threshold.
  • 13. The method of claim 12, wherein identifying a signature representing content prevalent in email traffic comprises: receiving packet payload data; and analyzing the packet payload data to identify recurring sets of bits; extracting a plurality of sets of bits having a predetermined length; computing a hash of each of the plurality of sets of bits; and counting the number of times a particular hash value occurs during a period of time.
  • 14. The method of claim 12, further comprising clearing the client list for the identified signature after a predetermined length of time.
  • 15. The method of claim 12, further comprising: determining if the email-based network traffic comprises traffic from an external client; and if the email-based network traffic comprises traffic from an external client, excluding the external client from the client list.
  • 16. The method of claim 12, further comprising: determining if the email-based network traffic comprises traffic from a mail server; and if the email-based network traffic comprises traffic from the mail server, excluding the mail server from the client list.
  • 17. The method of claim 12, further comprising: determining if the email-based network traffic comprises traffic from an automated mail application; and if the email-based network traffic comprises traffic from the automated mail application, excluding the automated mail application from the client list.
  • 18. The method of claim 12, further comprising: determining if an average frequency exceeds a frequency threshold; and generating a worm signature if the average frequency exceeds the frequency threshold.
  • 19. The method of claim 12, further comprising: determining if an average number of distinct servers contacted exceeds a number of servers threshold; and generating a worm signature if the number of distinct servers contacted exceeds the number of servers threshold.
  • 20. The method of claim 12, further comprising: detecting exploit-based worms.
  • 21. An intrusion detection system, comprising: a profiler configured to: identify a signature representing content prevalent in email-based network traffic; generate a client list for the identified signature; determine if a number of clients included in the client list exceeds a threshold; and generate a worm signature based on the identified signature if the number of clients included in the client list exceeds the threshold.
  • 22. The system of claim 21 wherein the profiler is further configured to: receive packet payload data; analyze the packet payload data to identify recurring sets of bits; extract a plurality of sets of bits having a predetermined length; compute a hash of each of the plurality of sets of bits; and count the number of times a particular hash value occurs during a period of time.
  • 23. The system of claim 21 wherein the profiler is further configured to: determine if the email-based network traffic comprises traffic from an external client; and if the email-based network traffic comprises traffic from an external client, exclude the external client from the client list.
  • 24. The system of claim 21 wherein the profiler is further configured to: determine if the email-based network traffic comprises traffic from a mail server; and if the email-based network traffic comprises traffic from the mail server, exclude the mail server from the client list.
  • 25. The system of claim 21 wherein the profiler is further configured to: determine if the email-based network traffic comprises traffic from an automated mail application; and if the email-based network traffic comprises traffic from the automated mail application, exclude the automated mail application from the client list.
  • 26. The system of claim 21 wherein the profiler is further configured to: determine if an average frequency exceeds a frequency threshold; and generate a worm signature if the average frequency exceeds the frequency threshold.
  • 27. The system of claim 21 wherein the profiler is further configured to: determine if an average number of distinct servers contacted exceeds a number of servers threshold; and generate a worm signature if the number of distinct servers contacted exceeds the number of servers threshold.
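The claims describe the detection pipeline only in prose; the Python below is an added example, not code from the patent, that runs it over a constructed period of SMTP records: fixed-length byte windows are hashed and counted (claim 3), each prevalent hash gets a client list from which external hosts, the mail server and automated mailers are excluded (claims 5-7), and a worm signature is emitted when that list exceeds the threshold (claim 1) together with the average number of distinct servers its senders contacted (claim 9). The window length, thresholds, addresses and message bodies are all assumptions.

```python
import hashlib
from collections import defaultdict

# Assumed parameters and addresses for this example, not values from the patent.
WINDOW = 16            # length of each extracted set of bits (claim 3)
PREVALENCE = 3         # occurrences per period for a hash to count as prevalent
CLIENT_THRESHOLD = 2   # worm signature once more than this many clients send it (claim 1)
MAIL_SERVERS = {"10.0.0.25"}       # excluded from client lists (claim 6)
AUTOMATED_MAILERS = {"10.0.0.30"}  # excluded from client lists (claim 7)

def is_excluded(client):
    """Claims 5-7: external hosts (here anything outside 10.0.0.0/8),
    mail servers and automated mailers never join a client list."""
    return (not client.startswith("10.") or client in MAIL_SERVERS
            or client in AUTOMATED_MAILERS)

def detect_worm_signatures(records, client_threshold=CLIENT_THRESHOLD):
    """records: (client_ip, server_ip, smtp_payload_bytes) tuples from one period.
    Returns {window_bytes: (sorted client list, avg distinct servers contacted)}
    for each prevalent signature whose client list exceeds the threshold."""
    counts = defaultdict(int)    # hash -> occurrences in the period (claim 3)
    clients = defaultdict(set)   # hash -> client list (claim 1)
    servers = defaultdict(set)   # client -> distinct servers contacted (claim 9)
    sample = {}                  # hash -> the bytes it was computed from
    for client, server, payload in records:
        servers[client].add(server)
        for i in range(len(payload) - WINDOW + 1):
            w = payload[i:i + WINDOW]
            h = hashlib.sha256(w).digest()
            counts[h] += 1
            sample[h] = w
            if not is_excluded(client):
                clients[h].add(client)
    flagged = {}
    for h, n in counts.items():
        if n < PREVALENCE or len(clients[h]) <= client_threshold:
            continue
        cl = sorted(clients[h])
        avg_servers = sum(len(servers[c]) for c in cl) / len(cl)
        flagged[sample[h]] = (cl, avg_servers)
    return flagged

# Constructed period: one body sent by three internal hosts and relayed once by
# the mail server, plus an ordinary message from two hosts (stays below threshold).
WORM = b"Subject: check this out\r\n\r\nOpen the attached file photo.jpg.exe"
LUNCH = b"Subject: lunch?\r\n\r\nNoon works for me."
TRAFFIC = [
    ("10.0.1.5", "10.0.0.25", WORM), ("10.0.1.6", "10.0.0.25", WORM),
    ("10.0.1.7", "198.51.100.9", WORM), ("10.0.0.25", "203.0.113.4", WORM),
    ("10.0.1.5", "10.0.0.25", LUNCH), ("10.0.1.8", "10.0.0.25", LUNCH),
]
```

Every flagged window is a slice of the worm body sent by the three internal hosts; the relay by 10.0.0.25 raises the prevalence count but never the client count, and the ordinary message stays below both thresholds.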