Worm propagation mitigation

Information

  • Patent Application 20070226801
  • Publication Number
    20070226801
  • Date Filed
    March 21, 2006
  • Date Published
    September 27, 2007
Abstract
A system, method, and computer program product for identifying a worm are disclosed. The system, method, and computer product are configured to generate a signature for a computer worm by identifying a set of bits representing the signature, generate a first worm signature based on the signature, and generate a second worm signature based on the signature. The first worm signature is formatted for a first device and the second worm signature is formatted for a second, different device. The first worm signature and the second worm signature are different.
Description

DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a network including anomaly detection.
FIG. 2A is a block diagram depicting exemplary details of a worm detection system.
FIG. 2B is a block diagram depicting exemplary details of a worm signature distribution system.
FIG. 3 is a block diagram depicting an aggregator.
FIG. 4 is a flow chart of a mitigation process.
FIG. 5 is a flowchart of a worm detection and signature generation process.
FIG. 6 is a flow chart of a worm signature distribution process.
FIG. 7 is a block diagram of traffic attributes.
FIG. 8 is a flow chart of a worm detection process.
FIG. 9 is a flow chart of a signature detection process.
FIG. 10 is a flow chart of an anomaly detection process.
FIG. 11 is a flow chart of a tree generation process.
FIG. 12 is a flow chart of a connectedness determination process.
FIG. 13 is a flow chart of a signature consolidation process.
FIG. 14 is a block diagram of email traffic attributes.
FIG. 15 is a flow chart of an email-based worm detection process.
FIG. 16 is a flow chart of a signature detection process.
FIG. 17 is a flow chart of an anomaly detection process.
FIG. 18 is a flow chart of a signature consolidation process.

Claims
  • 1. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to: generate a signature for a computer worm by identifying a set of bits representing the worm; generate a first worm signature based on the generated signature, the first worm signature formatted for a first device; and generate a second worm signature based on the generated signature, the second worm signature formatted for a second, different device, with the first worm signature and the second worm signature being different.
  • 2. The computer program product of claim 1 further comprising instructions for causing a processor to: communicate the first worm signature to the first device; and communicate the second worm signature to the second device.
  • 3. The computer program product of claim 1 further comprising instructions for causing a processor to log the identified set of bits in a database.
  • 4. The computer program product of claim 1 wherein the first device is a device selected from the group consisting of a host based security device, an intrusion protection system, a firewall, a switch, and a router.
  • 5. The computer program product of claim 1 wherein the second device is a device selected from the group consisting of a host based security device, an intrusion protection system, a firewall, a switch, and a router.
  • 6. The computer program product of claim 1 wherein the instructions to generate the first worm signature and the instructions to generate the second worm signature comprise instructions to automatically generate the first and second worm signatures.
  • 7. The computer program product of claim 1 wherein the instructions to generate the first worm signature and the instructions to generate the second worm signature comprise instructions to generate the first and second worm signatures without human intervention.
  • 8. The computer program product of claim 1 wherein the first and second worm signatures comprise a set of instructions for causing the first and second device to mitigate a packet.
  • 9. The computer program product of claim 1 wherein the instructions to identify the set of bits representing the signature for the computer worm comprise instructions to: receive packet payload data; and analyze the packet payload data to identify recurring sets of bits.
  • 10. An intrusion detection system, comprising: a system configured to: analyze packet payloads and to generate a signature for a computer worm by identifying a set of bits representing the signature; generate a first worm signature based on the signature, the first worm signature being formatted for a first device; and generate a second worm signature based on the signature, the second worm signature being formatted for a second, different device, with the first worm signature and the second worm signature being different.
  • 11. The intrusion detection system of claim 10, wherein the system is further configured to: communicate the first worm signature to the first device; and communicate the second worm signature to the second device.
  • 12. The intrusion detection system of claim 10, further comprising: a database; and a processor configured to log the identified set of bits in a database.
  • 13. The intrusion detection system of claim 10 wherein at least one of the first device and the second device comprises a device selected from the group consisting of a host based security device, an intrusion protection system, a firewall, a switch, and a router.
  • 14. A method comprising: generating a signature for a computer worm by identifying a set of bits representing the signature; generating a first worm signature based on the signature, the first worm signature being formatted for a first device; and generating a second worm signature based on the signature, the second worm signature being formatted for a second, different device, with the first worm signature and the second worm signature being different.
  • 15. The method of claim 14 further comprising: communicating the first worm signature to the first device; and communicating the second worm signature to the second device.
  • 16. The method of claim 14 further comprising logging the identified set of bits in a database.
  • 17. The method of claim 14 wherein at least one of the first device and the second device comprises a device selected from the group consisting of a host based security device, an intrusion protection system, a firewall, a switch, and a router.
  • 18. The method of claim 14 wherein the first and second worm signatures comprise a set of instructions for causing the first and second device to mitigate a packet.
  • 19. The method of claim 14 further comprising: receiving packet payload data; and analyzing the packet payload data to identify recurring sets of bits.
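The claimed pipeline as an added Python example, not the patent's own code: it finds the longest byte run shared by at least three captured payloads and absent from known-good traffic (claims 9 and 19), logs those bits in a database (claims 3 and 16), and emits two different device-specific signatures from the same bits (claims 1 and 14). The sample payloads, the benign corpus, the Snort-style rule text used for the first device and the JSON record used for the second are all assumptions; the patent specifies neither format.

```python
import sqlite3

# Constructed sample traffic (not from the patent): three packets carry the same
# recurring byte run; the last is an ordinary request.
SAMPLE_PAYLOADS = [
    b"GET /a HTTP/1.0\r\n\xde\xad\xbe\xefREPLICATE-MARKER\r\n",
    b"POST /b HTTP/1.0\r\nX: 1\r\n\xde\xad\xbe\xefREPLICATE-MARKER x\r\n",
    b"GET /c HTTP/1.0\r\n\xde\xad\xbe\xefREPLICATE-MARKER\r\n\r\n",
    b"GET /about HTTP/1.0\r\nHost: example\r\n\r\n",
]
BENIGN_CORPUS = [b"GET / HTTP/1.0\r\nHost: a\r\n\r\n"]  # constructed known-good traffic

def recurring_bits(payloads, benign=(), min_len=8, min_count=3):
    """Longest byte run present in >= min_count payloads and absent from every
    benign payload (claims 9 and 19: find recurring sets of bits in payload data)."""
    best = b""
    for src in payloads:
        for i in range(len(src)):
            for j in range(i + min_len, len(src) + 1):
                cand = src[i:j]
                if sum(cand in p for p in payloads) < min_count:
                    break  # a longer run from offset i cannot recur more often
                if len(cand) > len(best) and not any(cand in b for b in benign):
                    best = cand
    return best

def ips_signature(bits, sid):
    """First device format: a Snort-style content rule (an assumed IPS format)."""
    hex_bytes = " ".join(f"{b:02x}" for b in bits)
    return (f'alert tcp any any -> any any (msg:"auto worm sig {sid}"; '
            f'content:"|{hex_bytes}|"; sid:{sid}; rev:1;)')

def host_signature(bits, sid):
    """Second device format: a record for a hypothetical host-based agent's JSON API."""
    return {"id": sid, "action": "drop", "pattern_hex": bits.hex(), "length": len(bits)}

def log_bits(conn, bits, sid):
    """Claims 3 and 16: record the identified bits in a database; returns row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS worm_bits (sid INTEGER PRIMARY KEY, bits BLOB)")
    conn.execute("INSERT INTO worm_bits VALUES (?, ?)", (sid, bits))
    return conn.execute("SELECT COUNT(*) FROM worm_bits").fetchone()[0]

def generate_signatures(payloads, benign=(), sid=1000001):
    """Claims 1 and 14: one set of bits, two device-specific signatures that differ."""
    bits = recurring_bits(payloads, benign)
    if not bits:
        return None  # nothing recurring: emit no signature at all
    logged = log_bits(sqlite3.connect(":memory:"), bits, sid)
    return {"bits": bits, "logged": logged, "ips": ips_signature(bits, sid),
            "host": host_signature(bits, sid)}
```

Without the benign corpus the protocol's own request line (" HTTP/1.0\r\n") is itself a recurring run, which is why an automatically generated signature must be checked against known-good traffic before it is pushed to devices that will drop matching packets.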