Proactive worm containment (PWC) for enterprise networks

Assignee

• The Penn State Research Foundation · US

Inventors

• Peng Liu · San Diego, US
• Yoon Chan JHI · Seoul, KR
• Lunquan Li · Tangxia, CN

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1491
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives, including a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (or unblock) those mistakenly contained (or blocked) hosts, if there are any. The system integrates seamlessly with existing signature-based or filter-based worm scan filtering solutions. Nevertheless, the invention is signature free and does not rely on worm signatures. Nor is it protocol specific, as the approach performs containment consistently over a large range of worm scan rates. It is not sensitive to worm scan rate and, being a network-level approach deployed on a host, the system requires no changes to the host's OS, applications, or hardware.