Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to network security and, more particularly, to systems and methods for detecting and/or preventing the transmission of malicious packets, such as polymorphic worms and viruses.

2. Description of Related Art

Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.

The ever-increasing number of computers, routers, and connections making up the Internet increases the number of vulnerable points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch, can be compromised and configured to place malicious packets onto the network.

One particularly troublesome type of attack is a self-replicating network-transferred computer program, such as a virus or worm, that is designed to annoy network users, deny network service by overloading the network, or damage target computers (e.g., by deleting files). A virus is a program that infects a computer or device by attaching itself to another program and propagating itself when that program is executed, possibly destroying files or wiping out memory devices. A worm, on the other hand, is a program that can make copies of itself and spread itself through connected systems, using up resources in affected computers or causing other damage.

Various defenses, such as e-mail filters, anti-virus programs, and firewall mechanisms, have been employed against viruses and worms. Unfortunately, many viruses and worms are polymorphic. Polymorphic viruses and worms include viruses and worms that deliberately have a different set of bytes in each copy, as opposed to being substantially similar in each copy, to make them difficult to detect. Detection techniques based on byte sequence comparison, including older virus-detection techniques, may be generally ineffective in detecting polymorphic viruses and worms.

Accordingly, there is a need for new defenses to thwart the attack of polymorphic viruses and worms.

SUMMARY OF THE INVENTION

Systems and methods consistent with the present invention address these and other needs by providing a new defense that attacks malicious packets, such as polymorphic viruses and worms, at their most common denominator (i.e., the need to transfer a copy of their code over a network to multiple target systems).

In accordance with an aspect of the invention as embodied and broadly described herein, a method for detecting transmission of potentially malicious packets is provided. The method includes receiving packets; generating hash values based on variable-sized blocks of the received packets; comparing the generated hash values to hash values associated with prior packets; and determining that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

In accordance with another aspect of the invention, a system for hampering transmission of potentially malicious packets is provided. The system includes means for observing packets, means for generating hash values based on variable-sized blocks of the observed packets, and means for comparing the generated hash values to hash values corresponding to prior packets. The system further includes means for identifying one of the observed packets as a potentially malicious packet when the generated hash values corresponding to the observed packet match the hash values corresponding to the prior packets, and means for hampering transmission of the observed packet when the observed packet is identified as a potentially malicious packet.

In accordance with yet another aspect of the invention, a device for detecting transmission of malicious packets is provided. The device includes a hash memory and a hash processor. The hash memory is configured to store information associated with hash values corresponding to prior packets. The hash processor is configured to observe a packet and generate one or more hash values based on variable-sized blocks of the packet. The hash processor is further configured to compare the one or more generated hash values to the hash values corresponding to the prior packets and identify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the prior packets.

In accordance with a further aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting blocks of received packet of random block sizes, and performing multiple different hash functions on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.

In accordance with another aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting multiple blocks of the received packet of different block sizes, and performing a different hash function on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.

In accordance with yet another aspect of the invention, a method for detecting files suspected of containing a virus or worm on a computer is provided. The method includes receiving one or more first hash values associated with the virus or worm, hashing one or more variable-sized portions of the files to generate second hash values, comparing the second hash values to the one or more first hash values, and identifying one of the files as a file suspected of containing the virus or worm when one or more of the second hash values correspond to at least one of the one or more first hash values.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is a diagram of a system in which systems and methods consistent with the present invention may be implemented;

FIG. 2 is an exemplary diagram of packet detection logic according to an implementation consistent with the principles of the invention;

FIGS. 3A-3C illustrate three possible data structures that may be used within the hash memory of FIG. 2 in implementations consistent with the principles of the invention; and

DETAILED DESCRIPTION

The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.

Systems and methods consistent with the present invention provide mechanisms to detect and/or prevent the transmission of malicious packets. Malicious packets, as used herein, may include polymorphic viruses and worms, but may also apply to non-polymorphic viruses and worms and possibly other types of data with duplicated content, such as illegal mass e-mail (e.g., spam), that are repeatedly transmitted through a network.

Polymorphic viruses and worms are generally composed of two pieces: an obscured payload (which contains the majority of the virus/worm), and a decoding bootstrap that must be initially executable by the victim machine “as is,” and turns the obscured payload into the executable remainder of the virus/worm. The design of the polymorphic viruses and worms are such that the contents of the obscured payload are essentially undetectable (e.g., by strong encryption), leaving two basic ways to detect the virus/worm: (1) detect it after the decoding bootstrap has run, which is a technique employed by many of today's virus detection software; and (2) detect the decoding bootstrap in a manner consistent with the principles of the invention.

While the decoding bootstrap must be executable by the target machine, it does not have to be the exact same code for every copy of the virus/worm. In other words, it can be made arbitrarily variable, as long as the effect of executing it results in the decoding of the obscured payload.

The most sophisticated polymorphic viruses/worms employ techniques, such as the interspersal of “no-ops” or other code that does not affect the decoding process, but adds to the variability of the byte string making up the decoder bootstrap. Another technique includes changing details of instructions in the actual decoder code, such as changing which registers are employed by the decoding code, or stringing small code fragments together with “branch” or “jump” instructions, allowing the execution sequence of the instructions to be relatively independent of the sequence of bytes making up the decoder bootstrap. “Dead” code, or gibberish bytes, can also be inserted between active code segments strung together this way.

Thus, detecting the decoder bootstrap of a polymorphic virus/worm is a very difficult task. It is most difficult when only one copy of the virus/worm is examined. When many potential copies of the virus/worm can be observed, however, certain similarities between various copies will eventually emerge, because there are only a finite set of transformations that the decoding bootstrap can be put through and still function properly. This opens up the opportunity to detect such viruses/worms in places where many copies can be observed over time, such as in the network nodes (and links) through which they propagate.

Another vulnerability to detection that some e-mail-based viruses/worms have is that they require user interaction with the message carrying the virus/worm in order to be executed. Thus, they are often accompanied by a text message in the body of the e-mail that is designed to entice the user into performing the necessary action to execute the virus/worm (usually opening a file attached to the e-mail message). A polymorphic virus/worm could relatively easily change the e-mail text used in minor ways, but to make substantial changes would likely render the message incoherent to the receiver and, thus, either make him suspicious or unlikely to perform the action needed for the virus/worm to execute. Systems and methods consistent with the principles of the invention can also detect the text of the e-mail message as possibly related to a virus/worm attack.

Systems and methods consistent with the principles of the invention hash incoming packets, using a varying hash-block size, varying between a minimum and a maximum value. The hash block size may be chosen randomly within this interval for each block, but other methods of varying the block size could also be used, as long as the method was not easily predictable by an attacker.

This serves two purposes. First, it reduces the need to hash multiple copies of non-polymorphic viruses/worms for pretraining, because each packet would now have a finite chance of sharing a block with previous packets, rather than no chance, if it did not share a prior copy's alignment within a packet. Second, it allows relatively short sequences of bytes to be hashed sometimes, greatly improving the chances of catching a fixed segment of a polymorphic virus/worm.

Exemplary System Configuration

FIG. 1 is a diagram of an exemplary system 100 in which systems and methods consistent with the present invention may be implemented. System 100 includes autonomous systems (ASs) 110-140 connected to public network (PN) 150. Connections made in system 100 may be via wired, wireless, and/or optical communication paths. While FIG. 1 shows four autonomous systems connected to a single public network, there can be more or fewer systems and networks in other implementations consistent with the principles of the invention.

Public network 150 may include a collection of network devices, such as routers (R1-R5) or switches, that transfer data between autonomous systems, such as autonomous systems 110-140. In an implementation consistent with the present invention, public network 150 takes the form of the Internet, an intranet, a public telephone network, a wide area network (WAN), or the like.

An autonomous system is a network domain in which all network devices (e.g., routers) in the domain can exchange routing tables. Often, an autonomous system can take the form of a local area network (LAN), a WAN, a metropolitan area network (MAN), etc. An autonomous system may include computers or other types of communication devices (referred to as “hosts”) that connect to public network 150 via an intruder detection system (IDS); a firewall, one or more border routers, or a combination of these devices.

Autonomous system 110, for example, includes hosts (H) 111-113 connected in a LAN configuration. Hosts 111-113 connect to public network 150 via an intruder detection system (IDS) 114. Intruder detection system 114 may include a commercially-available device that uses rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an intruder detection system is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic.

Using a rule set, intruder detection system 114 monitors inbound traffic to autonomous system 110. When a suspicious pattern or event is detected, intruder detection system 114 may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying the malicious traffic, discarding packets corning from a particular source address, or discarding packets addressed to a particular destination.

Autonomous system 120 contains different devices from autonomous system 110. These devices aid autonomous system 120 in identifying and/or preventing the transmission of potentially malicious packets within autonomous system 120 and tracing the propagation of the potentially malicious packets through autonomous system 120 and, possibly, public network 150. While FIG. 1 shows only autonomous system 120 as containing these devices, other autonomous systems, including autonomous system 110, may include them.

Autonomous system 120 includes hosts (H) 121-123, intruder detection system (IDS) 124, and security server (SS) 125 connected to public network 150 via a collection of devices, such as security routers (SR11-SR14) 126-129. Hosts 121-123 may include computers or other types of communication devices connected, for example, in a LAN configuration. Intruder detection system 124 may be configured similar to intruder detection system 114.

Security server 125 may include a device, such as a general-purpose computer or a server, that performs source path identification when a malicious packet is detected by intruder detection system 124 or a security router 126-129. While security server 125 and intruder detection system 124 are shown as separate devices in FIG. 1, they can be combined into a single unit performing both intrusion detection and source path identification in other implementations consistent with the present invention.

Security routers 126-129 may include network devices, such as routers, that may detect and/or prevent the transmission of malicious packets and perform source path identification functions. Security routers 127-129 may include border routers for autonomous system 120 because these routers include connections to public network 150. As a result, security routers 127-129 may include routing tables for routers outside autonomous system 120.

FIG. 2 is an exemplary functional block diagram of packet detection logic 200 according to an implementation consistent with the principles of the invention. Packet detection logic 200 may be implemented within a device that taps one or more bidirectional links of a router, such as security routers 126-129, an intruder detection system, such as intruder detection systems 114 and 124, a security server, such as security server 125, a host, such as hosts 111-113 and 121-123, or another type of device. In another implementation, packet detection logic 200 may be implemented within one of these devices. In the discussion that follows, it may be assumed that packet detection logic 200 is implemented within a security router.

Packet detection logic 200 may include hash processor 210 and hash memory 220. Hash processor 210 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received packet and records the packet representations in hash memory 220.

A packet representation will likely not be a copy of the entire packet, but rather it may include a portion of the packet or some unique value representative of the packet. Because modern routers can pass gigabits of data per second, storing complete packets is not practical because memories would have to be prohibitively large. By contrast, storing a value representative of the contents of a packet uses memory in a much more efficient manner. By way of example, if incoming packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across blocks making up the content (or payload) of a packet in a manner that allows the entire packet to be identified.

To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across blocks of each packet. Then, the hash value may be stored in hash memory 220 or may be used as an index, or address, into hash memory 220. Using the hash value, or an index derived therefrom, results in efficient use of hash memory 220 while still allowing the content of each packet passing through packet detection logic 200 to be identified.

Systems and methods consistent with the present invention may use any storage scheme that records information about each packet in a space-efficient fashion, that can definitively determine if a packet has not been observed, and that can respond positively (i.e., in a predictable way) when a packet has been observed. Although systems and methods consistent with the present invention can use virtually any technique for deriving representations of packets, the remaining discussion will use hash values as exemplary representations of packets having passed through a participating router.

Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network.

According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed.

In one implementation consistent with the principles of the invention, hash processor 210 may perform three hashes covering each byte of the payload field. Thus, a hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments (to accommodate a common data-path granularity in high-speed network devices). At the start of the packet payload, hash processor 210 may select a random block size from this range and hash the block with the three different hash functions, or hash processor 210 may select a different block size for each hash function. In the former case, a new block size may be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. In the latter case, as each hash function completes its current block, it selects a random size for the next block it will hash.

Each hash value may be determined by taking an input block of data and processing it to obtain a numerical value that represents the given input data. Suitable hash functions are readily known in the art and will not be discussed in detail herein. Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5). The resulting hash value, also referred to as a message digest or hash digest, may include a fixed length value. The hash value may serve as a signature for the data over which it was computed. For example, incoming packets could have fixed hash value(s) computed over their content.

The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.

Hash processor 210 may store a representation of each packet it observes in hash memory 220. Hash processor 210 may store the actual hash values as the packet representations or it may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. A technique for minimizing storage requirements may use one or more bit arrays or Bloom filters.

Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, hash processor 210 may use the hash value as an index for addressing a bit array within hash memory 220. In other words, when hash processor 210 generates a hash value for a block of a packet, the hash value serves as the address location into the bit array. At the address corresponding to the hash value, one or more bits may be set at the respective location thus indicating that a particular hash value, and hence a particular data packet content, has been seen by hash processor 210. For example, using a 32-bit hash value provides on the order of 4.3 billion possible index values into the bit array. Storing one bit per block rather than storing the block itself, which can be 512 bits long, produces a compression factor of 1:512. While bit arrays are described by way of example, it will be appreciated by those skilled in the relevant art, that other storage techniques may be employed without departing from the spirit of the invention.

FIGS. 3A-3C illustrate three possible data structures that may be used within hash memory 220 in implementations consistent with the principles of the invention. As shown in FIG. 3A, hash memory 220 may include indicator fields 312 addressable by corresponding hash addresses 314. Hash addresses 314 may correspond to possible hash values generated by hash processor 210. Indicator field 312 may store one or more bits that indicate whether a packet block with the corresponding hash value has been observed by hash processor 210. In this case, a packet may be deemed suspicious if, during the hashing process, a significant number of the packet's hash values collide in hash memory 220. Shorter block sizes are more likely to be repeated in totally random traffic, leading to an increase in the generation of “false alarm” matches. To account for this, the threshold number of matches for “suspicion” may need to be configured somewhat higher.

As shown in FIG. 3B, hash memory 220 may alternatively include counter fields 322 addressable by corresponding hash addresses 314. Counter field 322 may record the number of occurrences of packet blocks with the corresponding hash value. Counter field 322 may be incremented on each hit. The more hits a counter receives, the more important the hit should be considered in determining the overall suspiciousness of the packet.

As shown in FIG. 3C, hash memory 220 may store additional information relating to a packet. For example, hash memory 220 may include link identifier (ID) fields 332 and status fields 334. Link ID field 332 may store information regarding the particular link upon which the packet arrived at packet detection logic 200. Status field 334 may store information to aid in monitoring the status of packet detection logic 200 or the link identified by link ID field 332.

Because shorter block sizes are more likely to be repeated in totally random traffic, another variation might include the use of different memories for different block sizes. Thus, a given count level for a shorter block size may be less reason for suspicion than the same count level found in a longer block size.

In an alternate implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store hash values corresponding to known malicious packets, such as known viruses and worms. Hash memory 220 may store these hash values separately from the hash values of observed packets. In this case, hash processor 210 may compare a hash value for a received packet to not only the hash values of previously observed packets, but also to hash values of known malicious packets.

In yet another implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store source addresses of known sources of legitimate duplicated content, such as packets from a multicast server, a popular page on a web server, an output from a mailing list “exploder” server, or the like. In this case, hash processor 210 may compare the source address for a received packet to the source addresses of known sources of legitimate duplicated content.

Over time, hash memory 220 may fill up and the possibility of overwriting an existing index value increases. The risk of overwriting an index value may be reduced if the bit array is periodically flushed to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. Alternatively, the bit array may be slowly and incrementally erased. To facilitate this, a time-table may be established for flushing/erasing the bit array. If desired, the flushing/erasing cycle can be reduced by computing hash values only for a subset of the packets passing through the router. While this approach reduces the flushing/erasing cycle, it increases the possibility that a target packet may be missed (i.e., a hash value is not computed over a portion of it).

When hash memory 220 includes counter fields 322, non-zero storage locations may be decremented periodically rather than being erased. This may ensure that the “random noise” from normal packets would not remain in the bit array indefinitely. Replicated traffic (e.g., from a virus/worm propagating repeatedly across the network), however, would normally cause the relevant storage locations to stay substantially above the “background noise” level.

Exemplary Processing for Malicious Packet Detection/Prevention

FIG. 4 is a flowchart of exemplary processing for detecting and/or preventing transmission of a malicious packet, such as a polymorphic virus or worm, according to an implementation consistent with the principles of the invention. The processing of FIG. 4 may be performed by packet detection logic 200 within a tap device, a security router, such as security router 126, an IDS, such as IDS 124, a LAN switch, or other devices configured to detect and/or prevent transmission of malicious packets. In other implementations, one or more of the described acts may be performed by other systems or devices within system 100.

Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation.

In one implementation consistent with the principles of the invention, three hashes may be performed covering each byte of the payload field. A hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments. At the start of the packet payload, a random block size may be selected from this range and the block may be hashed with the three different hash functions. A new block size may then be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. Alternatively, a different block size may be selected for each hash function. In this case, as each hash function completes its current block, it selects a random size for the next block it will hash.

Hash processor 210 may optionally compare the generated hash value(s) to hash values of known viruses and/or worms within hash memory 220 (act 415). In this case, hash memory 220 may be preprogrammed to store hash values corresponding to known viruses and/or worms. If one or more of the generated hash values match one of the hash values of known viruses and/or worms, hash processor 210 may take remedial actions (acts 420 and 425). The remedial actions may include raising a warning for a human operator, delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping the packet and possibly other packets originating from the same Internet Protocol (IP) address as the packet, sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing complete transmission of the packet, disconnecting the link on which the packet was received, and/or corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet). Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.

If the generated hash value(s) do not match any of the hash values of known viruses and/or worms, or if such a comparison was not performed, hash processor 210 may optionally determine whether the packet's source address indicates that the packet was sent from a legitimate source of duplicated packet content (i.e., a legitimate “replicator”) (act 430). For example, hash processor 210 may maintain a list of legitimate replicators in hash memory 220 and check the source address of the packet with the addresses of legitimate replicators on the list. If the packet's source address matches the address of one of the legitimate replicators, then hash processor 210 may end processing of the packet. For example, processing may return to act 405 to await receipt of the next packet.

Otherwise, hash processor 210 may record the generated hash value(s) in hash memory 220 (act 435). For example, hash processor 210 may set the one or more bits stored in indicator field 312 (FIGS. 3A-3C) or increment the count value in counter field 322 (FIGS. 3B and 3C), corresponding to each of the generated hash values, to indicate that the corresponding packet was observed by hash processor 210.

Hash processor 210 may then determine whether any prior packets with the same hash value(s) have been received (act 440). For example, hash processor 210 may use each of the generated hash value(s) as an address into hash memory 220. Hash processor 210 may then examine indicator field 312 at each address to determine whether the one or more bits stored therein indicate that a prior packet has been received. Alternatively, hash processor 210 may examine counter field 322 to determine whether the count value indicates that a prior packet has been received.

If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet. If hash processor 210 determines that a prior packet has been observed with the same hash value, however, hash processor 210 may determine whether the packet is potentially malicious (act 445). Hash processor 210 may use a set of rules to determine whether to identify a packet as potentially malicious. For example, the rules might specify that more than x (where x>1) packets with the same hash value have to be observed by hash processor 210 before the packets are identified as potentially malicious. The rules might also specify that these packets have to have been observed by hash processor 210 within a specified period of time of one another. The reason for the latter rule is that, in the case of malicious packets, such as polymorphic viruses and worms, multiple packets will likely pass through packet detection logic 200 within a short period of time.

A packet may contain multiple hash blocks that partially match hash blocks associated with prior packets. For example, a packet that includes multiple hash blocks may have somewhere between one and all of its hashed content blocks match hash blocks associated with prior packets. The rules might specify the number of blocks and/or the number and/or length of sequences of blocks that need to match before hash processor 210 identifies the packet as potentially malicious. The rules might differ for different block sizes.

When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet. When hash processor 210 determines that the packet may be malicious, however, hash processor 210 may take remedial actions (act 450). In some cases, it may not be possible to determine whether the packet is actually malicious because there is some probability that there was a false match or a legitimate replication. As a result, hash processor 210 may determine the probability of the packet actually being malicious based on information gathered by hash processor 210.

The remedial actions may include raising a warning for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious. This may greatly slow the spread rate of a virus or worm without completely stopping legitimate traffic that happened to match a suspect profile.

Once a malicious packet, such as a polymorphic virus or worm, has been identified, the path taken by the malicious packet may be traced. To do this, processing similar to that described in U.S. patent application Ser. No. 10/251,403, from which this application claims priority and which has been previously incorporated by reference, may be performed.

CONCLUSION

Systems and methods consistent with the present invention provide mechanisms to detect and/or prevent transmission of malicious packets, such as polymorphic viruses and worms.

Systems and methods consistent with the principles of the invention detect polymorphic viruses and worms with some finite probability, which may depend on the size of the decoder bootstrap code segment and the techniques used to obscure it (such as code rearrangement and the insertion of gibberish bytes). Also, the number of virus and worm examples that must be seen before detection becomes probable depends on the threshold settings, the degree to which different copies of the virus/worm resemble each other, the minimum hash block size used, and the rate at which copies arrive. Essentially, what happens is that short code sequences of the virus/worm decoder bootstrap will occasionally be in a single hash block, without any of the obscuring “cover” of gibberish bytes.

If the bootstrap is only obscured by inserted no-ops or irrelevant code sequences, packet detection logic 200 may eventually see samples of all variants of these in various lengths, and also in conjunction with the active code, and will actually recognize the virus/worm more easily, though usually after seeing many samples.

In either case, some set of byte sequences commonly found in the virus/worm, and found much less commonly in other network traffic, may be detected often enough that these sequences will rise above the “noise” level of the data stored in hash memory 220 and, thus, be detectable. Not every packet containing the virus/worm decoder bootstrap, however, will be detected this way, since it may be that none of the hash blocks in the particular packet isolated the fixed, active code elements. Thus, systems and methods consistent with the principles of the invention may be used to provide a warning that a virus/worm is potentially propagating and capture suspicious packets for human analysis.

Non-polymorphic viruses and worms may also be detected somewhat more quickly by these techniques because block alignment is not the same in every packet and partial matches will be more common early in the appearance of the virus/worm in the network, at least for longer packets. The certainty of detection will be correspondingly lower. So, it may take somewhat more examples of the virus/worm to reach the same degree of certainty of detection of the virus/worm, as with the fixed-length hash blocks, due to the randomness introduced into the hash-sampling process.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.

For example, systems and methods have been described with regard to network-level devices. In other implementations, the systems and methods described herein may be used with a stand-alone device at the input or output of a network link or at other protocol levels, such as in mail relay hosts (e.g., Simple Mail Transfer Protocol (SMTP) servers).

To this regard, the variable-sized block hashing technique described previously can be used in conjunction with traditional host-based virus scanning software. For example, training data may be obtained from a network application and the hash memory contents may then be transmitted to one or more hosts to aid in looking for the suspected virus or worm on the host. In other words, the host may receive hash values associated with the suspected virus or worm from the network application. The host may hash one or more variable-sized portions of the files stored in its memory to generate hash values associated with these files. The host may compare the generated hash values to the hash values associated with the suspected virus or worm and identify one or more files that may contain the suspected virus or worm when the hash values match. The technique may be used as a prioritization stage to determine which files most likely contain a virus or worm. The virus scanning software could then use other, more expensive, techniques to scan these files.

The variable-sized block hashing technique may also be used in conjunction with network-based applications, where suspicious messages are delivered to a reassembly process and the resulting messages scanned by a more conventional (e.g., execution simulating) virus detector.

While a series of acts has been described with regard to the flowchart of FIG. 4, the order of the acts may differ in other implementations consistent with the principles of the invention. In addition, non-dependent acts may be performed concurrently.

Further, certain portions of the invention have been described as “logic” that performs one or more functions. This logic may include hardware, such as an ASIC or a FPGA, software, or a combination of hardware and software.

No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. The scope of the invention is defined by the claims and their equivalents.

Claims

1. In a network carrying a plurality of packets over at least one network link, the network including a first network component having memory and a processor and configured to store information in the memory about at least one of the plurality of packets, a method for detecting a target packet comprising: receiving at least one of the plurality of packets over the link to obtain a received packet;determining a representation of at least a portion of the received packet;identifying a location in the memory;associating a value with the location in the memory;receiving a query message identifying a target packet at the first network component;the first network component using the value associated with the location in the memory in processing the query message to determine if the target packet has been encountered;creating a reply if the target packet has been encountered; andthe first network component making the reply available to the network if the target packet has been encountered;wherein the reply is capable of being used as part of a method for locating an intrusion point of the target packet in the network.
2. The method of claim 1, wherein the making the reply available to the network includes forwarding the reply to a second network component.
3. The method of claim 2, wherein the second network component is a computer.
4. The method of claim 1, wherein the reply contains a network address for the first network component.
5. The method of claim 1, wherein the representation is determined over the entire received packet.
6. The method of claim 1, further comprising: determining if the received packet has undergone a transformation, such transformation having occurred if a first hash value of at least a portion of the received packet computed at a first time is not equal to a second hash value of at least a portion of the received packet computed at a second time, the second time occurring after the first time.
7. The method of claim 1, wherein the network is an Internet Protocol (IP) network.
8. The method of claim 1, wherein the link is a wireless link.
9. The method of claim 1, wherein the first network component is a router.
10. In a network carrying a plurality of packets over at least one link, the network including a network component operatively coupled to the link and having a memory and a processor, a method for storing information about a plurality of packets received over the network, at least a portion of the information being used to locate an intrusion point for a first one of the plurality of packets, the method comprising: receiving the first one of the plurality of packets;determining a first representation of the first one of the plurality of packets over at least a portion thereof;identifying a first location in the memory;associating a value with the first location in the memory;receiving a second one of the plurality of packets;processing the second one of the plurality of packets to obtain information contained therein;using the information contained in the second one of the plurality of packets to determine if the first one of the plurality of packets has been observed; andmaking a reply available to the network, in response to receiving a query message identifying a target packet, if the information contained in the second one of the plurality of packets indicates that the first one of the plurality of packets has been observed, the reply capable of being used as part of a method for locating the intrusion point for the first one of the plurality of packets to assist in determining a source location of an intrusion point of the target packet in the network.
11. A system comprising: a first interface for receiving at least one of a plurality of packets to obtain at least one received packet from a network;a second interface for placing at least a subset of the at least one received packet onto a link;a bus communicatively coupled to the first interface and the second interface;a memory communicatively coupled to the bus, the memory for storing information about the at least one received packet in a machine-readable form;a processor communicatively coupled to the bus and the memory, the processor configured for executing machine-readable instructions for processing the at least one received packet;wherein the system is operable such that the memory is capable of storing the information in a form of one or more first representations for the at least one received packet, each of the one or more first representations determined from a corresponding one of the at least one received packet respectively;wherein the system is operable to receive a query message including a second representation associated with a target packet in the network and use the stored one or more first representations in the memory in processing the query message to determine if the target packet has been encountered; andwherein the system is operable to generate a reply after comparing the second representation to the stored one or more first representations; wherein the reply is capable of being used for locating an intrusion point associated with the target packet in the network.
12. The system of claim 11, wherein the first interface and the second interface are combined into a single bi-directional interface.
13. The system of claim 11, wherein the reply is made available to another network.
14. The system of claim 11, wherein the network is a wireless network.
15. The system of claim 11, wherein the network is an Internet Protocol (IP) network.
16. The system of claim 11, wherein the processor is an ASIC.
17. The system of claim 11, wherein the reply is a positive reply if the second representation matches at least one of the plurality of first representations.
18. The system of claim 11, wherein the reply is forwarded to those of a plurality of devices one hop away in the network.
19. The system of claim 11, wherein the system is operable such that the reply is forwarded to an isolation server responsive to operation of an intrusion detection system, for isolating a malicious packet.
20. The system of claim 19, wherein the system is operable such that the reply is related to building a trace of potential paths taken by the malicious packet.
21. The system of claim 11, wherein the system is operable such that the first representations include hash values.
22. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for establishing a bit map of the first representations representative of the at least one received packet.
23. The system of claim 11, wherein the system is operable such that the second representation is a hash of at least a portion of the at least one received packet.
24. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for determining whether a target packet has been encountered in the network.
25. The system of claim 24, wherein the system is operable such that the determining is accomplished using a source path isolation technique.
26. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a breadth-first search.
27. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a depth-first search.
28. The system of claim 11, wherein the reply is used to determine a point of entry of at least one target packet.
29. The system of claim 28, wherein the at least one target packet is a malicious packet.
30. The system of claim 11, wherein the information includes a time-of-arrival.
31. The system of claim 11, wherein the information includes encapsulation link information.
32. The system of claim 11, wherein the comparing the second representation to the one or more of the plurality of first representations includes using a bit map of hash values representative of the one or more of the plurality of first representations.
33. The system of claim 11, wherein the reply includes an address of a router.
34. The system of claim 33, wherein the router is the system.
35. The system of claim 11, wherein the reply includes information about observed packets.
36. The system of claim 11, wherein the reply includes information about transformed packets.
37. The system of claim 36, wherein the transformed packets have passed through the system.
38. The system of claim 11, wherein the system is operable to receive at least one executable instruction for instructing the system to modify the operation of the system, and wherein the at least one executable instruction facilitates a response to network intrusion.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 12/249,823, filed Oct. 10, 2008, which, in turn, is a continuation of U.S. patent application Ser. No. 10/654,771, filed Sep. 4, 2003, which, in turn, claims priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, all of which are incorporated herein by reference.

US Referenced Citations (935)

Number	Name	Date	Kind
3956615	Anderson et al.	May 1976	A
4104721	Markstein et al.	Aug 1978	A
4177510	Appell et al.	Dec 1979	A
4200770	Hellman et al.	Apr 1980	A
4289930	Connolly et al.	Sep 1981	A
4384325	Slechta, Jr. et al.	May 1983	A
4386233	Smid et al.	May 1983	A
4386416	Giltner et al.	May 1983	A
4405829	Rivest et al.	Sep 1983	A
4442484	Childs, Jr. et al.	Apr 1984	A
4532588	Foster	Jul 1985	A
4584639	Hardy	Apr 1986	A
4590470	Koenig	May 1986	A
4607137	Jansen et al.	Aug 1986	A
4621321	Boebert et al.	Nov 1986	A
4641274	Swank	Feb 1987	A
4648031	Jenner	Mar 1987	A
4701840	Boebert et al.	Oct 1987	A
4710763	Franke et al.	Dec 1987	A
4713753	Boebert et al.	Dec 1987	A
4713780	Schultz et al.	Dec 1987	A
4754428	Schultz et al.	Jun 1988	A
4837798	Cohen et al.	Jun 1989	A
4853961	Pastor	Aug 1989	A
4864573	Horsten	Sep 1989	A
4868877	Fischer	Sep 1989	A
4870571	Frink	Sep 1989	A
4885789	Burger et al.	Dec 1989	A
4910774	Barakat	Mar 1990	A
4914568	Kodosky et al.	Apr 1990	A
4926480	Chaum	May 1990	A
4947430	Chaum	Aug 1990	A
4951196	Jackson	Aug 1990	A
4975950	Lentz	Dec 1990	A
4979210	Nagata et al.	Dec 1990	A
4996711	Chaum	Feb 1991	A
5005200	Fischer	Apr 1991	A
5008814	Mathur	Apr 1991	A
5020059	Gorin et al.	May 1991	A
5051886	Kawaguchi et al.	Sep 1991	A
5054096	Beizer	Oct 1991	A
5070528	Hawe et al.	Dec 1991	A
5093914	Coplien et al.	Mar 1992	A
5105184	Pirani et al.	Apr 1992	A
5119465	Jack et al.	Jun 1992	A
5124984	Engel	Jun 1992	A
5144557	Wang et al.	Sep 1992	A
5144659	Jones	Sep 1992	A
5144660	Rose	Sep 1992	A
5144665	Takaragi et al.	Sep 1992	A
5153918	Tuai	Oct 1992	A
5164988	Matyas et al.	Nov 1992	A
5167011	Priest	Nov 1992	A
5191611	Lang	Mar 1993	A
5200999	Matyas et al.	Apr 1993	A
5204961	Barlow	Apr 1993	A
5210795	Lipner et al.	May 1993	A
5210824	Putz et al.	May 1993	A
5210825	Kavaler	May 1993	A
5214702	Fischer	May 1993	A
5224163	Gasser et al.	Jun 1993	A
5226080	Cole et al.	Jul 1993	A
5228083	Lozowick et al.	Jul 1993	A
5235642	Wobber et al.	Aug 1993	A
5239466	Morgan et al.	Aug 1993	A
5241594	Kung	Aug 1993	A
5247661	Hager et al.	Sep 1993	A
5263147	Francisco et al.	Nov 1993	A
5263157	Janis	Nov 1993	A
5265163	Golding et al.	Nov 1993	A
5265164	Matyas et al.	Nov 1993	A
5267313	Hirata	Nov 1993	A
5272754	Boerbert	Dec 1993	A
5276735	Boebert et al.	Jan 1994	A
5276736	Chaum	Jan 1994	A
5276737	Micali	Jan 1994	A
5276869	Forrest et al.	Jan 1994	A
5276901	Howell et al.	Jan 1994	A
5278901	Shieh et al.	Jan 1994	A
5280527	Gullman et al.	Jan 1994	A
5283887	Zachery	Feb 1994	A
5293250	Okumura et al.	Mar 1994	A
5299263	Beller et al.	Mar 1994	A
5303303	White	Apr 1994	A
5305385	Schanning et al.	Apr 1994	A
5311591	Fischer	May 1994	A
5311593	Carmi	May 1994	A
5313521	Torii et al.	May 1994	A
5313637	Rose	May 1994	A
5315657	Abadi et al.	May 1994	A
5315658	Micali	May 1994	A
5319776	Hile et al.	Jun 1994	A
5325370	Cleveland et al.	Jun 1994	A
5329623	Smith et al.	Jul 1994	A
5333266	Boaz et al.	Jul 1994	A
5341426	Barney et al.	Aug 1994	A
5347578	Duxbury	Sep 1994	A
5351293	Michener et al.	Sep 1994	A
5355472	Lewis	Oct 1994	A
5355474	Thuraisngham et al.	Oct 1994	A
5359659	Rosenthal	Oct 1994	A
5361002	Casper	Nov 1994	A
5367621	Cohen et al.	Nov 1994	A
5371794	Diffie et al.	Dec 1994	A
5377354	Scannell et al.	Dec 1994	A
5379340	Overend et al.	Jan 1995	A
5379374	Ishizaki et al.	Jan 1995	A
5386470	Carter et al.	Jan 1995	A
5388189	Kung	Feb 1995	A
5404231	Bloomfield	Apr 1995	A
5406557	Baudoin	Apr 1995	A
5406628	Beller et al.	Apr 1995	A
5410326	Goldstein	Apr 1995	A
5414650	Hekhuis	May 1995	A
5414833	Hershey et al.	May 1995	A
5416842	Aziz	May 1995	A
5418908	Keller et al.	May 1995	A
5424724	Williams et al.	Jun 1995	A
5432932	Chen et al.	Jul 1995	A
5436972	Fischer	Jul 1995	A
5440723	Arnold et al.	Aug 1995	A
5455828	Zisapel	Oct 1995	A
5479411	Klein	Dec 1995	A
5481312	Cash et al.	Jan 1996	A
5481613	Ford et al.	Jan 1996	A
5483466	Kawahara et al.	Jan 1996	A
5485409	Gupta et al.	Jan 1996	A
5485460	Schrier et al.	Jan 1996	A
5491750	Bellare et al.	Feb 1996	A
5495610	Shing et al.	Feb 1996	A
5499294	Friedman	Mar 1996	A
5504454	Daggett et al.	Apr 1996	A
5509074	Choudhury et al.	Apr 1996	A
5511122	Atkinson	Apr 1996	A
5511163	Lerche et al.	Apr 1996	A
5513126	Harkins et al.	Apr 1996	A
5513323	Williams et al.	Apr 1996	A
5521910	Matthews	May 1996	A
5530852	Meske, Jr. et al.	Jun 1996	A
5535276	Ganesan	Jul 1996	A
5537533	Staheli et al.	Jul 1996	A
5539824	Bjorklund et al.	Jul 1996	A
5541993	Fan et al.	Jul 1996	A
5544320	Konrad	Aug 1996	A
5548646	Aziz et al.	Aug 1996	A
5550984	Gelb	Aug 1996	A
5550994	Tashiro et al.	Aug 1996	A
5553145	Micali	Sep 1996	A
5555309	Kruys	Sep 1996	A
5557346	Lipner et al.	Sep 1996	A
5557742	Smaha et al.	Sep 1996	A
5557765	Lipner et al.	Sep 1996	A
5561703	Arledge et al.	Oct 1996	A
5564106	Puhl et al.	Oct 1996	A
5566170	Bakke et al.	Oct 1996	A
5572590	Chess	Nov 1996	A
5572643	Judson	Nov 1996	A
5577209	Boyle et al.	Nov 1996	A
5583940	Vidrascu et al.	Dec 1996	A
5583995	Gardner et al.	Dec 1996	A
5586260	Hu	Dec 1996	A
5602918	Chen et al.	Feb 1997	A
5604490	Blakley, III et al.	Feb 1997	A
5606668	Shwed	Feb 1997	A
5608819	Ikeuchi	Mar 1997	A
5608874	Ogawa et al.	Mar 1997	A
5615340	Dai et al.	Mar 1997	A
5619648	Canale et al.	Apr 1997	A
5621579	Yuen	Apr 1997	A
5621889	Lermuzeaux et al.	Apr 1997	A
5623598	Voigt et al.	Apr 1997	A
5623600	Ji et al.	Apr 1997	A
5623601	Vu	Apr 1997	A
5623637	Jones et al.	Apr 1997	A
5625695	M'Raihi et al.	Apr 1997	A
5627977	Hickey et al.	May 1997	A
5629982	Micali	May 1997	A
5631961	Mills et al.	May 1997	A
5632011	Landfield et al.	May 1997	A
5636371	Yu	Jun 1997	A
5638487	Chigier	Jun 1997	A
5640454	Lipner et al.	Jun 1997	A
5644404	Hashimoto et al.	Jul 1997	A
5644571	Seaman	Jul 1997	A
5647000	Leighton	Jul 1997	A
5649095	Cozza	Jul 1997	A
5655081	Bonnell et al.	Aug 1997	A
5657461	Harkins et al.	Aug 1997	A
5666416	Micali	Sep 1997	A
5666530	Clark et al.	Sep 1997	A
5671279	Elgamal	Sep 1997	A
5673322	Pepe et al.	Sep 1997	A
5675507	Bobo, II	Oct 1997	A
5675733	Williams	Oct 1997	A
5677955	Doggett et al.	Oct 1997	A
5684951	Goldman et al.	Nov 1997	A
5687235	Perlman et al.	Nov 1997	A
5689565	Spies et al.	Nov 1997	A
5689566	Nguyen	Nov 1997	A
5694616	Johnson et al.	Dec 1997	A
5696822	Nachenberg	Dec 1997	A
5699431	Van Oorschot et al.	Dec 1997	A
5699513	Feigen et al.	Dec 1997	A
5706442	Anderson et al.	Jan 1998	A
5706507	Schloss	Jan 1998	A
5708780	Levergood et al.	Jan 1998	A
5708826	Ikeda et al.	Jan 1998	A
5710883	Hong et al.	Jan 1998	A
5717757	Micali	Feb 1998	A
5717758	Micali	Feb 1998	A
5724428	Rivest	Mar 1998	A
5724512	Winterbottom	Mar 1998	A
5727156	Herr-Hoyman et al.	Mar 1998	A
5740231	Cohn et al.	Apr 1998	A
5742759	Nessett et al.	Apr 1998	A
5742769	Lee et al.	Apr 1998	A
5745573	Lipner et al.	Apr 1998	A
5745574	Muftic	Apr 1998	A
5751956	Kirsch	May 1998	A
5758343	Vigil et al.	May 1998	A
5761531	Ohmura et al.	Jun 1998	A
5764906	Edelstein et al.	Jun 1998	A
5765030	Nachenberg et al.	Jun 1998	A
5768388	Goldwasser et al.	Jun 1998	A
5768528	Stumm	Jun 1998	A
5769942	Maeda	Jun 1998	A
5771348	Kubatzki et al.	Jun 1998	A
5778372	Cordell et al.	Jul 1998	A
5781729	Baker et al.	Jul 1998	A
5781735	Southard	Jul 1998	A
5781857	Hwang et al.	Jul 1998	A
5781901	Kuzma	Jul 1998	A
5790664	Coley et al.	Aug 1998	A
5790789	Suarez	Aug 1998	A
5790790	Smith et al.	Aug 1998	A
5790793	Higley	Aug 1998	A
5790856	Lillich	Aug 1998	A
5793763	Mayes et al.	Aug 1998	A
5793868	Micali	Aug 1998	A
5793954	Baker et al.	Aug 1998	A
5793972	Shane	Aug 1998	A
5796830	Johnson et al.	Aug 1998	A
5796942	Esbensen	Aug 1998	A
5796948	Cohen	Aug 1998	A
5798706	Kraemer et al.	Aug 1998	A
5799083	Brothers et al.	Aug 1998	A
5801700	Ferguson	Sep 1998	A
5802178	Holden et al.	Sep 1998	A
5802277	Cowlard	Sep 1998	A
5802371	Meier	Sep 1998	A
5805719	Pare, Jr. et al.	Sep 1998	A
5805801	Holloway et al.	Sep 1998	A
5812398	Nielsen	Sep 1998	A
5812763	Teng	Sep 1998	A
5812776	Gifford	Sep 1998	A
5812844	Jones et al.	Sep 1998	A
5815573	Johnson et al.	Sep 1998	A
5815657	Williams et al.	Sep 1998	A
5821398	Speirs et al.	Oct 1998	A
5822526	Waskiewicz	Oct 1998	A
5822527	Post	Oct 1998	A
5826013	Nachenberg	Oct 1998	A
5826014	Coley et al.	Oct 1998	A
5826022	Nielsen	Oct 1998	A
5826029	Gore, Jr. et al.	Oct 1998	A
5828832	Holden et al.	Oct 1998	A
5828893	Wied et al.	Oct 1998	A
5832208	Chen et al.	Nov 1998	A
5835087	Herz et al.	Nov 1998	A
5835090	Clark et al.	Nov 1998	A
5835600	Rivest	Nov 1998	A
5835758	Nochur et al.	Nov 1998	A
5842216	Anderson et al.	Nov 1998	A
5845084	Cordell et al.	Dec 1998	A
5850442	Muftic	Dec 1998	A
5852665	Gressel et al.	Dec 1998	A
5855020	Kirsch	Dec 1998	A
5857022	Sudia	Jan 1999	A
5859966	Hayman et al.	Jan 1999	A
5860068	Cook	Jan 1999	A
5862325	Reed et al.	Jan 1999	A
5864667	Barkan	Jan 1999	A
5864683	Boebert et al.	Jan 1999	A
5864852	Luotonen	Jan 1999	A
5872844	Yacobi	Feb 1999	A
5872849	Sudia	Feb 1999	A
5872931	Chivaluri	Feb 1999	A
5878230	Weber et al.	Mar 1999	A
5884033	Duvall et al.	Mar 1999	A
5889943	Ji et al.	Mar 1999	A
5892825	Mages et al.	Apr 1999	A
5892903	Klaus	Apr 1999	A
5892904	Atkinson et al.	Apr 1999	A
5893114	Hashimoto et al.	Apr 1999	A
5896499	McKelvey	Apr 1999	A
5898830	Wesinger, Jr. et al.	Apr 1999	A
5898836	Freivald et al.	Apr 1999	A
5901227	Perlman	May 1999	A
5903651	Kocher	May 1999	A
5903723	Beck et al.	May 1999	A
5903882	Asay et al.	May 1999	A
5905859	Holloway et al.	May 1999	A
5907618	Gennaro et al.	May 1999	A
5907620	Klemba et al.	May 1999	A
5911776	Guck	Jun 1999	A
5912972	Barton	Jun 1999	A
5919257	Trostle	Jul 1999	A
5919258	Kayashima et al.	Jul 1999	A
5920630	Wertheimer et al.	Jul 1999	A
5922074	Richard et al.	Jul 1999	A
5923846	Gage et al.	Jul 1999	A
5923885	Johnson et al.	Jul 1999	A
5928329	Clark et al.	Jul 1999	A
5930479	Hall	Jul 1999	A
5933478	Ozaki et al.	Aug 1999	A
5933498	Schneck et al.	Aug 1999	A
5933647	Aronberg et al.	Aug 1999	A
5937066	Gennaro et al.	Aug 1999	A
5937164	Mages et al.	Aug 1999	A
5940591	Boyle et al.	Aug 1999	A
5941998	Tillson	Aug 1999	A
5946679	Ahuja et al.	Aug 1999	A
5948062	Tzelnic et al.	Sep 1999	A
5948104	Gluck et al.	Sep 1999	A
5950195	Stockwell et al.	Sep 1999	A
5951644	Creemer	Sep 1999	A
5951698	Chen et al.	Sep 1999	A
5956403	Lipner et al.	Sep 1999	A
5956481	Walsh et al.	Sep 1999	A
5958005	Thorne et al.	Sep 1999	A
5958010	Agarwal et al.	Sep 1999	A
5959976	Kuo	Sep 1999	A
5960170	Chen et al.	Sep 1999	A
5963915	Kirsch	Oct 1999	A
5964889	Nachenberg	Oct 1999	A
5970248	Meier	Oct 1999	A
5974141	Saito	Oct 1999	A
5978799	Hirsch	Nov 1999	A
5983012	Bianchi et al.	Nov 1999	A
5983228	Kobayashi et al.	Nov 1999	A
5987606	Cirasole et al.	Nov 1999	A
5987609	Hasebe	Nov 1999	A
5991406	Lipner et al.	Nov 1999	A
5991807	Schmidt et al.	Nov 1999	A
5991879	Still	Nov 1999	A
5991881	Conklin et al.	Nov 1999	A
5996011	Humes	Nov 1999	A
5996077	Williams	Nov 1999	A
5999723	Nachenberg	Dec 1999	A
5999932	Paul	Dec 1999	A
5999967	Sundsted	Dec 1999	A
6000041	Baker et al.	Dec 1999	A
6003027	Prager	Dec 1999	A
6006329	Chi	Dec 1999	A
6009103	Woundy	Dec 1999	A
6009274	Fletcher et al.	Dec 1999	A
6009462	Birrell et al.	Dec 1999	A
6012144	Pickett	Jan 2000	A
6014651	Crawford	Jan 2000	A
6021510	Nachenberg	Feb 2000	A
6023723	McCormick et al.	Feb 2000	A
6026414	Anglin	Feb 2000	A
6029256	Kouznetsov	Feb 2000	A
6035423	Hodges et al.	Mar 2000	A
6038233	Hamamoto et al.	Mar 2000	A
6049789	Frison et al.	Apr 2000	A
6052531	Waldin, Jr. et al.	Apr 2000	A
6052709	Paul	Apr 2000	A
6052788	Wesinger, Jr. et al.	Apr 2000	A
6055519	Kennedy et al.	Apr 2000	A
6058381	Nelson	May 2000	A
6058482	Liu	May 2000	A
6061448	Smith et al.	May 2000	A
6061722	Lipa et al.	May 2000	A
6067410	Nachenberg	May 2000	A
6070243	See et al.	May 2000	A
6072942	Stockwell et al.	Jun 2000	A
6073140	Morgan et al.	Jun 2000	A
6075863	Krishnan et al.	Jun 2000	A
6078929	Rao	Jun 2000	A
6085320	Kaliski, Jr.	Jul 2000	A
6088803	Tso et al.	Jul 2000	A
6088804	Hill et al.	Jul 2000	A
6092067	Girling et al.	Jul 2000	A
6092102	Wagner	Jul 2000	A
6092114	Shaffer et al.	Jul 2000	A
6092191	Shimbo et al.	Jul 2000	A
6092194	Touboul	Jul 2000	A
6092201	Turnbull et al.	Jul 2000	A
6094277	Toyoda	Jul 2000	A
6094731	Waldin et al.	Jul 2000	A
6097811	Micali	Aug 2000	A
6104500	Alam et al.	Aug 2000	A
6108683	Kamada et al.	Aug 2000	A
6108688	Nielsen	Aug 2000	A
6108691	Lee et al.	Aug 2000	A
6108786	Knowlson	Aug 2000	A
6112181	Shear et al.	Aug 2000	A
6118856	Paarsmarkt et al.	Sep 2000	A
6119137	Smith et al.	Sep 2000	A
6119142	Kosaka	Sep 2000	A
6119157	Traversat et al.	Sep 2000	A
6119165	Li et al.	Sep 2000	A
6119230	Carter	Sep 2000	A
6119231	Foss et al.	Sep 2000	A
6119236	Shipley	Sep 2000	A
6122661	Stedman et al.	Sep 2000	A
6123737	Sadowsky	Sep 2000	A
6134550	Van Oorschot et al.	Oct 2000	A
6134551	Aucsmith	Oct 2000	A
6138254	Voshell	Oct 2000	A
6141695	Sekiguchi et al.	Oct 2000	A
6141778	Kane et al.	Oct 2000	A
6144744	Smith, Sr. et al.	Nov 2000	A
6145083	Shaffer et al.	Nov 2000	A
6151643	Cheng et al.	Nov 2000	A
6151675	Smith	Nov 2000	A
6154769	Cherkasova et al.	Nov 2000	A
6154844	Touboul et al.	Nov 2000	A
6154879	Pare et al.	Nov 2000	A
6161130	Horvitz et al.	Dec 2000	A
6161137	Ogdon et al.	Dec 2000	A
6167407	Nachenberg et al.	Dec 2000	A
6167438	Yates et al.	Dec 2000	A
6169969	Cohen	Jan 2001	B1
6178242	Tsuria	Jan 2001	B1
6178509	Nardone et al.	Jan 2001	B1
6182142	Win et al.	Jan 2001	B1
6182226	Reid et al.	Jan 2001	B1
6185678	Arbaugh et al.	Feb 2001	B1
6185682	Tang	Feb 2001	B1
6185689	Todd, Sr. et al.	Feb 2001	B1
6192360	Dumais et al.	Feb 2001	B1
6192407	Smith et al.	Feb 2001	B1
6199102	Cobb	Mar 2001	B1
6202157	Brownlie et al.	Mar 2001	B1
6215763	Doshi et al.	Apr 2001	B1
6216265	Roop et al.	Apr 2001	B1
6219706	Fan et al.	Apr 2001	B1
6219714	Inhwan et al.	Apr 2001	B1
6223094	Muehleck et al.	Apr 2001	B1
6223172	Hunter et al.	Apr 2001	B1
6223213	Cleron et al.	Apr 2001	B1
6226666	Chang et al.	May 2001	B1
6230190	Edmonds et al.	May 2001	B1
6230194	Frailong et al.	May 2001	B1
6230266	Perlman et al.	May 2001	B1
6233577	Ramasubramani et al.	May 2001	B1
6240401	Oren et al.	May 2001	B1
6243815	Antur et al.	Jun 2001	B1
6249575	Heilmann et al.	Jun 2001	B1
6249585	McGrew et al.	Jun 2001	B1
6249807	Shaw et al.	Jun 2001	B1
6253337	Maloney et al.	Jun 2001	B1
6260043	Puri et al.	Jul 2001	B1
6260142	Thakkar et al.	Jul 2001	B1
6266337	Marco	Jul 2001	B1
6266668	Vanderveldt et al.	Jul 2001	B1
6266692	Greenstein	Jul 2001	B1
6266700	Baker et al.	Jul 2001	B1
6266774	Sampath et al.	Jul 2001	B1
6269380	Terry et al.	Jul 2001	B1
6269447	Maloney et al.	Jul 2001	B1
6269456	Hodges et al.	Jul 2001	B1
6272532	Feinleib	Aug 2001	B1
6272632	Carman et al.	Aug 2001	B1
6275937	Hailpern et al.	Aug 2001	B1
6275942	Bernhard et al.	Aug 2001	B1
6275977	Nagai et al.	Aug 2001	B1
6279113	Vaidya	Aug 2001	B1
6279133	Vafai et al.	Aug 2001	B1
6282565	Shaw et al.	Aug 2001	B1
6285991	Powar	Sep 2001	B1
6289214	Backstrom	Sep 2001	B1
6292833	Liao et al.	Sep 2001	B1
6298445	Shostack et al.	Oct 2001	B1
6301668	Gleichauf et al.	Oct 2001	B1
6301699	Hollander et al.	Oct 2001	B1
6304898	Shiigi	Oct 2001	B1
6304904	Sathyanarayan et al.	Oct 2001	B1
6304973	Williams	Oct 2001	B1
6311207	Mighdoll et al.	Oct 2001	B1
6311273	Helbig et al.	Oct 2001	B1
6314190	Zimmermann	Nov 2001	B1
6317829	Van Oorschot	Nov 2001	B1
6320948	Heilmann et al.	Nov 2001	B1
6321267	Donaldson	Nov 2001	B1
6324569	Ogilvie et al.	Nov 2001	B1
6324647	Bowman-Amuah	Nov 2001	B1
6324656	Gleichauf et al.	Nov 2001	B1
6327579	Crawford	Dec 2001	B1
6327594	Van Huben et al.	Dec 2001	B1
6327620	Tams et al.	Dec 2001	B1
6327652	England et al.	Dec 2001	B1
6330551	Burchetta et al.	Dec 2001	B1
6330589	Kennedy	Dec 2001	B1
6330670	England et al.	Dec 2001	B1
6332163	Bowman-Amuah	Dec 2001	B1
6338141	Wells	Jan 2002	B1
6341369	Degenaro et al.	Jan 2002	B1
6347374	Drake et al.	Feb 2002	B1
6347375	Reinert et al.	Feb 2002	B1
6353886	Howard et al.	Mar 2002	B1
6356859	Talbot et al.	Mar 2002	B1
6356935	Gibbs	Mar 2002	B1
6357008	Nachenberg	Mar 2002	B1
6362836	Shaw et al.	Mar 2002	B1
6363489	Comay et al.	Mar 2002	B1
6367009	Davis et al.	Apr 2002	B1
6367012	Atkinson et al.	Apr 2002	B1
6370648	Diep	Apr 2002	B1
6373950	Rowney	Apr 2002	B1
6381694	Yen	Apr 2002	B1
6385596	Wiser et al.	May 2002	B1
6385655	Smith et al.	May 2002	B1
6389419	Wong et al.	May 2002	B1
6393465	Leeds	May 2002	B2
6393568	Ranger et al.	May 2002	B1
6397259	Lincke et al.	May 2002	B1
6397335	Franczek et al.	May 2002	B1
6400804	Bilder	Jun 2002	B1
6401210	Templeton	Jun 2002	B1
6405318	Rowland	Jun 2002	B1
6411716	Brickell	Jun 2002	B1
6424650	Yang et al.	Jul 2002	B1
6430184	Robins et al.	Aug 2002	B1
6430688	Kohl et al.	Aug 2002	B1
6434536	Geiger	Aug 2002	B1
6438549	Aldred et al.	Aug 2002	B1
6438576	Huang et al.	Aug 2002	B1
6438612	Ylonen et al.	Aug 2002	B1
6442588	Clark et al.	Aug 2002	B1
6442686	McArdle et al.	Aug 2002	B1
6442688	Moses et al.	Aug 2002	B1
6442689	Kocher	Aug 2002	B1
6446109	Gupta	Sep 2002	B2
6449367	Van Wie et al.	Sep 2002	B2
6449640	Haverstock et al.	Sep 2002	B1
6452613	Lefebvre et al.	Sep 2002	B1
6453345	Trcka et al.	Sep 2002	B2
6453352	Wagner et al.	Sep 2002	B1
6453419	Flint et al.	Sep 2002	B1
6460050	Pace et al.	Oct 2002	B1
6460141	Olden	Oct 2002	B1
6469969	Carson et al.	Oct 2002	B2
6470086	Smith	Oct 2002	B1
6477651	Teal	Nov 2002	B1
6484203	Porras et al.	Nov 2002	B1
6487599	Smith et al.	Nov 2002	B1
6487658	Micali	Nov 2002	B1
6487666	Shanklin et al.	Nov 2002	B1
6496974	Sliger et al.	Dec 2002	B1
6496979	Chen et al.	Dec 2002	B1
6499107	Gleichauf et al.	Dec 2002	B1
6502191	Smith et al.	Dec 2002	B1
6507851	Fujiwara et al.	Jan 2003	B1
6510431	Eichstaedt et al.	Jan 2003	B1
6510464	Grantges, Jr. et al.	Jan 2003	B1
6510466	Cox et al.	Jan 2003	B1
6516316	Ramasubramani et al.	Feb 2003	B1
6516411	Smith	Feb 2003	B2
6519264	Carr et al.	Feb 2003	B1
6519703	Joyce	Feb 2003	B1
6526171	Furukawa	Feb 2003	B1
6529498	Cheng	Mar 2003	B1
6539430	Humes	Mar 2003	B1
6546416	Kirsch	Apr 2003	B1
6546493	Magdych et al.	Apr 2003	B1
6550012	Villa et al.	Apr 2003	B1
6560632	Chess et al.	May 2003	B1
6574611	Matsuyama et al.	Jun 2003	B1
6574737	Kingsford et al.	Jun 2003	B1
6577920	Hypponen et al.	Jun 2003	B1
6578025	Pollack et al.	Jun 2003	B1
6578147	Shanklin et al.	Jun 2003	B1
6584488	Brenner et al.	Jun 2003	B1
6584564	Olkin et al.	Jun 2003	B2
6587949	Steinberg	Jul 2003	B1
6606708	Devine et al.	Aug 2003	B1
6609196	Dickinson, III et al.	Aug 2003	B1
6609205	Bernhard et al.	Aug 2003	B1
6611869	Eschelbeck et al.	Aug 2003	B1
6611925	Spear	Aug 2003	B1
6615242	Riemers	Sep 2003	B1
6622150	Kouznetsov et al.	Sep 2003	B1
6647400	Moran	Nov 2003	B1
6650890	Irlam et al.	Nov 2003	B1
6654787	Aronson et al.	Nov 2003	B1
6658568	Ginter et al.	Dec 2003	B1
6662230	Eichstaedt et al.	Dec 2003	B1
6668269	Kamada et al.	Dec 2003	B1
6675153	Cook et al.	Jan 2004	B1
6675209	Britt	Jan 2004	B1
6678270	Garfinkel	Jan 2004	B1
6681331	Munson et al.	Jan 2004	B1
6684335	Epstein, III et al.	Jan 2004	B1
6687687	Smadja	Feb 2004	B1
6687732	Bector et al.	Feb 2004	B1
6691156	Drummond et al.	Feb 2004	B1
6694023	Kim	Feb 2004	B1
6697950	Ko	Feb 2004	B1
6701440	Kim et al.	Mar 2004	B1
6704874	Porras et al.	Mar 2004	B1
6707915	Jobst et al.	Mar 2004	B1
6711127	Gorman et al.	Mar 2004	B1
6711679	Guski et al.	Mar 2004	B1
6715082	Chang et al.	Mar 2004	B1
6721721	Bates et al.	Apr 2004	B1
6725223	Abdo et al.	Apr 2004	B2
6725377	Kouznetsov	Apr 2004	B1
6728886	Ji et al.	Apr 2004	B1
6731756	Pizano et al.	May 2004	B1
6732101	Cook	May 2004	B1
6732149	Kephart	May 2004	B1
6732157	Gordon et al.	May 2004	B1
6735700	Flint et al.	May 2004	B1
6735703	Kilpatrick et al.	May 2004	B1
6738462	Brunson	May 2004	B1
6738814	Cox et al.	May 2004	B1
6738932	Price	May 2004	B1
6741595	Maher, III et al.	May 2004	B2
6742015	Bowman-Amuah	May 2004	B1
6742124	Kilpatrick et al.	May 2004	B1
6742128	Joiner	May 2004	B1
6745192	Libenzi	Jun 2004	B1
6748531	Epstein	Jun 2004	B1
6754705	Joiner et al.	Jun 2004	B2
6757830	Tarbotton et al.	Jun 2004	B1
6760765	Asai et al.	Jul 2004	B1
6760845	Cafarelli et al.	Jul 2004	B1
6766450	Micali	Jul 2004	B2
6768991	Hearnden	Jul 2004	B2
6769016	Rothwell et al.	Jul 2004	B2
6772334	Glawitsch	Aug 2004	B1
6772346	Chess et al.	Aug 2004	B1
6775657	Baker	Aug 2004	B1
6775704	Watson et al.	Aug 2004	B1
6779033	Watson et al.	Aug 2004	B1
6782503	Dawson	Aug 2004	B1
6785728	Schneider et al.	Aug 2004	B1
6785732	Bates et al.	Aug 2004	B1
6785818	Sobel et al.	Aug 2004	B1
6789202	Ko et al.	Sep 2004	B1
6792546	Shanklin et al.	Sep 2004	B1
6799197	Shetty et al.	Sep 2004	B1
6802002	Corella	Oct 2004	B1
6804237	Luo et al.	Oct 2004	B1
6804778	Levi et al.	Oct 2004	B1
6804783	Wesinger, Jr. et al.	Oct 2004	B1
6826698	Minkin et al.	Nov 2004	B1
6842860	Branstad et al.	Jan 2005	B1
6842861	Cox et al.	Jan 2005	B1
6845449	Carman et al.	Jan 2005	B1
6847888	Fox et al.	Jan 2005	B2
6851057	Nachenberg	Feb 2005	B1
6859793	Lambiase	Feb 2005	B1
6862581	Lambiase	Mar 2005	B1
6870849	Callon et al.	Mar 2005	B1
6883101	Fox et al.	Apr 2005	B1
6892178	Zacharia	May 2005	B1
6892179	Zacharia	May 2005	B1
6892237	Gai et al.	May 2005	B1
6892241	Kouznetsov et al.	May 2005	B2
6895385	Zacharia et al.	May 2005	B1
6895436	Caillau et al.	May 2005	B1
6907430	Chong et al.	Jun 2005	B2
6909205	Corcoran et al.	Jun 2005	B2
6910134	Maher, III et al.	Jun 2005	B1
6910135	Grainger	Jun 2005	B1
6915426	Carman et al.	Jul 2005	B1
6922776	Cook et al.	Jul 2005	B2
6928550	Le Pennec et al.	Aug 2005	B1
6928556	Black et al.	Aug 2005	B2
6934857	Bartleson et al.	Aug 2005	B1
6941348	Petry et al.	Sep 2005	B2
6941467	Judge et al.	Sep 2005	B2
6944673	Malan et al.	Sep 2005	B2
6947442	Sato et al.	Sep 2005	B1
6947936	Suermondt et al.	Sep 2005	B1
6950933	Cook et al.	Sep 2005	B1
6952776	Chess	Oct 2005	B1
6954775	Shanklin et al.	Oct 2005	B1
6968336	Gupta	Nov 2005	B1
6968461	Lucas et al.	Nov 2005	B1
6971019	Nachenberg	Nov 2005	B1
6976168	Branstad et al.	Dec 2005	B1
6976271	Le Pennec et al.	Dec 2005	B1
6978223	Milliken	Dec 2005	B2
6981146	Sheymov	Dec 2005	B1
6981158	Sanchez et al.	Dec 2005	B1
6985923	Bates et al.	Jan 2006	B1
6993660	Libenzi et al.	Jan 2006	B1
7010696	Cambridge et al.	Mar 2006	B1
7055173	Chaganty et al.	May 2006	B1
7058974	Maher, III et al.	Jun 2006	B1
7080000	Cambridge	Jul 2006	B1
7085934	Edwards	Aug 2006	B1
7093002	Wolff et al.	Aug 2006	B2
7107618	Gordon et al.	Sep 2006	B1
7117358	Bandini et al.	Oct 2006	B2
7117533	Libenzi	Oct 2006	B1
7120252	Jones et al.	Oct 2006	B1
7127743	Khanolkar et al.	Oct 2006	B1
7134141	Crosbie et al.	Nov 2006	B2
7136487	Schon et al.	Nov 2006	B1
7150042	Wolff et al.	Dec 2006	B2
7159237	Schneier et al.	Jan 2007	B2
7181015	Matt	Feb 2007	B2
7213260	Judge	May 2007	B2
7222157	Sutton et al.	May 2007	B1
7225255	Favier et al.	May 2007	B2
7225466	Judge	May 2007	B2
7234168	Gupta et al.	Jun 2007	B2
7308715	Gupta et al.	Dec 2007	B2
7310818	Parish et al.	Dec 2007	B1
7328349	Milliken	Feb 2008	B2
7366764	Vollebregt	Apr 2008	B1
7409714	Gupta et al.	Aug 2008	B2
7458098	Judge et al.	Nov 2008	B2
7519994	Judge et al.	Apr 2009	B2
7533272	Gordon et al.	May 2009	B1
7624274	Alspector et al.	Nov 2009	B1
7693945	Dulitz et al.	Apr 2010	B1
20010005889	Albrecht	Jun 2001	A1
20010009580	Ikeda	Jul 2001	A1
20010011308	Clark et al.	Aug 2001	A1
20010034839	Karjoth et al.	Oct 2001	A1
20010039579	Trcka et al.	Nov 2001	A1
20010049793	Sugimoto	Dec 2001	A1
20020001384	Buer et al.	Jan 2002	A1
20020004902	Toh et al.	Jan 2002	A1
20020016826	Johansson et al.	Feb 2002	A1
20020016910	Wright et al.	Feb 2002	A1
20020019945	Houston et al.	Feb 2002	A1
20020023140	Hile et al.	Feb 2002	A1
20020026591	Hartley et al.	Feb 2002	A1
20020032860	Wheeler et al.	Mar 2002	A1
20020032871	Malan et al.	Mar 2002	A1
20020035683	Kaashoek et al.	Mar 2002	A1
20020038339	Xu	Mar 2002	A1
20020042876	Smith	Apr 2002	A1
20020042877	Wheeler et al.	Apr 2002	A1
20020046041	Lang	Apr 2002	A1
20020049853	Chu et al.	Apr 2002	A1
20020069263	Sears et al.	Jun 2002	A1
20020071438	Singh	Jun 2002	A1
20020078381	Farley et al.	Jun 2002	A1
20020078382	Sheikh et al.	Jun 2002	A1
20020080888	Shu et al.	Jun 2002	A1
20020083033	Abdo et al.	Jun 2002	A1
20020083342	Webb et al.	Jun 2002	A1
20020083343	Crosbie et al.	Jun 2002	A1
20020087882	Schneier et al.	Jul 2002	A1
20020091697	Huang et al.	Jul 2002	A1
20020091757	Cuomo et al.	Jul 2002	A1
20020095492	Kaashoek et al.	Jul 2002	A1
20020107853	Hofmann et al.	Aug 2002	A1
20020112008	Christenson et al.	Aug 2002	A1
20020112168	Filipi-Martin et al.	Aug 2002	A1
20020112185	Hodges	Aug 2002	A1
20020116463	Hart	Aug 2002	A1
20020116627	Tarbotton et al.	Aug 2002	A1
20020120705	Schiavone et al.	Aug 2002	A1
20020120853	Tyree	Aug 2002	A1
20020120874	Shu et al.	Aug 2002	A1
20020129002	Alberts et al.	Sep 2002	A1
20020129277	Caccavale	Sep 2002	A1
20020133365	Grey et al.	Sep 2002	A1
20020133586	Shanklin et al.	Sep 2002	A1
20020138416	Lovejoy et al.	Sep 2002	A1
20020138755	Ko	Sep 2002	A1
20020138759	Dutta	Sep 2002	A1
20020138762	Horne	Sep 2002	A1
20020143963	Converse et al.	Oct 2002	A1
20020147734	Shoup et al.	Oct 2002	A1
20020147780	Liu et al.	Oct 2002	A1
20020147915	Chefalas et al.	Oct 2002	A1
20020147925	Lingafelt et al.	Oct 2002	A1
20020152399	Smith	Oct 2002	A1
20020161718	Coley et al.	Oct 2002	A1
20020165971	Baron	Nov 2002	A1
20020169954	Bandini et al.	Nov 2002	A1
20020172367	Mulder et al.	Nov 2002	A1
20020174358	Wolff et al.	Nov 2002	A1
20020178227	Matsa et al.	Nov 2002	A1
20020178383	Hrabik et al.	Nov 2002	A1
20020181703	Logan et al.	Dec 2002	A1
20020186698	Ceniza	Dec 2002	A1
20020188864	Jackson	Dec 2002	A1
20020194161	McNamee et al.	Dec 2002	A1
20020194469	Dominique et al.	Dec 2002	A1
20020194490	Halperin et al.	Dec 2002	A1
20020199095	Bandini et al.	Dec 2002	A1
20030004688	Gupta et al.	Jan 2003	A1
20030004689	Gupta et al.	Jan 2003	A1
20030005326	Flemming	Jan 2003	A1
20030009554	Burch et al.	Jan 2003	A1
20030009693	Brock et al.	Jan 2003	A1
20030009696	Bunker et al.	Jan 2003	A1
20030009698	Lindeman et al.	Jan 2003	A1
20030009699	Gupta et al.	Jan 2003	A1
20030014662	Gupta et al.	Jan 2003	A1
20030014664	Hentunen	Jan 2003	A1
20030021280	Makinson et al.	Jan 2003	A1
20030023692	Moroo	Jan 2003	A1
20030023695	Kobata et al.	Jan 2003	A1
20030023873	Ben-Itzhak	Jan 2003	A1
20030023874	Prokupets et al.	Jan 2003	A1
20030023875	Hursey et al.	Jan 2003	A1
20030028803	Bunker et al.	Feb 2003	A1
20030033516	Howard et al.	Feb 2003	A1
20030033542	Goseva-Popstojanova et al.	Feb 2003	A1
20030037141	Milo et al.	Feb 2003	A1
20030041263	Devine et al.	Feb 2003	A1
20030041264	Black et al.	Feb 2003	A1
20030046421	Horvitz et al.	Mar 2003	A1
20030051026	Carter et al.	Mar 2003	A1
20030051163	Bidaud	Mar 2003	A1
20030051168	King et al.	Mar 2003	A1
20030055931	Cravo De Almeida et al.	Mar 2003	A1
20030061502	Teblyashkin et al.	Mar 2003	A1
20030061506	Cooper et al.	Mar 2003	A1
20030065791	Garg et al.	Apr 2003	A1
20030065943	Geis et al.	Apr 2003	A1
20030084020	Shu	May 2003	A1
20030084280	Bryan et al.	May 2003	A1
20030084320	Tarquini et al.	May 2003	A1
20030084323	Gales	May 2003	A1
20030084347	Luzzatto	May 2003	A1
20030088680	Nachenberg et al.	May 2003	A1
20030088792	Card et al.	May 2003	A1
20030093667	Dutta et al.	May 2003	A1
20030093695	Dutta	May 2003	A1
20030093696	Sugimoto	May 2003	A1
20030095555	McNamara et al.	May 2003	A1
20030097439	Strayer et al.	May 2003	A1
20030097564	Tewari et al.	May 2003	A1
20030101381	Mateev et al.	May 2003	A1
20030105827	Tan et al.	Jun 2003	A1
20030105859	Garnett et al.	Jun 2003	A1
20030105976	Copeland, III	Jun 2003	A1
20030110392	Aucsmith et al.	Jun 2003	A1
20030110393	Brock et al.	Jun 2003	A1
20030110396	Lewis et al.	Jun 2003	A1
20030115485	Milliken	Jun 2003	A1
20030115486	Choi et al.	Jun 2003	A1
20030120604	Yokota et al.	Jun 2003	A1
20030120647	Aiken et al.	Jun 2003	A1
20030123665	Dunstan et al.	Jul 2003	A1
20030126464	McDaniel et al.	Jul 2003	A1
20030126472	Banzhof	Jul 2003	A1
20030135749	Gales et al.	Jul 2003	A1
20030140137	Joiner et al.	Jul 2003	A1
20030140250	Taninaka et al.	Jul 2003	A1
20030145212	Crumly	Jul 2003	A1
20030145225	Bruton, III et al.	Jul 2003	A1
20030145226	Bruton, III et al.	Jul 2003	A1
20030145232	Poletto et al.	Jul 2003	A1
20030149887	Yadav	Aug 2003	A1
20030149888	Yadav	Aug 2003	A1
20030154393	Young	Aug 2003	A1
20030154399	Zuk et al.	Aug 2003	A1
20030154402	Pandit et al.	Aug 2003	A1
20030158905	Petry et al.	Aug 2003	A1
20030159069	Choi et al.	Aug 2003	A1
20030159070	Mayer et al.	Aug 2003	A1
20030167402	Stolfo et al.	Sep 2003	A1
20030172120	Tomkow et al.	Sep 2003	A1
20030172166	Judge et al.	Sep 2003	A1
20030172167	Judge et al.	Sep 2003	A1
20030172289	Soppera	Sep 2003	A1
20030172291	Judge et al.	Sep 2003	A1
20030172292	Judge	Sep 2003	A1
20030172294	Judge	Sep 2003	A1
20030172301	Judge et al.	Sep 2003	A1
20030172302	Judge et al.	Sep 2003	A1
20030187996	Cardina et al.	Oct 2003	A1
20030212791	Pickup	Nov 2003	A1
20030233328	Scott et al.	Dec 2003	A1
20030236845	Pitsos	Dec 2003	A1
20040015554	Wilson	Jan 2004	A1
20040025044	Day	Feb 2004	A1
20040054886	Dickinson, III et al.	Mar 2004	A1
20040058673	Irlam et al.	Mar 2004	A1
20040059811	Sugauchi et al.	Mar 2004	A1
20040083384	Hypponen	Apr 2004	A1
20040088570	Roberts et al.	May 2004	A1
20040103315	Cooper et al.	May 2004	A1
20040111531	Staniford et al.	Jun 2004	A1
20040139160	Wallace et al.	Jul 2004	A1
20040139334	Wiseman	Jul 2004	A1
20040143763	Radatti	Jul 2004	A1
20040167968	Wilson et al.	Aug 2004	A1
20040177120	Kirsch	Sep 2004	A1
20040181462	Bauer et al.	Sep 2004	A1
20040193482	Hoffman et al.	Sep 2004	A1
20040203589	Wang et al.	Oct 2004	A1
20040205135	Hallam-Baker	Oct 2004	A1
20040221062	Starbuck et al.	Nov 2004	A1
20040236884	Beetz	Nov 2004	A1
20040267893	Lin	Dec 2004	A1
20050014749	Chen et al.	Jan 2005	A1
20050021738	Goeller et al.	Jan 2005	A1
20050043936	Corston-Oliver et al.	Feb 2005	A1
20050052998	Oliver et al.	Mar 2005	A1
20050058129	Jones et al.	Mar 2005	A1
20050065810	Bouron	Mar 2005	A1
20050081059	Bandini et al.	Apr 2005	A1
20050086526	Aguirre	Apr 2005	A1
20050102366	Kirsch	May 2005	A1
20050188045	Katsikas	Aug 2005	A1
20050204159	Davis et al.	Sep 2005	A1
20050235360	Pearson	Oct 2005	A1
20050262209	Yu	Nov 2005	A1
20050262210	Yu	Nov 2005	A1
20060036693	Hulten et al.	Feb 2006	A1
20060036727	Kurapati et al.	Feb 2006	A1
20060042483	Work et al.	Mar 2006	A1
20060047794	Jezierski	Mar 2006	A1
20060095404	Adelman et al.	May 2006	A1
20060095966	Park	May 2006	A1
20060123083	Goutte et al.	Jun 2006	A1
20060168006	Shannon et al.	Jul 2006	A1
20060168017	Stern et al.	Jul 2006	A1
20060212925	Shull et al.	Sep 2006	A1
20060212930	Shull et al.	Sep 2006	A1
20060212931	Shull et al.	Sep 2006	A1
20060230039	Shull et al.	Oct 2006	A1
20060253458	Dixon et al.	Nov 2006	A1
20060259551	Caldwell, Jr.	Nov 2006	A1
20080060075	Cox et al.	Mar 2008	A1
20090064329	Okumura et al.	Mar 2009	A1
20090083413	Levow et al.	Mar 2009	A1
20100017487	Patinkin	Jan 2010	A1
20100049848	Levow et al.	Feb 2010	A1

Foreign Referenced Citations (5)

Number	Date	Country
WO9605673	Feb 1996	WO
WO0028420	May 2000	WO
WO0155927	Aug 2001	WO
WO0173523	Oct 2001	WO
WO02101516	Dec 2002	WO

Related Publications (1)

	Number	Date	Country
	20100205671 A1	Aug 2010	US

Provisional Applications (2)

	Number	Date	Country
	60407975	Sep 2002	US
	60341462	Dec 2001	US

Continuations (2)

	Number	Date	Country
Parent	12249823	Oct 2008	US
Child	12762367		US
Parent	10654771	Sep 2003	US
Child	12249823		US

Continuation in Parts (3)

	Number	Date	Country
Parent	10251403	Sep 2002	US
Child	10654771		US
Parent	09881074	Jun 2001	US
Child	10251403		US
Parent	09881145	Jun 2001	US
Child	09881074		US

Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

US Classifications

Field of Search

US

International Classifications

Disclaimer

Abstract