Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses

- Stragent, LLC

A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Skip to: Description  ·  Claims  ·  References Cited  · Patent History  ·  Patent History
Description
RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 12/249,823, filed Oct. 10, 2008, which, in turn, is a continuation of U.S. patent application Ser. No. 10/654,771, filed Sep. 4, 2003, which, in turn, claims priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, all of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to network security and, more particularly, to systems and methods for detecting and/or preventing the transmission of malicious packets, such as polymorphic worms and viruses.

2. Description of Related Art

Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.

The ever-increasing number of computers, routers, and connections making up the Internet increases the number of vulnerable points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch, can be compromised and configured to place malicious packets onto the network.

One particularly troublesome type of attack is a self-replicating network-transferred computer program, such as a virus or worm, that is designed to annoy network users, deny network service by overloading the network, or damage target computers (e.g., by deleting files). A virus is a program that infects a computer or device by attaching itself to another program and propagating itself when that program is executed, possibly destroying files or wiping out memory devices. A worm, on the other hand, is a program that can make copies of itself and spread itself through connected systems, using up resources in affected computers or causing other damage.

Various defenses, such as e-mail filters, anti-virus programs, and firewall mechanisms, have been employed against viruses and worms. Unfortunately, many viruses and worms are polymorphic. Polymorphic viruses and worms include viruses and worms that deliberately have a different set of bytes in each copy, as opposed to being substantially similar in each copy, to make them difficult to detect. Detection techniques based on byte sequence comparison, including older virus-detection techniques, may be generally ineffective in detecting polymorphic viruses and worms.

Accordingly, there is a need for new defenses to thwart the attack of polymorphic viruses and worms.

SUMMARY OF THE INVENTION

Systems and methods consistent with the present invention address these and other needs by providing a new defense that attacks malicious packets, such as polymorphic viruses and worms, at their most common denominator (i.e., the need to transfer a copy of their code over a network to multiple target systems).

In accordance with an aspect of the invention as embodied and broadly described herein, a method for detecting transmission of potentially malicious packets is provided. The method includes receiving packets; generating hash values based on variable-sized blocks of the received packets; comparing the generated hash values to hash values associated with prior packets; and determining that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

In accordance with another aspect of the invention, a system for hampering transmission of potentially malicious packets is provided. The system includes means for observing packets, means for generating hash values based on variable-sized blocks of the observed packets, and means for comparing the generated hash values to hash values corresponding to prior packets. The system further includes means for identifying one of the observed packets as a potentially malicious packet when the generated hash values corresponding to the observed packet match the hash values corresponding to the prior packets, and means for hampering transmission of the observed packet when the observed packet is identified as a potentially malicious packet.

In accordance with yet another aspect of the invention, a device for detecting transmission of malicious packets is provided. The device includes a hash memory and a hash processor. The hash memory is configured to store information associated with hash values corresponding to prior packets. The hash processor is configured to observe a packet and generate one or more hash values based on variable-sized blocks of the packet. The hash processor is further configured to compare the one or more generated hash values to the hash values corresponding to the prior packets and identify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the prior packets.

In accordance with a further aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting blocks of received packet of random block sizes, and performing multiple different hash functions on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.

In accordance with another aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting multiple blocks of the received packet of different block sizes, and performing a different hash function on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.

In accordance with yet another aspect of the invention, a method for detecting files suspected of containing a virus or worm on a computer is provided. The method includes receiving one or more first hash values associated with the virus or worm, hashing one or more variable-sized portions of the files to generate second hash values, comparing the second hash values to the one or more first hash values, and identifying one of the files as a file suspected of containing the virus or worm when one or more of the second hash values correspond to at least one of the one or more first hash values.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is a diagram of a system in which systems and methods consistent with the present invention may be implemented;

FIG. 2 is an exemplary diagram of packet detection logic according to an implementation consistent with the principles of the invention;

FIGS. 3A-3C illustrate three possible data structures that may be used within the hash memory of FIG. 2 in implementations consistent with the principles of the invention; and

FIG. 4 is a flowchart of exemplary processing for detecting and/or preventing transmission of a malicious packet, such as a polymorphic virus or worm, according to an implementation consistent with the principles of the invention.

 DETAILED DESCRIPTION

The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.

Systems and methods consistent with the present invention provide mechanisms to detect and/or prevent the transmission of malicious packets. Malicious packets, as used herein, may include polymorphic viruses and worms, but may also apply to non-polymorphic viruses and worms and possibly other types of data with duplicated content, such as illegal mass e-mail (e.g., spam), that are repeatedly transmitted through a network.

Polymorphic viruses and worms are generally composed of two pieces: an obscured payload (which contains the majority of the virus/worm), and a decoding bootstrap that must be initially executable by the victim machine “as is,” and turns the obscured payload into the executable remainder of the virus/worm. The design of the polymorphic viruses and worms are such that the contents of the obscured payload are essentially undetectable (e.g., by strong encryption), leaving two basic ways to detect the virus/worm: (1) detect it after the decoding bootstrap has run, which is a technique employed by many of today's virus detection software; and (2) detect the decoding bootstrap in a manner consistent with the principles of the invention.

While the decoding bootstrap must be executable by the target machine, it does not have to be the exact same code for every copy of the virus/worm. In other words, it can be made arbitrarily variable, as long as the effect of executing it results in the decoding of the obscured payload.

The most sophisticated polymorphic viruses/worms employ techniques, such as the interspersal of “no-ops” or other code that does not affect the decoding process, but adds to the variability of the byte string making up the decoder bootstrap. Another technique includes changing details of instructions in the actual decoder code, such as changing which registers are employed by the decoding code, or stringing small code fragments together with “branch” or “jump” instructions, allowing the execution sequence of the instructions to be relatively independent of the sequence of bytes making up the decoder bootstrap. “Dead” code, or gibberish bytes, can also be inserted between active code segments strung together this way.

Thus, detecting the decoder bootstrap of a polymorphic virus/worm is a very difficult task. It is most difficult when only one copy of the virus/worm is examined. When many potential copies of the virus/worm can be observed, however, certain similarities between various copies will eventually emerge, because there are only a finite set of transformations that the decoding bootstrap can be put through and still function properly. This opens up the opportunity to detect such viruses/worms in places where many copies can be observed over time, such as in the network nodes (and links) through which they propagate.

Another vulnerability to detection that some e-mail-based viruses/worms have is that they require user interaction with the message carrying the virus/worm in order to be executed. Thus, they are often accompanied by a text message in the body of the e-mail that is designed to entice the user into performing the necessary action to execute the virus/worm (usually opening a file attached to the e-mail message). A polymorphic virus/worm could relatively easily change the e-mail text used in minor ways, but to make substantial changes would likely render the message incoherent to the receiver and, thus, either make him suspicious or unlikely to perform the action needed for the virus/worm to execute. Systems and methods consistent with the principles of the invention can also detect the text of the e-mail message as possibly related to a virus/worm attack.

Systems and methods consistent with the principles of the invention hash incoming packets, using a varying hash-block size, varying between a minimum and a maximum value. The hash block size may be chosen randomly within this interval for each block, but other methods of varying the block size could also be used, as long as the method was not easily predictable by an attacker.

This serves two purposes. First, it reduces the need to hash multiple copies of non-polymorphic viruses/worms for pretraining, because each packet would now have a finite chance of sharing a block with previous packets, rather than no chance, if it did not share a prior copy's alignment within a packet. Second, it allows relatively short sequences of bytes to be hashed sometimes, greatly improving the chances of catching a fixed segment of a polymorphic virus/worm.

Exemplary System Configuration

FIG. 1 is a diagram of an exemplary system 100 in which systems and methods consistent with the present invention may be implemented. System 100 includes autonomous systems (ASs) 110-140 connected to public network (PN) 150. Connections made in system 100 may be via wired, wireless, and/or optical communication paths. While FIG. 1 shows four autonomous systems connected to a single public network, there can be more or fewer systems and networks in other implementations consistent with the principles of the invention.

Public network 150 may include a collection of network devices, such as routers (R1-R5) or switches, that transfer data between autonomous systems, such as autonomous systems 110-140. In an implementation consistent with the present invention, public network 150 takes the form of the Internet, an intranet, a public telephone network, a wide area network (WAN), or the like.

An autonomous system is a network domain in which all network devices (e.g., routers) in the domain can exchange routing tables. Often, an autonomous system can take the form of a local area network (LAN), a WAN, a metropolitan area network (MAN), etc. An autonomous system may include computers or other types of communication devices (referred to as “hosts”) that connect to public network 150 via an intruder detection system (IDS); a firewall, one or more border routers, or a combination of these devices.

Autonomous system 110, for example, includes hosts (H) 111-113 connected in a LAN configuration. Hosts 111-113 connect to public network 150 via an intruder detection system (IDS) 114. Intruder detection system 114 may include a commercially-available device that uses rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an intruder detection system is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic.

Using a rule set, intruder detection system 114 monitors inbound traffic to autonomous system 110. When a suspicious pattern or event is detected, intruder detection system 114 may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying the malicious traffic, discarding packets corning from a particular source address, or discarding packets addressed to a particular destination.

Autonomous system 120 contains different devices from autonomous system 110. These devices aid autonomous system 120 in identifying and/or preventing the transmission of potentially malicious packets within autonomous system 120 and tracing the propagation of the potentially malicious packets through autonomous system 120 and, possibly, public network 150. While FIG. 1 shows only autonomous system 120 as containing these devices, other autonomous systems, including autonomous system 110, may include them.

Autonomous system 120 includes hosts (H) 121-123, intruder detection system (IDS) 124, and security server (SS) 125 connected to public network 150 via a collection of devices, such as security routers (SR11-SR14) 126-129. Hosts 121-123 may include computers or other types of communication devices connected, for example, in a LAN configuration. Intruder detection system 124 may be configured similar to intruder detection system 114.

Security server 125 may include a device, such as a general-purpose computer or a server, that performs source path identification when a malicious packet is detected by intruder detection system 124 or a security router 126-129. While security server 125 and intruder detection system 124 are shown as separate devices in FIG. 1, they can be combined into a single unit performing both intrusion detection and source path identification in other implementations consistent with the present invention.

Security routers 126-129 may include network devices, such as routers, that may detect and/or prevent the transmission of malicious packets and perform source path identification functions. Security routers 127-129 may include border routers for autonomous system 120 because these routers include connections to public network 150. As a result, security routers 127-129 may include routing tables for routers outside autonomous system 120.

FIG. 2 is an exemplary functional block diagram of packet detection logic 200 according to an implementation consistent with the principles of the invention. Packet detection logic 200 may be implemented within a device that taps one or more bidirectional links of a router, such as security routers 126-129, an intruder detection system, such as intruder detection systems 114 and 124, a security server, such as security server 125, a host, such as hosts 111-113 and 121-123, or another type of device. In another implementation, packet detection logic 200 may be implemented within one of these devices. In the discussion that follows, it may be assumed that packet detection logic 200 is implemented within a security router.

Packet detection logic 200 may include hash processor 210 and hash memory 220. Hash processor 210 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received packet and records the packet representations in hash memory 220.

A packet representation will likely not be a copy of the entire packet, but rather it may include a portion of the packet or some unique value representative of the packet. Because modern routers can pass gigabits of data per second, storing complete packets is not practical because memories would have to be prohibitively large. By contrast, storing a value representative of the contents of a packet uses memory in a much more efficient manner. By way of example, if incoming packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across blocks making up the content (or payload) of a packet in a manner that allows the entire packet to be identified.

To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across blocks of each packet. Then, the hash value may be stored in hash memory 220 or may be used as an index, or address, into hash memory 220. Using the hash value, or an index derived therefrom, results in efficient use of hash memory 220 while still allowing the content of each packet passing through packet detection logic 200 to be identified.

Systems and methods consistent with the present invention may use any storage scheme that records information about each packet in a space-efficient fashion, that can definitively determine if a packet has not been observed, and that can respond positively (i.e., in a predictable way) when a packet has been observed. Although systems and methods consistent with the present invention can use virtually any technique for deriving representations of packets, the remaining discussion will use hash values as exemplary representations of packets having passed through a participating router.

Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network.

According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed.

In one implementation consistent with the principles of the invention, hash processor 210 may perform three hashes covering each byte of the payload field. Thus, a hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments (to accommodate a common data-path granularity in high-speed network devices). At the start of the packet payload, hash processor 210 may select a random block size from this range and hash the block with the three different hash functions, or hash processor 210 may select a different block size for each hash function. In the former case, a new block size may be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. In the latter case, as each hash function completes its current block, it selects a random size for the next block it will hash.

Each hash value may be determined by taking an input block of data and processing it to obtain a numerical value that represents the given input data. Suitable hash functions are readily known in the art and will not be discussed in detail herein. Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5). The resulting hash value, also referred to as a message digest or hash digest, may include a fixed length value. The hash value may serve as a signature for the data over which it was computed. For example, incoming packets could have fixed hash value(s) computed over their content.

The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.

Hash processor 210 may store a representation of each packet it observes in hash memory 220. Hash processor 210 may store the actual hash values as the packet representations or it may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. A technique for minimizing storage requirements may use one or more bit arrays or Bloom filters.

Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, hash processor 210 may use the hash value as an index for addressing a bit array within hash memory 220. In other words, when hash processor 210 generates a hash value for a block of a packet, the hash value serves as the address location into the bit array. At the address corresponding to the hash value, one or more bits may be set at the respective location thus indicating that a particular hash value, and hence a particular data packet content, has been seen by hash processor 210. For example, using a 32-bit hash value provides on the order of 4.3 billion possible index values into the bit array. Storing one bit per block rather than storing the block itself, which can be 512 bits long, produces a compression factor of 1:512. While bit arrays are described by way of example, it will be appreciated by those skilled in the relevant art, that other storage techniques may be employed without departing from the spirit of the invention.

FIGS. 3A-3C illustrate three possible data structures that may be used within hash memory 220 in implementations consistent with the principles of the invention. As shown in FIG. 3A, hash memory 220 may include indicator fields 312 addressable by corresponding hash addresses 314. Hash addresses 314 may correspond to possible hash values generated by hash processor 210. Indicator field 312 may store one or more bits that indicate whether a packet block with the corresponding hash value has been observed by hash processor 210. In this case, a packet may be deemed suspicious if, during the hashing process, a significant number of the packet's hash values collide in hash memory 220. Shorter block sizes are more likely to be repeated in totally random traffic, leading to an increase in the generation of “false alarm” matches. To account for this, the threshold number of matches for “suspicion” may need to be configured somewhat higher.

As shown in FIG. 3B, hash memory 220 may alternatively include counter fields 322 addressable by corresponding hash addresses 314. Counter field 322 may record the number of occurrences of packet blocks with the corresponding hash value. Counter field 322 may be incremented on each hit. The more hits a counter receives, the more important the hit should be considered in determining the overall suspiciousness of the packet.

As shown in FIG. 3C, hash memory 220 may store additional information relating to a packet. For example, hash memory 220 may include link identifier (ID) fields 332 and status fields 334. Link ID field 332 may store information regarding the particular link upon which the packet arrived at packet detection logic 200. Status field 334 may store information to aid in monitoring the status of packet detection logic 200 or the link identified by link ID field 332.

Because shorter block sizes are more likely to be repeated in totally random traffic, another variation might include the use of different memories for different block sizes. Thus, a given count level for a shorter block size may be less reason for suspicion than the same count level found in a longer block size.

In an alternate implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store hash values corresponding to known malicious packets, such as known viruses and worms. Hash memory 220 may store these hash values separately from the hash values of observed packets. In this case, hash processor 210 may compare a hash value for a received packet to not only the hash values of previously observed packets, but also to hash values of known malicious packets.

In yet another implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store source addresses of known sources of legitimate duplicated content, such as packets from a multicast server, a popular page on a web server, an output from a mailing list “exploder” server, or the like. In this case, hash processor 210 may compare the source address for a received packet to the source addresses of known sources of legitimate duplicated content.

Over time, hash memory 220 may fill up and the possibility of overwriting an existing index value increases. The risk of overwriting an index value may be reduced if the bit array is periodically flushed to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. Alternatively, the bit array may be slowly and incrementally erased. To facilitate this, a time-table may be established for flushing/erasing the bit array. If desired, the flushing/erasing cycle can be reduced by computing hash values only for a subset of the packets passing through the router. While this approach reduces the flushing/erasing cycle, it increases the possibility that a target packet may be missed (i.e., a hash value is not computed over a portion of it).

When hash memory 220 includes counter fields 322, non-zero storage locations may be decremented periodically rather than being erased. This may ensure that the “random noise” from normal packets would not remain in the bit array indefinitely. Replicated traffic (e.g., from a virus/worm propagating repeatedly across the network), however, would normally cause the relevant storage locations to stay substantially above the “background noise” level.

Exemplary Processing for Malicious Packet Detection/Prevention

FIG. 4 is a flowchart of exemplary processing for detecting and/or preventing transmission of a malicious packet, such as a polymorphic virus or worm, according to an implementation consistent with the principles of the invention. The processing of FIG. 4 may be performed by packet detection logic 200 within a tap device, a security router, such as security router 126, an IDS, such as IDS 124, a LAN switch, or other devices configured to detect and/or prevent transmission of malicious packets. In other implementations, one or more of the described acts may be performed by other systems or devices within system 100.

Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation.

In one implementation consistent with the principles of the invention, three hashes may be performed covering each byte of the payload field. A hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments. At the start of the packet payload, a random block size may be selected from this range and the block may be hashed with the three different hash functions. A new block size may then be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. Alternatively, a different block size may be selected for each hash function. In this case, as each hash function completes its current block, it selects a random size for the next block it will hash.

Hash processor 210 may optionally compare the generated hash value(s) to hash values of known viruses and/or worms within hash memory 220 (act 415). In this case, hash memory 220 may be preprogrammed to store hash values corresponding to known viruses and/or worms. If one or more of the generated hash values match one of the hash values of known viruses and/or worms, hash processor 210 may take remedial actions (acts 420 and 425). The remedial actions may include raising a warning for a human operator, delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping the packet and possibly other packets originating from the same Internet Protocol (IP) address as the packet, sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing complete transmission of the packet, disconnecting the link on which the packet was received, and/or corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet). Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.

If the generated hash value(s) do not match any of the hash values of known viruses and/or worms, or if such a comparison was not performed, hash processor 210 may optionally determine whether the packet's source address indicates that the packet was sent from a legitimate source of duplicated packet content (i.e., a legitimate “replicator”) (act 430). For example, hash processor 210 may maintain a list of legitimate replicators in hash memory 220 and check the source address of the packet with the addresses of legitimate replicators on the list. If the packet's source address matches the address of one of the legitimate replicators, then hash processor 210 may end processing of the packet. For example, processing may return to act 405 to await receipt of the next packet.

Otherwise, hash processor 210 may record the generated hash value(s) in hash memory 220 (act 435). For example, hash processor 210 may set the one or more bits stored in indicator field 312 (FIGS. 3A-3C) or increment the count value in counter field 322 (FIGS. 3B and 3C), corresponding to each of the generated hash values, to indicate that the corresponding packet was observed by hash processor 210.

Hash processor 210 may then determine whether any prior packets with the same hash value(s) have been received (act 440). For example, hash processor 210 may use each of the generated hash value(s) as an address into hash memory 220. Hash processor 210 may then examine indicator field 312 at each address to determine whether the one or more bits stored therein indicate that a prior packet has been received. Alternatively, hash processor 210 may examine counter field 322 to determine whether the count value indicates that a prior packet has been received.

If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet. If hash processor 210 determines that a prior packet has been observed with the same hash value, however, hash processor 210 may determine whether the packet is potentially malicious (act 445). Hash processor 210 may use a set of rules to determine whether to identify a packet as potentially malicious. For example, the rules might specify that more than x (where x>1) packets with the same hash value have to be observed by hash processor 210 before the packets are identified as potentially malicious. The rules might also specify that these packets have to have been observed by hash processor 210 within a specified period of time of one another. The reason for the latter rule is that, in the case of malicious packets, such as polymorphic viruses and worms, multiple packets will likely pass through packet detection logic 200 within a short period of time.

A packet may contain multiple hash blocks that partially match hash blocks associated with prior packets. For example, a packet that includes multiple hash blocks may have somewhere between one and all of its hashed content blocks match hash blocks associated with prior packets. The rules might specify the number of blocks and/or the number and/or length of sequences of blocks that need to match before hash processor 210 identifies the packet as potentially malicious. The rules might differ for different block sizes.

When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet. When hash processor 210 determines that the packet may be malicious, however, hash processor 210 may take remedial actions (act 450). In some cases, it may not be possible to determine whether the packet is actually malicious because there is some probability that there was a false match or a legitimate replication. As a result, hash processor 210 may determine the probability of the packet actually being malicious based on information gathered by hash processor 210.

The remedial actions may include raising a warning for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious. This may greatly slow the spread rate of a virus or worm without completely stopping legitimate traffic that happened to match a suspect profile.

Once a malicious packet, such as a polymorphic virus or worm, has been identified, the path taken by the malicious packet may be traced. To do this, processing similar to that described in U.S. patent application Ser. No. 10/251,403, from which this application claims priority and which has been previously incorporated by reference, may be performed.

CONCLUSION

Systems and methods consistent with the present invention provide mechanisms to detect and/or prevent transmission of malicious packets, such as polymorphic viruses and worms.

Systems and methods consistent with the principles of the invention detect polymorphic viruses and worms with some finite probability, which may depend on the size of the decoder bootstrap code segment and the techniques used to obscure it (such as code rearrangement and the insertion of gibberish bytes). Also, the number of virus and worm examples that must be seen before detection becomes probable depends on the threshold settings, the degree to which different copies of the virus/worm resemble each other, the minimum hash block size used, and the rate at which copies arrive. Essentially, what happens is that short code sequences of the virus/worm decoder bootstrap will occasionally be in a single hash block, without any of the obscuring “cover” of gibberish bytes.

If the bootstrap is only obscured by inserted no-ops or irrelevant code sequences, packet detection logic 200 may eventually see samples of all variants of these in various lengths, and also in conjunction with the active code, and will actually recognize the virus/worm more easily, though usually after seeing many samples.

In either case, some set of byte sequences commonly found in the virus/worm, and found much less commonly in other network traffic, may be detected often enough that these sequences will rise above the “noise” level of the data stored in hash memory 220 and, thus, be detectable. Not every packet containing the virus/worm decoder bootstrap, however, will be detected this way, since it may be that none of the hash blocks in the particular packet isolated the fixed, active code elements. Thus, systems and methods consistent with the principles of the invention may be used to provide a warning that a virus/worm is potentially propagating and capture suspicious packets for human analysis.

Non-polymorphic viruses and worms may also be detected somewhat more quickly by these techniques because block alignment is not the same in every packet and partial matches will be more common early in the appearance of the virus/worm in the network, at least for longer packets. The certainty of detection will be correspondingly lower. So, it may take somewhat more examples of the virus/worm to reach the same degree of certainty of detection of the virus/worm, as with the fixed-length hash blocks, due to the randomness introduced into the hash-sampling process.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.

For example, systems and methods have been described with regard to network-level devices. In other implementations, the systems and methods described herein may be used with a stand-alone device at the input or output of a network link or at other protocol levels, such as in mail relay hosts (e.g., Simple Mail Transfer Protocol (SMTP) servers).

To this regard, the variable-sized block hashing technique described previously can be used in conjunction with traditional host-based virus scanning software. For example, training data may be obtained from a network application and the hash memory contents may then be transmitted to one or more hosts to aid in looking for the suspected virus or worm on the host. In other words, the host may receive hash values associated with the suspected virus or worm from the network application. The host may hash one or more variable-sized portions of the files stored in its memory to generate hash values associated with these files. The host may compare the generated hash values to the hash values associated with the suspected virus or worm and identify one or more files that may contain the suspected virus or worm when the hash values match. The technique may be used as a prioritization stage to determine which files most likely contain a virus or worm. The virus scanning software could then use other, more expensive, techniques to scan these files.

The variable-sized block hashing technique may also be used in conjunction with network-based applications, where suspicious messages are delivered to a reassembly process and the resulting messages scanned by a more conventional (e.g., execution simulating) virus detector.

While a series of acts has been described with regard to the flowchart of FIG. 4, the order of the acts may differ in other implementations consistent with the principles of the invention. In addition, non-dependent acts may be performed concurrently.

Further, certain portions of the invention have been described as “logic” that performs one or more functions. This logic may include hardware, such as an ASIC or a FPGA, software, or a combination of hardware and software.

No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. The scope of the invention is defined by the claims and their equivalents.

Claims

1. In a network carrying a plurality of packets over at least one network link, the network including a first network component having memory and a processor and configured to store information in the memory about at least one of the plurality of packets, a method for detecting a target packet comprising:

receiving at least one of the plurality of packets over the link to obtain a received packet;
determining a representation of at least a portion of the received packet;
identifying a location in the memory;
associating a value with the location in the memory;
receiving a query message identifying a target packet at the first network component;
the first network component using the value associated with the location in the memory in processing the query message to determine if the target packet has been encountered;
creating a reply if the target packet has been encountered; and
the first network component making the reply available to the network if the target packet has been encountered;
wherein the reply is capable of being used as part of a method for locating an intrusion point of the target packet in the network.

2. The method of claim 1, wherein the making the reply available to the network includes forwarding the reply to a second network component.

3. The method of claim 2, wherein the second network component is a computer.

4. The method of claim 1, wherein the reply contains a network address for the first network component.

5. The method of claim 1, wherein the representation is determined over the entire received packet.

6. The method of claim 1, further comprising:

determining if the received packet has undergone a transformation, such transformation having occurred if a first hash value of at least a portion of the received packet computed at a first time is not equal to a second hash value of at least a portion of the received packet computed at a second time, the second time occurring after the first time.

7. The method of claim 1, wherein the network is an Internet Protocol (IP) network.

8. The method of claim 1, wherein the link is a wireless link.

9. The method of claim 1, wherein the first network component is a router.

10. In a network carrying a plurality of packets over at least one link, the network including a network component operatively coupled to the link and having a memory and a processor, a method for storing information about a plurality of packets received over the network, at least a portion of the information being used to locate an intrusion point for a first one of the plurality of packets, the method comprising:

receiving the first one of the plurality of packets;
determining a first representation of the first one of the plurality of packets over at least a portion thereof;
identifying a first location in the memory;
associating a value with the first location in the memory;
receiving a second one of the plurality of packets;
processing the second one of the plurality of packets to obtain information contained therein;
using the information contained in the second one of the plurality of packets to determine if the first one of the plurality of packets has been observed; and
making a reply available to the network, in response to receiving a query message identifying a target packet, if the information contained in the second one of the plurality of packets indicates that the first one of the plurality of packets has been observed, the reply capable of being used as part of a method for locating the intrusion point for the first one of the plurality of packets to assist in determining a source location of an intrusion point of the target packet in the network.

11. A system comprising:

a first interface for receiving at least one of a plurality of packets to obtain at least one received packet from a network;
a second interface for placing at least a subset of the at least one received packet onto a link;
a bus communicatively coupled to the first interface and the second interface;
a memory communicatively coupled to the bus, the memory for storing information about the at least one received packet in a machine-readable form;
a processor communicatively coupled to the bus and the memory, the processor configured for executing machine-readable instructions for processing the at least one received packet;
wherein the system is operable such that the memory is capable of storing the information in a form of one or more first representations for the at least one received packet, each of the one or more first representations determined from a corresponding one of the at least one received packet respectively;
wherein the system is operable to receive a query message including a second representation associated with a target packet in the network and use the stored one or more first representations in the memory in processing the query message to determine if the target packet has been encountered; and
wherein the system is operable to generate a reply after comparing the second representation to the stored one or more first representations; wherein the reply is capable of being used for locating an intrusion point associated with the target packet in the network.

12. The system of claim 11, wherein the first interface and the second interface are combined into a single bi-directional interface.

13. The system of claim 11, wherein the reply is made available to another network.

14. The system of claim 11, wherein the network is a wireless network.

15. The system of claim 11, wherein the network is an Internet Protocol (IP) network.

16. The system of claim 11, wherein the processor is an ASIC.

17. The system of claim 11, wherein the reply is a positive reply if the second representation matches at least one of the plurality of first representations.

18. The system of claim 11, wherein the reply is forwarded to those of a plurality of devices one hop away in the network.

19. The system of claim 11, wherein the system is operable such that the reply is forwarded to an isolation server responsive to operation of an intrusion detection system, for isolating a malicious packet.

20. The system of claim 19, wherein the system is operable such that the reply is related to building a trace of potential paths taken by the malicious packet.

21. The system of claim 11, wherein the system is operable such that the first representations include hash values.

22. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for establishing a bit map of the first representations representative of the at least one received packet.

23. The system of claim 11, wherein the system is operable such that the second representation is a hash of at least a portion of the at least one received packet.

24. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for determining whether a target packet has been encountered in the network.

25. The system of claim 24, wherein the system is operable such that the determining is accomplished using a source path isolation technique.

26. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a breadth-first search.

27. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a depth-first search.

28. The system of claim 11, wherein the reply is used to determine a point of entry of at least one target packet.

29. The system of claim 28, wherein the at least one target packet is a malicious packet.

30. The system of claim 11, wherein the information includes a time-of-arrival.

31. The system of claim 11, wherein the information includes encapsulation link information.

32. The system of claim 11, wherein the comparing the second representation to the one or more of the plurality of first representations includes using a bit map of hash values representative of the one or more of the plurality of first representations.

33. The system of claim 11, wherein the reply includes an address of a router.

34. The system of claim 33, wherein the router is the system.

35. The system of claim 11, wherein the reply includes information about observed packets.

36. The system of claim 11, wherein the reply includes information about transformed packets.

37. The system of claim 36, wherein the transformed packets have passed through the system.

38. The system of claim 11, wherein the system is operable to receive at least one executable instruction for instructing the system to modify the operation of the system, and wherein the at least one executable instruction facilitates a response to network intrusion.

Referenced Cited
U.S. Patent Documents
3956615 May 11, 1976 Anderson et al.
4104721 August 1, 1978 Markstein et al.
4177510 December 4, 1979 Appell et al.
4200770 April 29, 1980 Hellman et al.
4289930 September 15, 1981 Connolly et al.
4384325 May 17, 1983 Slechta, Jr. et al.
4386233 May 31, 1983 Smid et al.
4386416 May 31, 1983 Giltner et al.
4405829 September 20, 1983 Rivest et al.
4442484 April 10, 1984 Childs, Jr. et al.
4532588 July 30, 1985 Foster
4584639 April 22, 1986 Hardy
4590470 May 20, 1986 Koenig
4607137 August 19, 1986 Jansen et al.
4621321 November 4, 1986 Boebert et al.
4641274 February 3, 1987 Swank
4648031 March 3, 1987 Jenner
4701840 October 20, 1987 Boebert et al.
4710763 December 1, 1987 Franke et al.
4713753 December 15, 1987 Boebert et al.
4713780 December 15, 1987 Schultz et al.
4754428 June 28, 1988 Schultz et al.
4837798 June 6, 1989 Cohen et al.
4853961 August 1, 1989 Pastor
4864573 September 5, 1989 Horsten
4868877 September 19, 1989 Fischer
4870571 September 26, 1989 Frink
4885789 December 5, 1989 Burger et al.
4910774 March 20, 1990 Barakat
4914568 April 3, 1990 Kodosky et al.
4926480 May 15, 1990 Chaum
4947430 August 7, 1990 Chaum
4951196 August 21, 1990 Jackson
4975950 December 4, 1990 Lentz
4979210 December 18, 1990 Nagata et al.
4996711 February 26, 1991 Chaum
5005200 April 2, 1991 Fischer
5008814 April 16, 1991 Mathur
5020059 May 28, 1991 Gorin et al.
5051886 September 24, 1991 Kawaguchi et al.
5054096 October 1, 1991 Beizer
5070528 December 3, 1991 Hawe et al.
5093914 March 3, 1992 Coplien et al.
5105184 April 14, 1992 Pirani et al.
5119465 June 2, 1992 Jack et al.
5124984 June 23, 1992 Engel
5144557 September 1, 1992 Wang et al.
5144659 September 1, 1992 Jones
5144660 September 1, 1992 Rose
5144665 September 1, 1992 Takaragi et al.
5153918 October 6, 1992 Tuai
5164988 November 17, 1992 Matyas et al.
5167011 November 24, 1992 Priest
5191611 March 2, 1993 Lang
5200999 April 6, 1993 Matyas et al.
5204961 April 20, 1993 Barlow
5210795 May 11, 1993 Lipner et al.
5210824 May 11, 1993 Putz et al.
5210825 May 11, 1993 Kavaler
5214702 May 25, 1993 Fischer
5224163 June 29, 1993 Gasser et al.
5226080 July 6, 1993 Cole et al.
5228083 July 13, 1993 Lozowick et al.
5235642 August 10, 1993 Wobber et al.
5239466 August 24, 1993 Morgan et al.
5241594 August 31, 1993 Kung
5247661 September 21, 1993 Hager et al.
5263147 November 16, 1993 Francisco et al.
5263157 November 16, 1993 Janis
5265163 November 23, 1993 Golding et al.
5265164 November 23, 1993 Matyas et al.
5267313 November 30, 1993 Hirata
5272754 December 21, 1993 Boerbert
5276735 January 4, 1994 Boebert et al.
5276736 January 4, 1994 Chaum
5276737 January 4, 1994 Micali
5276869 January 4, 1994 Forrest et al.
5276901 January 4, 1994 Howell et al.
5278901 January 11, 1994 Shieh et al.
5280527 January 18, 1994 Gullman et al.
5283887 February 1, 1994 Zachery
5293250 March 8, 1994 Okumura et al.
5299263 March 29, 1994 Beller et al.
5303303 April 12, 1994 White
5305385 April 19, 1994 Schanning et al.
5311591 May 10, 1994 Fischer
5311593 May 10, 1994 Carmi
5313521 May 17, 1994 Torii et al.
5313637 May 17, 1994 Rose
5315657 May 24, 1994 Abadi et al.
5315658 May 24, 1994 Micali
5319776 June 7, 1994 Hile et al.
5325370 June 28, 1994 Cleveland et al.
5329623 July 12, 1994 Smith et al.
5333266 July 26, 1994 Boaz et al.
5341426 August 23, 1994 Barney et al.
5347578 September 13, 1994 Duxbury
5351293 September 27, 1994 Michener et al.
5355472 October 11, 1994 Lewis
5355474 October 11, 1994 Thuraisngham et al.
5359659 October 25, 1994 Rosenthal
5361002 November 1, 1994 Casper
5367621 November 22, 1994 Cohen et al.
5371794 December 6, 1994 Diffie et al.
5377354 December 27, 1994 Scannell et al.
5379340 January 3, 1995 Overend et al.
5379374 January 3, 1995 Ishizaki et al.
5386470 January 31, 1995 Carter et al.
5388189 February 7, 1995 Kung
5404231 April 4, 1995 Bloomfield
5406557 April 11, 1995 Baudoin
5406628 April 11, 1995 Beller et al.
5410326 April 25, 1995 Goldstein
5414650 May 9, 1995 Hekhuis
5414833 May 9, 1995 Hershey et al.
5416842 May 16, 1995 Aziz
5418908 May 23, 1995 Keller et al.
5424724 June 13, 1995 Williams et al.
5432932 July 11, 1995 Chen et al.
5436972 July 25, 1995 Fischer
5440723 August 8, 1995 Arnold et al.
5455828 October 3, 1995 Zisapel
5479411 December 26, 1995 Klein
5481312 January 2, 1996 Cash et al.
5481613 January 2, 1996 Ford et al.
5483466 January 9, 1996 Kawahara et al.
5485409 January 16, 1996 Gupta et al.
5485460 January 16, 1996 Schrier et al.
5491750 February 13, 1996 Bellare et al.
5495610 February 27, 1996 Shing et al.
5499294 March 12, 1996 Friedman
5504454 April 2, 1996 Daggett et al.
5509074 April 16, 1996 Choudhury et al.
5511122 April 23, 1996 Atkinson
5511163 April 23, 1996 Lerche et al.
5513126 April 30, 1996 Harkins et al.
5513323 April 30, 1996 Williams et al.
5521910 May 28, 1996 Matthews
5530852 June 25, 1996 Meske, Jr. et al.
5535276 July 9, 1996 Ganesan
5537533 July 16, 1996 Staheli et al.
5539824 July 23, 1996 Bjorklund et al.
5541993 July 30, 1996 Fan et al.
5544320 August 6, 1996 Konrad
5548646 August 20, 1996 Aziz et al.
5550984 August 27, 1996 Gelb
5550994 August 27, 1996 Tashiro et al.
5553145 September 3, 1996 Micali
5555309 September 10, 1996 Kruys
5557346 September 17, 1996 Lipner et al.
5557742 September 17, 1996 Smaha et al.
5557765 September 17, 1996 Lipner et al.
5561703 October 1, 1996 Arledge et al.
5564106 October 8, 1996 Puhl et al.
5566170 October 15, 1996 Bakke et al.
5572590 November 5, 1996 Chess
5572643 November 5, 1996 Judson
5577209 November 19, 1996 Boyle et al.
5583940 December 10, 1996 Vidrascu et al.
5583995 December 10, 1996 Gardner et al.
5586260 December 17, 1996 Hu
5602918 February 11, 1997 Chen et al.
5604490 February 18, 1997 Blakley, III et al.
5606668 February 25, 1997 Shwed
5608819 March 4, 1997 Ikeuchi
5608874 March 4, 1997 Ogawa et al.
5615340 March 25, 1997 Dai et al.
5619648 April 8, 1997 Canale et al.
5621579 April 15, 1997 Yuen
5621889 April 15, 1997 Lermuzeaux et al.
5623598 April 22, 1997 Voigt et al.
5623600 April 22, 1997 Ji et al.
5623601 April 22, 1997 Vu
5623637 April 22, 1997 Jones et al.
5625695 April 29, 1997 M'Raihi et al.
5627977 May 6, 1997 Hickey et al.
5629982 May 13, 1997 Micali
5631961 May 20, 1997 Mills et al.
5632011 May 20, 1997 Landfield et al.
5636371 June 3, 1997 Yu
5638487 June 10, 1997 Chigier
5640454 June 17, 1997 Lipner et al.
5644404 July 1, 1997 Hashimoto et al.
5644571 July 1, 1997 Seaman
5647000 July 8, 1997 Leighton
5649095 July 15, 1997 Cozza
5655081 August 5, 1997 Bonnell et al.
5657461 August 12, 1997 Harkins et al.
5666416 September 9, 1997 Micali
5666530 September 9, 1997 Clark et al.
5671279 September 23, 1997 Elgamal
5673322 September 30, 1997 Pepe et al.
5675507 October 7, 1997 Bobo, II
5675733 October 7, 1997 Williams
5677955 October 14, 1997 Doggett et al.
5684951 November 4, 1997 Goldman et al.
5687235 November 11, 1997 Perlman et al.
5689565 November 18, 1997 Spies et al.
5689566 November 18, 1997 Nguyen
5694616 December 2, 1997 Johnson et al.
5696822 December 9, 1997 Nachenberg
5699431 December 16, 1997 Van Oorschot et al.
5699513 December 16, 1997 Feigen et al.
5706442 January 6, 1998 Anderson et al.
5706507 January 6, 1998 Schloss
5708780 January 13, 1998 Levergood et al.
5708826 January 13, 1998 Ikeda et al.
5710883 January 20, 1998 Hong et al.
5717757 February 10, 1998 Micali
5717758 February 10, 1998 Micali
5724428 March 3, 1998 Rivest
5724512 March 3, 1998 Winterbottom
5727156 March 10, 1998 Herr-Hoyman et al.
5740231 April 14, 1998 Cohn et al.
5742759 April 21, 1998 Nessett et al.
5742769 April 21, 1998 Lee et al.
5745573 April 28, 1998 Lipner et al.
5745574 April 28, 1998 Muftic
5751956 May 12, 1998 Kirsch
5758343 May 26, 1998 Vigil et al.
5761531 June 2, 1998 Ohmura et al.
5764906 June 9, 1998 Edelstein et al.
5765030 June 9, 1998 Nachenberg et al.
5768388 June 16, 1998 Goldwasser et al.
5768528 June 16, 1998 Stumm
5769942 June 23, 1998 Maeda
5771348 June 23, 1998 Kubatzki et al.
5778372 July 7, 1998 Cordell et al.
5781729 July 14, 1998 Baker et al.
5781735 July 14, 1998 Southard
5781857 July 14, 1998 Hwang et al.
5781901 July 14, 1998 Kuzma
5790664 August 4, 1998 Coley et al.
5790789 August 4, 1998 Suarez
5790790 August 4, 1998 Smith et al.
5790793 August 4, 1998 Higley
5790856 August 4, 1998 Lillich
5793763 August 11, 1998 Mayes et al.
5793868 August 11, 1998 Micali
5793954 August 11, 1998 Baker et al.
5793972 August 11, 1998 Shane
5796830 August 18, 1998 Johnson et al.
5796942 August 18, 1998 Esbensen
5796948 August 18, 1998 Cohen
5798706 August 25, 1998 Kraemer et al.
5799083 August 25, 1998 Brothers et al.
5801700 September 1, 1998 Ferguson
5802178 September 1, 1998 Holden et al.
5802277 September 1, 1998 Cowlard
5802371 September 1, 1998 Meier
5805719 September 8, 1998 Pare, Jr. et al.
5805801 September 8, 1998 Holloway et al.
5812398 September 22, 1998 Nielsen
5812763 September 22, 1998 Teng
5812776 September 22, 1998 Gifford
5812844 September 22, 1998 Jones et al.
5815573 September 29, 1998 Johnson et al.
5815657 September 29, 1998 Williams et al.
5821398 October 13, 1998 Speirs et al.
5822526 October 13, 1998 Waskiewicz
5822527 October 13, 1998 Post
5826013 October 20, 1998 Nachenberg
5826014 October 20, 1998 Coley et al.
5826022 October 20, 1998 Nielsen
5826029 October 20, 1998 Gore, Jr. et al.
5828832 October 27, 1998 Holden et al.
5828893 October 27, 1998 Wied et al.
5832208 November 3, 1998 Chen et al.
5835087 November 10, 1998 Herz et al.
5835090 November 10, 1998 Clark et al.
5835600 November 10, 1998 Rivest
5835758 November 10, 1998 Nochur et al.
5842216 November 24, 1998 Anderson et al.
5845084 December 1, 1998 Cordell et al.
5850442 December 15, 1998 Muftic
5852665 December 22, 1998 Gressel et al.
5855020 December 1998 Kirsch
5857022 January 5, 1999 Sudia
5859966 January 12, 1999 Hayman et al.
5860068 January 12, 1999 Cook
5862325 January 19, 1999 Reed et al.
5864667 January 26, 1999 Barkan
5864683 January 26, 1999 Boebert et al.
5864852 January 26, 1999 Luotonen
5872844 February 16, 1999 Yacobi
5872849 February 16, 1999 Sudia
5872931 February 16, 1999 Chivaluri
5878230 March 2, 1999 Weber et al.
5884033 March 16, 1999 Duvall et al.
5889943 March 30, 1999 Ji et al.
5892825 April 6, 1999 Mages et al.
5892903 April 6, 1999 Klaus
5892904 April 6, 1999 Atkinson et al.
5893114 April 6, 1999 Hashimoto et al.
5896499 April 20, 1999 McKelvey
5898830 April 27, 1999 Wesinger, Jr. et al.
5898836 April 27, 1999 Freivald et al.
5901227 May 4, 1999 Perlman
5903651 May 11, 1999 Kocher
5903723 May 11, 1999 Beck et al.
5903882 May 11, 1999 Asay et al.
5905859 May 18, 1999 Holloway et al.
5907618 May 25, 1999 Gennaro et al.
5907620 May 25, 1999 Klemba et al.
5911776 June 15, 1999 Guck
5912972 June 15, 1999 Barton
5919257 July 6, 1999 Trostle
5919258 July 6, 1999 Kayashima et al.
5920630 July 6, 1999 Wertheimer et al.
5922074 July 13, 1999 Richard et al.
5923846 July 13, 1999 Gage et al.
5923885 July 13, 1999 Johnson et al.
5928329 July 27, 1999 Clark et al.
5930479 July 27, 1999 Hall
5933478 August 3, 1999 Ozaki et al.
5933498 August 3, 1999 Schneck et al.
5933647 August 3, 1999 Aronberg et al.
5937066 August 10, 1999 Gennaro et al.
5937164 August 10, 1999 Mages et al.
5940591 August 17, 1999 Boyle et al.
5941998 August 24, 1999 Tillson
5946679 August 31, 1999 Ahuja et al.
5948062 September 7, 1999 Tzelnic et al.
5948104 September 7, 1999 Gluck et al.
5950195 September 7, 1999 Stockwell et al.
5951644 September 14, 1999 Creemer
5951698 September 14, 1999 Chen et al.
5956403 September 21, 1999 Lipner et al.
5956481 September 21, 1999 Walsh et al.
5958005 September 28, 1999 Thorne et al.
5958010 September 28, 1999 Agarwal et al.
5959976 September 28, 1999 Kuo
5960170 September 28, 1999 Chen et al.
5963915 October 5, 1999 Kirsch
5964889 October 12, 1999 Nachenberg
5970248 October 19, 1999 Meier
5974141 October 26, 1999 Saito
5978799 November 2, 1999 Hirsch
5983012 November 9, 1999 Bianchi et al.
5983228 November 9, 1999 Kobayashi et al.
5987606 November 16, 1999 Cirasole et al.
5987609 November 16, 1999 Hasebe
5991406 November 23, 1999 Lipner et al.
5991807 November 23, 1999 Schmidt et al.
5991879 November 23, 1999 Still
5991881 November 23, 1999 Conklin et al.
5996011 November 30, 1999 Humes
5996077 November 30, 1999 Williams
5999723 December 7, 1999 Nachenberg
5999932 December 7, 1999 Paul
5999967 December 7, 1999 Sundsted
6000041 December 7, 1999 Baker et al.
6003027 December 14, 1999 Prager
6006329 December 21, 1999 Chi
6009103 December 28, 1999 Woundy
6009274 December 28, 1999 Fletcher et al.
6009462 December 28, 1999 Birrell et al.
6012144 January 4, 2000 Pickett
6014651 January 11, 2000 Crawford
6021510 February 1, 2000 Nachenberg
6023723 February 8, 2000 McCormick et al.
6026414 February 15, 2000 Anglin
6029256 February 22, 2000 Kouznetsov
6035423 March 7, 2000 Hodges et al.
6038233 March 14, 2000 Hamamoto et al.
6049789 April 11, 2000 Frison et al.
6052531 April 18, 2000 Waldin, Jr. et al.
6052709 April 18, 2000 Paul
6052788 April 18, 2000 Wesinger, Jr. et al.
6055519 April 25, 2000 Kennedy et al.
6058381 May 2, 2000 Nelson
6058482 May 2, 2000 Liu
6061448 May 9, 2000 Smith et al.
6061722 May 9, 2000 Lipa et al.
6067410 May 23, 2000 Nachenberg
6070243 May 30, 2000 See et al.
6072942 June 6, 2000 Stockwell et al.
6073140 June 6, 2000 Morgan et al.
6075863 June 13, 2000 Krishnan et al.
6078929 June 20, 2000 Rao
6085320 July 4, 2000 Kaliski, Jr.
6088803 July 11, 2000 Tso et al.
6088804 July 11, 2000 Hill et al.
6092067 July 18, 2000 Girling et al.
6092102 July 18, 2000 Wagner
6092114 July 18, 2000 Shaffer et al.
6092191 July 18, 2000 Shimbo et al.
6092194 July 18, 2000 Touboul
6092201 July 18, 2000 Turnbull et al.
6094277 July 25, 2000 Toyoda
6094731 July 25, 2000 Waldin et al.
6097811 August 1, 2000 Micali
6104500 August 15, 2000 Alam et al.
6108683 August 22, 2000 Kamada et al.
6108688 August 22, 2000 Nielsen
6108691 August 22, 2000 Lee et al.
6108786 August 22, 2000 Knowlson
6112181 August 29, 2000 Shear et al.
6118856 September 12, 2000 Paarsmarkt et al.
6119137 September 12, 2000 Smith et al.
6119142 September 12, 2000 Kosaka
6119157 September 12, 2000 Traversat et al.
6119165 September 12, 2000 Li et al.
6119230 September 12, 2000 Carter
6119231 September 12, 2000 Foss et al.
6119236 September 12, 2000 Shipley
6122661 September 19, 2000 Stedman et al.
6123737 September 26, 2000 Sadowsky
6134550 October 17, 2000 Van Oorschot et al.
6134551 October 17, 2000 Aucsmith
6138254 October 24, 2000 Voshell
6141695 October 31, 2000 Sekiguchi et al.
6141778 October 31, 2000 Kane et al.
6144744 November 7, 2000 Smith, Sr. et al.
6145083 November 7, 2000 Shaffer et al.
6151643 November 21, 2000 Cheng et al.
6151675 November 21, 2000 Smith
6154769 November 28, 2000 Cherkasova et al.
6154844 November 28, 2000 Touboul et al.
6154879 November 2000 Pare et al.
6161130 December 12, 2000 Horvitz et al.
6161137 December 12, 2000 Ogdon et al.
6167407 December 26, 2000 Nachenberg et al.
6167438 December 26, 2000 Yates et al.
6169969 January 2, 2001 Cohen
6178242 January 23, 2001 Tsuria
6178509 January 23, 2001 Nardone et al.
6182142 January 30, 2001 Win et al.
6182226 January 30, 2001 Reid et al.
6185678 February 6, 2001 Arbaugh et al.
6185682 February 6, 2001 Tang
6185689 February 6, 2001 Todd, Sr. et al.
6192360 February 20, 2001 Dumais et al.
6192407 February 20, 2001 Smith et al.
6199102 March 6, 2001 Cobb
6202157 March 13, 2001 Brownlie et al.
6215763 April 10, 2001 Doshi et al.
6216265 April 10, 2001 Roop et al.
6219706 April 17, 2001 Fan et al.
6219714 April 17, 2001 Inhwan et al.
6223094 April 24, 2001 Muehleck et al.
6223172 April 24, 2001 Hunter et al.
6223213 April 24, 2001 Cleron et al.
6226666 May 1, 2001 Chang et al.
6230190 May 8, 2001 Edmonds et al.
6230194 May 8, 2001 Frailong et al.
6230266 May 8, 2001 Perlman et al.
6233577 May 15, 2001 Ramasubramani et al.
6240401 May 29, 2001 Oren et al.
6243815 June 5, 2001 Antur et al.
6249575 June 19, 2001 Heilmann et al.
6249585 June 19, 2001 McGrew et al.
6249807 June 19, 2001 Shaw et al.
6253337 June 26, 2001 Maloney et al.
6260043 July 10, 2001 Puri et al.
6260142 July 10, 2001 Thakkar et al.
6266337 July 24, 2001 Marco
6266668 July 24, 2001 Vanderveldt et al.
6266692 July 24, 2001 Greenstein
6266700 July 24, 2001 Baker et al.
6266774 July 24, 2001 Sampath et al.
6269380 July 31, 2001 Terry et al.
6269447 July 31, 2001 Maloney et al.
6269456 July 31, 2001 Hodges et al.
6272532 August 7, 2001 Feinleib
6272632 August 7, 2001 Carman et al.
6275937 August 14, 2001 Hailpern et al.
6275942 August 14, 2001 Bernhard et al.
6275977 August 14, 2001 Nagai et al.
6279113 August 21, 2001 Vaidya
6279133 August 21, 2001 Vafai et al.
6282565 August 28, 2001 Shaw et al.
6285991 September 4, 2001 Powar
6289214 September 11, 2001 Backstrom
6292833 September 18, 2001 Liao et al.
6298445 October 2, 2001 Shostack et al.
6301668 October 9, 2001 Gleichauf et al.
6301699 October 9, 2001 Hollander et al.
6304898 October 16, 2001 Shiigi
6304904 October 16, 2001 Sathyanarayan et al.
6304973 October 16, 2001 Williams
6311207 October 30, 2001 Mighdoll et al.
6311273 October 30, 2001 Helbig et al.
6314190 November 6, 2001 Zimmermann
6317829 November 13, 2001 Van Oorschot
6320948 November 20, 2001 Heilmann et al.
6321267 November 20, 2001 Donaldson
6324569 November 27, 2001 Ogilvie et al.
6324647 November 27, 2001 Bowman-Amuah
6324656 November 27, 2001 Gleichauf et al.
6327579 December 4, 2001 Crawford
6327594 December 4, 2001 Van Huben et al.
6327620 December 4, 2001 Tams et al.
6327652 December 4, 2001 England et al.
6330551 December 11, 2001 Burchetta et al.
6330589 December 11, 2001 Kennedy
6330670 December 11, 2001 England et al.
6332163 December 18, 2001 Bowman-Amuah
6338141 January 8, 2002 Wells
6341369 January 22, 2002 Degenaro et al.
6347374 February 12, 2002 Drake et al.
6347375 February 12, 2002 Reinert et al.
6353886 March 5, 2002 Howard et al.
6356859 March 12, 2002 Talbot et al.
6356935 March 12, 2002 Gibbs
6357008 March 12, 2002 Nachenberg
6362836 March 26, 2002 Shaw et al.
6363489 March 26, 2002 Comay et al.
6367009 April 2, 2002 Davis et al.
6367012 April 2, 2002 Atkinson et al.
6370648 April 9, 2002 Diep
6373950 April 16, 2002 Rowney
6381694 April 30, 2002 Yen
6385596 May 7, 2002 Wiser et al.
6385655 May 7, 2002 Smith et al.
6389419 May 14, 2002 Wong et al.
6393465 May 21, 2002 Leeds
6393568 May 21, 2002 Ranger et al.
6397259 May 28, 2002 Lincke et al.
6397335 May 28, 2002 Franczek et al.
6400804 June 4, 2002 Bilder
6401210 June 4, 2002 Templeton
6405318 June 11, 2002 Rowland
6411716 June 25, 2002 Brickell
6424650 July 23, 2002 Yang et al.
6430184 August 6, 2002 Robins et al.
6430688 August 6, 2002 Kohl et al.
6434536 August 13, 2002 Geiger
6438549 August 20, 2002 Aldred et al.
6438576 August 20, 2002 Huang et al.
6438612 August 20, 2002 Ylonen et al.
6442588 August 27, 2002 Clark et al.
6442686 August 27, 2002 McArdle et al.
6442688 August 27, 2002 Moses et al.
6442689 August 27, 2002 Kocher
6446109 September 3, 2002 Gupta
6449367 September 10, 2002 Van Wie et al.
6449640 September 10, 2002 Haverstock et al.
6452613 September 17, 2002 Lefebvre et al.
6453345 September 17, 2002 Trcka et al.
6453352 September 17, 2002 Wagner et al.
6453419 September 17, 2002 Flint et al.
6460050 October 1, 2002 Pace et al.
6460141 October 1, 2002 Olden
6469969 October 22, 2002 Carson et al.
6470086 October 22, 2002 Smith
6477651 November 5, 2002 Teal
6484203 November 19, 2002 Porras et al.
6487599 November 26, 2002 Smith et al.
6487658 November 26, 2002 Micali
6487666 November 26, 2002 Shanklin et al.
6496974 December 17, 2002 Sliger et al.
6496979 December 17, 2002 Chen et al.
6499107 December 24, 2002 Gleichauf et al.
6502191 December 31, 2002 Smith et al.
6507851 January 14, 2003 Fujiwara et al.
6510431 January 21, 2003 Eichstaedt et al.
6510464 January 21, 2003 Grantges, Jr. et al.
6510466 January 21, 2003 Cox et al.
6516316 February 4, 2003 Ramasubramani et al.
6516411 February 4, 2003 Smith
6519264 February 11, 2003 Carr et al.
6519703 February 11, 2003 Joyce
6526171 February 25, 2003 Furukawa
6529498 March 4, 2003 Cheng
6539430 March 25, 2003 Humes
6546416 April 8, 2003 Kirsch
6546493 April 8, 2003 Magdych et al.
6550012 April 15, 2003 Villa et al.
6560632 May 6, 2003 Chess et al.
6574611 June 3, 2003 Matsuyama et al.
6574737 June 3, 2003 Kingsford et al.
6577920 June 10, 2003 Hypponen et al.
6578025 June 10, 2003 Pollack et al.
6578147 June 10, 2003 Shanklin et al.
6584488 June 24, 2003 Brenner et al.
6584564 June 24, 2003 Olkin et al.
6587949 July 1, 2003 Steinberg
6606708 August 12, 2003 Devine et al.
6609196 August 19, 2003 Dickinson, III et al.
6609205 August 19, 2003 Bernhard et al.
6611869 August 26, 2003 Eschelbeck et al.
6611925 August 26, 2003 Spear
6615242 September 2, 2003 Riemers
6622150 September 16, 2003 Kouznetsov et al.
6647400 November 11, 2003 Moran
6650890 November 18, 2003 Irlam et al.
6654787 November 25, 2003 Aronson et al.
6658568 December 2, 2003 Ginter et al.
6662230 December 9, 2003 Eichstaedt et al.
6668269 December 23, 2003 Kamada et al.
6675153 January 6, 2004 Cook et al.
6675209 January 6, 2004 Britt
6678270 January 13, 2004 Garfinkel
6681331 January 20, 2004 Munson et al.
6684335 January 27, 2004 Epstein, III et al.
6687687 February 3, 2004 Smadja
6687732 February 3, 2004 Bector et al.
6691156 February 10, 2004 Drummond et al.
6694023 February 17, 2004 Kim
6697950 February 24, 2004 Ko
6701440 March 2, 2004 Kim et al.
6704874 March 9, 2004 Porras et al.
6707915 March 16, 2004 Jobst et al.
6711127 March 23, 2004 Gorman et al.
6711679 March 23, 2004 Guski et al.
6715082 March 30, 2004 Chang et al.
6721721 April 13, 2004 Bates et al.
6725223 April 20, 2004 Abdo et al.
6725377 April 20, 2004 Kouznetsov
6728886 April 27, 2004 Ji et al.
6731756 May 4, 2004 Pizano et al.
6732101 May 4, 2004 Cook
6732149 May 4, 2004 Kephart
6732157 May 4, 2004 Gordon et al.
6735700 May 11, 2004 Flint et al.
6735703 May 11, 2004 Kilpatrick et al.
6738462 May 18, 2004 Brunson
6738814 May 18, 2004 Cox et al.
6738932 May 18, 2004 Price
6741595 May 25, 2004 Maher, III et al.
6742015 May 25, 2004 Bowman-Amuah
6742124 May 25, 2004 Kilpatrick et al.
6742128 May 25, 2004 Joiner
6745192 June 1, 2004 Libenzi
6748531 June 8, 2004 Epstein
6754705 June 22, 2004 Joiner et al.
6757830 June 29, 2004 Tarbotton et al.
6760765 July 6, 2004 Asai et al.
6760845 July 6, 2004 Cafarelli et al.
6766450 July 20, 2004 Micali
6768991 July 27, 2004 Hearnden
6769016 July 27, 2004 Rothwell et al.
6772334 August 3, 2004 Glawitsch
6772346 August 3, 2004 Chess et al.
6775657 August 10, 2004 Baker
6775704 August 10, 2004 Watson et al.
6779033 August 17, 2004 Watson et al.
6782503 August 24, 2004 Dawson
6785728 August 31, 2004 Schneider et al.
6785732 August 31, 2004 Bates et al.
6785818 August 31, 2004 Sobel et al.
6789202 September 7, 2004 Ko et al.
6792546 September 14, 2004 Shanklin et al.
6799197 September 28, 2004 Shetty et al.
6802002 October 5, 2004 Corella
6804237 October 12, 2004 Luo et al.
6804778 October 12, 2004 Levi et al.
6804783 October 12, 2004 Wesinger, Jr. et al.
6826698 November 30, 2004 Minkin et al.
6842860 January 11, 2005 Branstad et al.
6842861 January 11, 2005 Cox et al.
6845449 January 18, 2005 Carman et al.
6847888 January 25, 2005 Fox et al.
6851057 February 1, 2005 Nachenberg
6859793 February 22, 2005 Lambiase
6862581 March 1, 2005 Lambiase
6870849 March 22, 2005 Callon et al.
6883101 April 19, 2005 Fox et al.
6892178 May 10, 2005 Zacharia
6892179 May 10, 2005 Zacharia
6892237 May 10, 2005 Gai et al.
6892241 May 10, 2005 Kouznetsov et al.
6895385 May 17, 2005 Zacharia et al.
6895436 May 17, 2005 Caillau et al.
6907430 June 14, 2005 Chong et al.
6909205 June 21, 2005 Corcoran et al.
6910134 June 21, 2005 Maher, III et al.
6910135 June 21, 2005 Grainger
6915426 July 5, 2005 Carman et al.
6922776 July 26, 2005 Cook et al.
6928550 August 9, 2005 Le Pennec et al.
6928556 August 9, 2005 Black et al.
6934857 August 23, 2005 Bartleson et al.
6941348 September 6, 2005 Petry et al.
6941467 September 6, 2005 Judge et al.
6944673 September 13, 2005 Malan et al.
6947442 September 20, 2005 Sato et al.
6947936 September 20, 2005 Suermondt et al.
6950933 September 27, 2005 Cook et al.
6952776 October 4, 2005 Chess
6954775 October 11, 2005 Shanklin et al.
6968336 November 22, 2005 Gupta
6968461 November 22, 2005 Lucas et al.
6971019 November 29, 2005 Nachenberg
6976168 December 13, 2005 Branstad et al.
6976271 December 13, 2005 Le Pennec et al.
6978223 December 20, 2005 Milliken
6981146 December 27, 2005 Sheymov
6981158 December 27, 2005 Sanchez et al.
6985923 January 10, 2006 Bates et al.
6993660 January 31, 2006 Libenzi et al.
7010696 March 7, 2006 Cambridge et al.
7055173 May 30, 2006 Chaganty et al.
7058974 June 6, 2006 Maher, III et al.
7080000 July 18, 2006 Cambridge
7085934 August 1, 2006 Edwards
7093002 August 15, 2006 Wolff et al.
7107618 September 12, 2006 Gordon et al.
7117358 October 3, 2006 Bandini et al.
7117533 October 3, 2006 Libenzi
7120252 October 10, 2006 Jones et al.
7127743 October 24, 2006 Khanolkar et al.
7134141 November 7, 2006 Crosbie et al.
7136487 November 14, 2006 Schon et al.
7150042 December 12, 2006 Wolff et al.
7159237 January 2, 2007 Schneier et al.
7181015 February 20, 2007 Matt
7213260 May 1, 2007 Judge
7222157 May 22, 2007 Sutton et al.
7225255 May 29, 2007 Favier et al.
7225466 May 29, 2007 Judge
7234168 June 19, 2007 Gupta et al.
7308715 December 11, 2007 Gupta et al.
7310818 December 18, 2007 Parish et al.
7328349 February 5, 2008 Milliken
7366764 April 29, 2008 Vollebregt
7409714 August 5, 2008 Gupta et al.
7458098 November 25, 2008 Judge et al.
7519994 April 14, 2009 Judge et al.
7533272 May 12, 2009 Gordon et al.
7624274 November 24, 2009 Alspector et al.
7693945 April 6, 2010 Dulitz et al.
20010005889 June 28, 2001 Albrecht
20010009580 July 26, 2001 Ikeda
20010011308 August 2, 2001 Clark et al.
20010034839 October 25, 2001 Karjoth et al.
20010039579 November 8, 2001 Trcka et al.
20010049793 December 6, 2001 Sugimoto
20020001384 January 3, 2002 Buer et al.
20020004902 January 10, 2002 Toh et al.
20020016826 February 7, 2002 Johansson et al.
20020016910 February 7, 2002 Wright et al.
20020019945 February 14, 2002 Houston et al.
20020023140 February 21, 2002 Hile et al.
20020026591 February 28, 2002 Hartley et al.
20020032860 March 14, 2002 Wheeler et al.
20020032871 March 14, 2002 Malan et al.
20020035683 March 21, 2002 Kaashoek et al.
20020038339 March 28, 2002 Xu
20020042876 April 11, 2002 Smith
20020042877 April 11, 2002 Wheeler et al.
20020046041 April 18, 2002 Lang
20020049853 April 25, 2002 Chu et al.
20020069263 June 6, 2002 Sears et al.
20020071438 June 13, 2002 Singh
20020078381 June 20, 2002 Farley et al.
20020078382 June 20, 2002 Sheikh et al.
20020080888 June 27, 2002 Shu et al.
20020083033 June 27, 2002 Abdo et al.
20020083342 June 27, 2002 Webb et al.
20020083343 June 27, 2002 Crosbie et al.
20020087882 July 4, 2002 Schneier et al.
20020091697 July 11, 2002 Huang et al.
20020091757 July 11, 2002 Cuomo et al.
20020095492 July 18, 2002 Kaashoek et al.
20020107853 August 8, 2002 Hofmann et al.
20020112008 August 15, 2002 Christenson et al.
20020112168 August 15, 2002 Filipi-Martin et al.
20020112185 August 15, 2002 Hodges
20020116463 August 22, 2002 Hart
20020116627 August 22, 2002 Tarbotton et al.
20020120705 August 29, 2002 Schiavone et al.
20020120853 August 29, 2002 Tyree
20020120874 August 29, 2002 Shu et al.
20020129002 September 12, 2002 Alberts et al.
20020129277 September 12, 2002 Caccavale
20020133365 September 19, 2002 Grey et al.
20020133586 September 19, 2002 Shanklin et al.
20020138416 September 26, 2002 Lovejoy et al.
20020138755 September 26, 2002 Ko
20020138759 September 26, 2002 Dutta
20020138762 September 26, 2002 Horne
20020143963 October 3, 2002 Converse et al.
20020147734 October 10, 2002 Shoup et al.
20020147780 October 10, 2002 Liu et al.
20020147915 October 10, 2002 Chefalas et al.
20020147925 October 10, 2002 Lingafelt et al.
20020152399 October 17, 2002 Smith
20020161718 October 31, 2002 Coley et al.
20020165971 November 7, 2002 Baron
20020169954 November 14, 2002 Bandini et al.
20020172367 November 21, 2002 Mulder et al.
20020174358 November 21, 2002 Wolff et al.
20020178227 November 28, 2002 Matsa et al.
20020178383 November 28, 2002 Hrabik et al.
20020181703 December 5, 2002 Logan et al.
20020186698 December 12, 2002 Ceniza
20020188864 December 12, 2002 Jackson
20020194161 December 19, 2002 McNamee et al.
20020194469 December 19, 2002 Dominique et al.
20020194490 December 19, 2002 Halperin et al.
20020199095 December 26, 2002 Bandini et al.
20030004688 January 2, 2003 Gupta et al.
20030004689 January 2, 2003 Gupta et al.
20030005326 January 2, 2003 Flemming
20030009554 January 9, 2003 Burch et al.
20030009693 January 9, 2003 Brock et al.
20030009696 January 9, 2003 Bunker et al.
20030009698 January 9, 2003 Lindeman et al.
20030009699 January 9, 2003 Gupta et al.
20030014662 January 16, 2003 Gupta et al.
20030014664 January 16, 2003 Hentunen
20030021280 January 30, 2003 Makinson et al.
20030023692 January 30, 2003 Moroo
20030023695 January 30, 2003 Kobata et al.
20030023873 January 30, 2003 Ben-Itzhak
20030023874 January 30, 2003 Prokupets et al.
20030023875 January 30, 2003 Hursey et al.
20030028803 February 6, 2003 Bunker et al.
20030033516 February 13, 2003 Howard et al.
20030033542 February 13, 2003 Goseva-Popstojanova et al.
20030037141 February 20, 2003 Milo et al.
20030041263 February 27, 2003 Devine et al.
20030041264 February 27, 2003 Black et al.
20030046421 March 6, 2003 Horvitz et al.
20030051026 March 13, 2003 Carter et al.
20030051163 March 13, 2003 Bidaud
20030051168 March 13, 2003 King et al.
20030055931 March 20, 2003 Cravo De Almeida et al.
20030061502 March 27, 2003 Teblyashkin et al.
20030061506 March 27, 2003 Cooper et al.
20030065791 April 3, 2003 Garg et al.
20030065943 April 3, 2003 Geis et al.
20030084020 May 1, 2003 Shu
20030084280 May 1, 2003 Bryan et al.
20030084320 May 1, 2003 Tarquini et al.
20030084323 May 1, 2003 Gales
20030084347 May 1, 2003 Luzzatto
20030088680 May 8, 2003 Nachenberg et al.
20030088792 May 8, 2003 Card et al.
20030093667 May 15, 2003 Dutta et al.
20030093695 May 15, 2003 Dutta
20030093696 May 15, 2003 Sugimoto
20030095555 May 22, 2003 McNamara et al.
20030097439 May 22, 2003 Strayer et al.
20030097564 May 22, 2003 Tewari et al.
20030101381 May 29, 2003 Mateev et al.
20030105827 June 5, 2003 Tan et al.
20030105859 June 5, 2003 Garnett et al.
20030105976 June 5, 2003 Copeland, III
20030110392 June 12, 2003 Aucsmith et al.
20030110393 June 12, 2003 Brock et al.
20030110396 June 12, 2003 Lewis et al.
20030115485 June 19, 2003 Milliken
20030115486 June 19, 2003 Choi et al.
20030120604 June 26, 2003 Yokota et al.
20030120647 June 26, 2003 Aiken et al.
20030123665 July 3, 2003 Dunstan et al.
20030126464 July 3, 2003 McDaniel et al.
20030126472 July 3, 2003 Banzhof
20030135749 July 17, 2003 Gales et al.
20030140137 July 24, 2003 Joiner et al.
20030140250 July 24, 2003 Taninaka et al.
20030145212 July 31, 2003 Crumly
20030145225 July 31, 2003 Bruton, III et al.
20030145226 July 31, 2003 Bruton, III et al.
20030145232 July 31, 2003 Poletto et al.
20030149887 August 7, 2003 Yadav
20030149888 August 7, 2003 Yadav
20030154393 August 14, 2003 Young
20030154399 August 14, 2003 Zuk et al.
20030154402 August 14, 2003 Pandit et al.
20030158905 August 21, 2003 Petry et al.
20030159069 August 21, 2003 Choi et al.
20030159070 August 21, 2003 Mayer et al.
20030167402 September 4, 2003 Stolfo et al.
20030172120 September 11, 2003 Tomkow et al.
20030172166 September 11, 2003 Judge et al.
20030172167 September 11, 2003 Judge et al.
20030172289 September 11, 2003 Soppera
20030172291 September 11, 2003 Judge et al.
20030172292 September 11, 2003 Judge
20030172294 September 11, 2003 Judge
20030172301 September 11, 2003 Judge et al.
20030172302 September 11, 2003 Judge et al.
20030187996 October 2, 2003 Cardina et al.
20030212791 November 13, 2003 Pickup
20030233328 December 18, 2003 Scott et al.
20030236845 December 25, 2003 Pitsos
20040015554 January 22, 2004 Wilson
20040025044 February 5, 2004 Day
20040054886 March 18, 2004 Dickinson, III et al.
20040058673 March 25, 2004 Irlam et al.
20040059811 March 25, 2004 Sugauchi et al.
20040083384 April 29, 2004 Hypponen
20040088570 May 6, 2004 Roberts et al.
20040103315 May 27, 2004 Cooper et al.
20040111531 June 10, 2004 Staniford et al.
20040139160 July 15, 2004 Wallace et al.
20040139334 July 15, 2004 Wiseman
20040143763 July 22, 2004 Radatti
20040167968 August 26, 2004 Wilson et al.
20040177120 September 9, 2004 Kirsch
20040181462 September 16, 2004 Bauer et al.
20040193482 September 30, 2004 Hoffman et al.
20040203589 October 14, 2004 Wang et al.
20040205135 October 14, 2004 Hallam-Baker
20040221062 November 4, 2004 Starbuck et al.
20040236884 November 25, 2004 Beetz
20040267893 December 30, 2004 Lin
20050014749 January 20, 2005 Chen et al.
20050021738 January 27, 2005 Goeller et al.
20050043936 February 24, 2005 Corston-Oliver et al.
20050052998 March 10, 2005 Oliver et al.
20050058129 March 17, 2005 Jones et al.
20050065810 March 24, 2005 Bouron
20050081059 April 14, 2005 Bandini et al.
20050086526 April 21, 2005 Aguirre
20050102366 May 12, 2005 Kirsch
20050188045 August 25, 2005 Katsikas
20050204159 September 15, 2005 Davis et al.
20050235360 October 20, 2005 Pearson
20050262209 November 24, 2005 Yu
20050262210 November 24, 2005 Yu
20060036693 February 16, 2006 Hulten et al.
20060036727 February 16, 2006 Kurapati et al.
20060042483 March 2, 2006 Work et al.
20060047794 March 2, 2006 Jezierski
20060095404 May 4, 2006 Adelman et al.
20060095966 May 4, 2006 Park
20060123083 June 8, 2006 Goutte et al.
20060168006 July 27, 2006 Shannon et al.
20060168017 July 27, 2006 Stern et al.
20060212925 September 21, 2006 Shull et al.
20060212930 September 21, 2006 Shull et al.
20060212931 September 21, 2006 Shull et al.
20060230039 October 12, 2006 Shull et al.
20060253458 November 9, 2006 Dixon et al.
20060259551 November 16, 2006 Caldwell, Jr.
20080060075 March 6, 2008 Cox et al.
20090064329 March 5, 2009 Okumura et al.
20090083413 March 26, 2009 Levow et al.
20100017487 January 21, 2010 Patinkin
20100049848 February 25, 2010 Levow et al.
Foreign Patent Documents
WO9605673 February 1996 WO
WO0028420 May 2000 WO
WO0155927 August 2001 WO
WO0173523 October 2001 WO
WO02101516 December 2002 WO
Other references
  • US 5,373,559, 12/1994, Kaufman et al. (withdrawn)
  • Notice of Allowance from U.S. Appl. No. 12/248,790 which was mailed on Aug. 15, 2011.
  • Office Action from U.S. Appl. No. 12/762,368 which was mailed on Oct. 13, 2011.
  • Paul Graham; A Plan for Spam; http://www.paulgraham.com/spam.html; Aug. 2002; pp. 1-11.
  • Paul Vixie; Distributed Checksum Clearninghouse; Rhyolite Software; http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dcc.html; Aug. 26, 2002; pp. 1-9.
  • RFC #1123; R. Braden; Requirements for Internet Hosts—Application and Support; Oct. 1989; pp. 1-97.
  • RFC #2045; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies; Nov. 1996; pp. 1-29.
  • RFC #2046; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types; Nov. 1996; pp. 1-19.
  • RFC #2047; K. Moore; MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text); Nov. 1996; pp. 1-15.
  • RFC #2048; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures; Nov. 1996; pp. 1-20.
  • RFC #2049; N. Freed et al.; Multipurpose Internet Mail Extensions MIME) Part Five: Conformance Criteria and Examples; Nov. 1996; pp. 1-23.
  • RFC #2231; N. Freed et al.; MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations; Nov. 1997; pp. 1-10.
  • RFC #822; David H. Crocker; Standard for the Format of ARPA Internet Text Message; Aug. 13, 1982; pp. 1-49.
  • S. Staniford-Chen, and L. Todd Herberlein; “Holding Intruders Accountable on the Internet”; Proceedsings of the 1995 IEEE Symposium on Security and Privacy; Oakland, CA, pp. 39-49, May 8-10, 1995.
  • Savage et al., “Practical Network Support for IP Traceback,” Department of Computer Science and Engineering, University of Washington, (2000).
  • Schwartz et al., “Smart Packets: Applying Active Networks to Network Management,” ACM Transaction on Computer Systems, 18(1):67-88, (2000).
  • Skipper, Chad, “Polymorphism and IDS,” Symantec, (2001).
  • Todd Heberlein; “Worm Detection and Prevention: Concept, Approach, and Experience”; Net Squared, Inc.; http://www.attackcenter.com/Information/WhitePapers/WormDetect/; Aug. 14, 2002; pp. 1-7.
  • International Search Report for PCT/US2004/028896 mailed on Dec. 13, 2004.
  • Bace, Rebecca Gurley, “Intrusion Detection—Technology Series”—Copyright 2000 by MacMillan Technical Publishing.
  • Amoroso, Edward G., “Intrusion Detection—An Introduction to Surveillance, Correlation, Traps, Trace Back, and Response.” AT&T Laboratories, First Edition.—Copyright 1999 by AT&T, Inc.
  • Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., “A Phased Approach to Network Intrusion Detection,” 14th National Computing Security Conference, 1991.
  • Paxson, Vern, “Bro: A System for Detecting Network Intruders in Real-Time,” Proceedings of The 7th USENIX Security Symposium, San Antonio, TX, 1998.
  • Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M. and Mansur, Doug, “DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, and An Early Prototype,” The 14th National Computer Security Conference, Oct. 1991, pp. 167-176.
  • US App No. 00-4039CIP3.
  • U.S. Appl. No. 09/881,074, filed Jun. 14, 2001.
  • U.S. Appl. No. 09/881,145, filed Jun. 14, 2001.
  • U.S. Appl. No. 10/251,403, filed Sep. 20, 2002.
  • US App No. Frentz Jan. 14, 2003.
  • Notice of Allowance from U.S. Appl. No. 09/881,074 which was mailed on Jan. 6, 2005.
  • Notice of Allowance from U.S. Appl. No. 10/251,403 which was mailed on Aug. 10, 2007.
  • Office Action from U.S. Appl. No. 09/881,145 which was mailed on Nov. 30, 2006.
  • Office Action from U.S. Appl. No. 09/881,145 which was mailed on Apr. 20, 2005.
  • Office Action from U.S. Appl. No. 09/881,145 which was mailed on Aug. 16, 2007.
  • Office Action from U.S. Appl. No. 10/251,403 which was mailed on Dec. 8, 2006.
  • Office Action from U.S. Appl. No. 10/251,403 which was mailed on Apr. 25, 2006.
  • Office Action from U.S. Appl. No. 10/654,771 which was mailed on Jan. 13, 2011.
  • Office Action from U.S. Appl. No. 10/654,771 which was mailed on Dec. 11, 2008.
  • Office Action from U.S. Appl. No. 10/654,771 which was mailed on Jul. 22, 2010.
  • Office Action from U.S. Appl. No. 12/243,778 which was mailed on Oct. 7, 2010.
  • Office Action from U.S. Appl. No. 12/248,790 which was mailed on Feb. 11, 2010.
  • Office Action from U.S. Appl. No. 12/248,790 which was mailed on May 27, 2010.
  • Office Action from U.S. Appl. No. 12/243,785 which was mailed on Sep. 1, 2010.
  • Office Action from U.S. Appl. No. 12/243,785 which was mailed on Mar. 30, 2011.
  • Office Action from U.S. Appl. No. 12/249,803 which was mailed on Oct. 19, 2010.
  • Office Action from U.S. Appl. No. 12/249,803 which was mailed on Mar. 10, 2011.
  • Office Action from U.S. Appl. No. 12/249,804 which was mailed on Apr. 20, 2011.
  • Office Action from U.S. Appl. No. 12/249,804 which was mailed on Aug. 30, 2010.
  • Office Action from U.S. Appl. No. 12/249,823 which was mailed on Dec. 1, 2010.
  • Office Action from U.S. Appl. No. 12/249,832 which was mailed on Oct. 12, 2010.
  • Office Action from U.S. Appl. No. 12/762,365 which was mailed on Dec. 14, 2010.
  • Office Action from U.S. Appl. No. 12/762,366 which was mailed on Nov. 10, 2010.
  • Notice of Allowance from U.S. Appl. No. 12/248,790 which was mailed on Feb. 2, 2012.
  • Office Action from U.S. Appl. No. 12/762,368 which was mailed on Feb. 23, 2012.
Patent History
Patent number: 8166549
Type: Grant
Filed: Apr 18, 2010
Date of Patent: Apr 24, 2012
Patent Publication Number: 20100205671
Assignee: Stragent, LLC (Longview, TX)
Inventors: Walter Clark Milliken (Dover, NH), William Timothy Strayer (West Newton, MA), Stephen Douglas Milligan (Stow, MA), Luis Sanchez (Mayaguez, PR), Craig Partridge (East Lansing, MI)
Primary Examiner: Longbit Chai
Attorney: The Caldwell Firm, LLC
Application Number: 12/762,367