Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
Latest Stragent, LLC Patents:
- System, method and computer program product for sharing information in a distributed framework
- System, method and computer program product for sharing information in a distributed framework
- System, method and computer program product for sharing information in a distributed framework
- System, method and computer program product for sharing information in a distributed framework
- System, method and computer program product for sharing information in a distributed framework
This application is a continuation of U.S. patent application Ser. No. 12/249,823, filed Oct. 10, 2008, which, in turn, is a continuation of U.S. patent application Ser. No. 10/654,771, filed Sep. 4, 2003, which, in turn, claims priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, all of which are incorporated herein by reference.
BACKGROUND OF THE INVENTION1. Field of the Invention
The present invention relates generally to network security and, more particularly, to systems and methods for detecting and/or preventing the transmission of malicious packets, such as polymorphic worms and viruses.
2. Description of Related Art
Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.
The ever-increasing number of computers, routers, and connections making up the Internet increases the number of vulnerable points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch, can be compromised and configured to place malicious packets onto the network.
One particularly troublesome type of attack is a self-replicating network-transferred computer program, such as a virus or worm, that is designed to annoy network users, deny network service by overloading the network, or damage target computers (e.g., by deleting files). A virus is a program that infects a computer or device by attaching itself to another program and propagating itself when that program is executed, possibly destroying files or wiping out memory devices. A worm, on the other hand, is a program that can make copies of itself and spread itself through connected systems, using up resources in affected computers or causing other damage.
Various defenses, such as e-mail filters, anti-virus programs, and firewall mechanisms, have been employed against viruses and worms. Unfortunately, many viruses and worms are polymorphic. Polymorphic viruses and worms include viruses and worms that deliberately have a different set of bytes in each copy, as opposed to being substantially similar in each copy, to make them difficult to detect. Detection techniques based on byte sequence comparison, including older virus-detection techniques, may be generally ineffective in detecting polymorphic viruses and worms.
Accordingly, there is a need for new defenses to thwart the attack of polymorphic viruses and worms.
SUMMARY OF THE INVENTIONSystems and methods consistent with the present invention address these and other needs by providing a new defense that attacks malicious packets, such as polymorphic viruses and worms, at their most common denominator (i.e., the need to transfer a copy of their code over a network to multiple target systems).
In accordance with an aspect of the invention as embodied and broadly described herein, a method for detecting transmission of potentially malicious packets is provided. The method includes receiving packets; generating hash values based on variable-sized blocks of the received packets; comparing the generated hash values to hash values associated with prior packets; and determining that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
In accordance with another aspect of the invention, a system for hampering transmission of potentially malicious packets is provided. The system includes means for observing packets, means for generating hash values based on variable-sized blocks of the observed packets, and means for comparing the generated hash values to hash values corresponding to prior packets. The system further includes means for identifying one of the observed packets as a potentially malicious packet when the generated hash values corresponding to the observed packet match the hash values corresponding to the prior packets, and means for hampering transmission of the observed packet when the observed packet is identified as a potentially malicious packet.
In accordance with yet another aspect of the invention, a device for detecting transmission of malicious packets is provided. The device includes a hash memory and a hash processor. The hash memory is configured to store information associated with hash values corresponding to prior packets. The hash processor is configured to observe a packet and generate one or more hash values based on variable-sized blocks of the packet. The hash processor is further configured to compare the one or more generated hash values to the hash values corresponding to the prior packets and identify the packet as a potentially malicious packet when a predetermined number of the one or more generated hash values match the hash values corresponding to the prior packets.
In accordance with a further aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting blocks of received packet of random block sizes, and performing multiple different hash functions on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.
In accordance with another aspect of the invention, a method for detecting transmission of a potentially malicious packet is provided. The method includes receiving a packet, selecting multiple blocks of the received packet of different block sizes, and performing a different hash function on each of the blocks to generate multiple hash values. The method further includes comparing the generated hash values to hash values associated with prior packets, and identifying the received packet as a potentially malicious packet when one or more of the generated hash values correspond to one or more of the hash values associated with the prior packets.
In accordance with yet another aspect of the invention, a method for detecting files suspected of containing a virus or worm on a computer is provided. The method includes receiving one or more first hash values associated with the virus or worm, hashing one or more variable-sized portions of the files to generate second hash values, comparing the second hash values to the one or more first hash values, and identifying one of the files as a file suspected of containing the virus or worm when one or more of the second hash values correspond to at least one of the one or more first hash values.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,
The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.
Systems and methods consistent with the present invention provide mechanisms to detect and/or prevent the transmission of malicious packets. Malicious packets, as used herein, may include polymorphic viruses and worms, but may also apply to non-polymorphic viruses and worms and possibly other types of data with duplicated content, such as illegal mass e-mail (e.g., spam), that are repeatedly transmitted through a network.
Polymorphic viruses and worms are generally composed of two pieces: an obscured payload (which contains the majority of the virus/worm), and a decoding bootstrap that must be initially executable by the victim machine “as is,” and turns the obscured payload into the executable remainder of the virus/worm. The design of the polymorphic viruses and worms are such that the contents of the obscured payload are essentially undetectable (e.g., by strong encryption), leaving two basic ways to detect the virus/worm: (1) detect it after the decoding bootstrap has run, which is a technique employed by many of today's virus detection software; and (2) detect the decoding bootstrap in a manner consistent with the principles of the invention.
While the decoding bootstrap must be executable by the target machine, it does not have to be the exact same code for every copy of the virus/worm. In other words, it can be made arbitrarily variable, as long as the effect of executing it results in the decoding of the obscured payload.
The most sophisticated polymorphic viruses/worms employ techniques, such as the interspersal of “no-ops” or other code that does not affect the decoding process, but adds to the variability of the byte string making up the decoder bootstrap. Another technique includes changing details of instructions in the actual decoder code, such as changing which registers are employed by the decoding code, or stringing small code fragments together with “branch” or “jump” instructions, allowing the execution sequence of the instructions to be relatively independent of the sequence of bytes making up the decoder bootstrap. “Dead” code, or gibberish bytes, can also be inserted between active code segments strung together this way.
Thus, detecting the decoder bootstrap of a polymorphic virus/worm is a very difficult task. It is most difficult when only one copy of the virus/worm is examined. When many potential copies of the virus/worm can be observed, however, certain similarities between various copies will eventually emerge, because there are only a finite set of transformations that the decoding bootstrap can be put through and still function properly. This opens up the opportunity to detect such viruses/worms in places where many copies can be observed over time, such as in the network nodes (and links) through which they propagate.
Another vulnerability to detection that some e-mail-based viruses/worms have is that they require user interaction with the message carrying the virus/worm in order to be executed. Thus, they are often accompanied by a text message in the body of the e-mail that is designed to entice the user into performing the necessary action to execute the virus/worm (usually opening a file attached to the e-mail message). A polymorphic virus/worm could relatively easily change the e-mail text used in minor ways, but to make substantial changes would likely render the message incoherent to the receiver and, thus, either make him suspicious or unlikely to perform the action needed for the virus/worm to execute. Systems and methods consistent with the principles of the invention can also detect the text of the e-mail message as possibly related to a virus/worm attack.
Systems and methods consistent with the principles of the invention hash incoming packets, using a varying hash-block size, varying between a minimum and a maximum value. The hash block size may be chosen randomly within this interval for each block, but other methods of varying the block size could also be used, as long as the method was not easily predictable by an attacker.
This serves two purposes. First, it reduces the need to hash multiple copies of non-polymorphic viruses/worms for pretraining, because each packet would now have a finite chance of sharing a block with previous packets, rather than no chance, if it did not share a prior copy's alignment within a packet. Second, it allows relatively short sequences of bytes to be hashed sometimes, greatly improving the chances of catching a fixed segment of a polymorphic virus/worm.
Exemplary System ConfigurationPublic network 150 may include a collection of network devices, such as routers (R1-R5) or switches, that transfer data between autonomous systems, such as autonomous systems 110-140. In an implementation consistent with the present invention, public network 150 takes the form of the Internet, an intranet, a public telephone network, a wide area network (WAN), or the like.
An autonomous system is a network domain in which all network devices (e.g., routers) in the domain can exchange routing tables. Often, an autonomous system can take the form of a local area network (LAN), a WAN, a metropolitan area network (MAN), etc. An autonomous system may include computers or other types of communication devices (referred to as “hosts”) that connect to public network 150 via an intruder detection system (IDS); a firewall, one or more border routers, or a combination of these devices.
Autonomous system 110, for example, includes hosts (H) 111-113 connected in a LAN configuration. Hosts 111-113 connect to public network 150 via an intruder detection system (IDS) 114. Intruder detection system 114 may include a commercially-available device that uses rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an intruder detection system is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic.
Using a rule set, intruder detection system 114 monitors inbound traffic to autonomous system 110. When a suspicious pattern or event is detected, intruder detection system 114 may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying the malicious traffic, discarding packets corning from a particular source address, or discarding packets addressed to a particular destination.
Autonomous system 120 contains different devices from autonomous system 110. These devices aid autonomous system 120 in identifying and/or preventing the transmission of potentially malicious packets within autonomous system 120 and tracing the propagation of the potentially malicious packets through autonomous system 120 and, possibly, public network 150. While
Autonomous system 120 includes hosts (H) 121-123, intruder detection system (IDS) 124, and security server (SS) 125 connected to public network 150 via a collection of devices, such as security routers (SR11-SR14) 126-129. Hosts 121-123 may include computers or other types of communication devices connected, for example, in a LAN configuration. Intruder detection system 124 may be configured similar to intruder detection system 114.
Security server 125 may include a device, such as a general-purpose computer or a server, that performs source path identification when a malicious packet is detected by intruder detection system 124 or a security router 126-129. While security server 125 and intruder detection system 124 are shown as separate devices in
Security routers 126-129 may include network devices, such as routers, that may detect and/or prevent the transmission of malicious packets and perform source path identification functions. Security routers 127-129 may include border routers for autonomous system 120 because these routers include connections to public network 150. As a result, security routers 127-129 may include routing tables for routers outside autonomous system 120.
Packet detection logic 200 may include hash processor 210 and hash memory 220. Hash processor 210 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received packet and records the packet representations in hash memory 220.
A packet representation will likely not be a copy of the entire packet, but rather it may include a portion of the packet or some unique value representative of the packet. Because modern routers can pass gigabits of data per second, storing complete packets is not practical because memories would have to be prohibitively large. By contrast, storing a value representative of the contents of a packet uses memory in a much more efficient manner. By way of example, if incoming packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across blocks making up the content (or payload) of a packet in a manner that allows the entire packet to be identified.
To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across blocks of each packet. Then, the hash value may be stored in hash memory 220 or may be used as an index, or address, into hash memory 220. Using the hash value, or an index derived therefrom, results in efficient use of hash memory 220 while still allowing the content of each packet passing through packet detection logic 200 to be identified.
Systems and methods consistent with the present invention may use any storage scheme that records information about each packet in a space-efficient fashion, that can definitively determine if a packet has not been observed, and that can respond positively (i.e., in a predictable way) when a packet has been observed. Although systems and methods consistent with the present invention can use virtually any technique for deriving representations of packets, the remaining discussion will use hash values as exemplary representations of packets having passed through a participating router.
Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network.
According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed.
In one implementation consistent with the principles of the invention, hash processor 210 may perform three hashes covering each byte of the payload field. Thus, a hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments (to accommodate a common data-path granularity in high-speed network devices). At the start of the packet payload, hash processor 210 may select a random block size from this range and hash the block with the three different hash functions, or hash processor 210 may select a different block size for each hash function. In the former case, a new block size may be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. In the latter case, as each hash function completes its current block, it selects a random size for the next block it will hash.
Each hash value may be determined by taking an input block of data and processing it to obtain a numerical value that represents the given input data. Suitable hash functions are readily known in the art and will not be discussed in detail herein. Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5). The resulting hash value, also referred to as a message digest or hash digest, may include a fixed length value. The hash value may serve as a signature for the data over which it was computed. For example, incoming packets could have fixed hash value(s) computed over their content.
The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.
Hash processor 210 may store a representation of each packet it observes in hash memory 220. Hash processor 210 may store the actual hash values as the packet representations or it may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. A technique for minimizing storage requirements may use one or more bit arrays or Bloom filters.
Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, hash processor 210 may use the hash value as an index for addressing a bit array within hash memory 220. In other words, when hash processor 210 generates a hash value for a block of a packet, the hash value serves as the address location into the bit array. At the address corresponding to the hash value, one or more bits may be set at the respective location thus indicating that a particular hash value, and hence a particular data packet content, has been seen by hash processor 210. For example, using a 32-bit hash value provides on the order of 4.3 billion possible index values into the bit array. Storing one bit per block rather than storing the block itself, which can be 512 bits long, produces a compression factor of 1:512. While bit arrays are described by way of example, it will be appreciated by those skilled in the relevant art, that other storage techniques may be employed without departing from the spirit of the invention.
As shown in
As shown in
Because shorter block sizes are more likely to be repeated in totally random traffic, another variation might include the use of different memories for different block sizes. Thus, a given count level for a shorter block size may be less reason for suspicion than the same count level found in a longer block size.
In an alternate implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store hash values corresponding to known malicious packets, such as known viruses and worms. Hash memory 220 may store these hash values separately from the hash values of observed packets. In this case, hash processor 210 may compare a hash value for a received packet to not only the hash values of previously observed packets, but also to hash values of known malicious packets.
In yet another implementation consistent with the principles of the invention, hash memory 220 may be preprogrammed to store source addresses of known sources of legitimate duplicated content, such as packets from a multicast server, a popular page on a web server, an output from a mailing list “exploder” server, or the like. In this case, hash processor 210 may compare the source address for a received packet to the source addresses of known sources of legitimate duplicated content.
Over time, hash memory 220 may fill up and the possibility of overwriting an existing index value increases. The risk of overwriting an index value may be reduced if the bit array is periodically flushed to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. Alternatively, the bit array may be slowly and incrementally erased. To facilitate this, a time-table may be established for flushing/erasing the bit array. If desired, the flushing/erasing cycle can be reduced by computing hash values only for a subset of the packets passing through the router. While this approach reduces the flushing/erasing cycle, it increases the possibility that a target packet may be missed (i.e., a hash value is not computed over a portion of it).
When hash memory 220 includes counter fields 322, non-zero storage locations may be decremented periodically rather than being erased. This may ensure that the “random noise” from normal packets would not remain in the bit array indefinitely. Replicated traffic (e.g., from a virus/worm propagating repeatedly across the network), however, would normally cause the relevant storage locations to stay substantially above the “background noise” level.
Exemplary Processing for Malicious Packet Detection/Prevention
Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation.
In one implementation consistent with the principles of the invention, three hashes may be performed covering each byte of the payload field. A hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments. At the start of the packet payload, a random block size may be selected from this range and the block may be hashed with the three different hash functions. A new block size may then be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. Alternatively, a different block size may be selected for each hash function. In this case, as each hash function completes its current block, it selects a random size for the next block it will hash.
Hash processor 210 may optionally compare the generated hash value(s) to hash values of known viruses and/or worms within hash memory 220 (act 415). In this case, hash memory 220 may be preprogrammed to store hash values corresponding to known viruses and/or worms. If one or more of the generated hash values match one of the hash values of known viruses and/or worms, hash processor 210 may take remedial actions (acts 420 and 425). The remedial actions may include raising a warning for a human operator, delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping the packet and possibly other packets originating from the same Internet Protocol (IP) address as the packet, sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing complete transmission of the packet, disconnecting the link on which the packet was received, and/or corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet). Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (
If the generated hash value(s) do not match any of the hash values of known viruses and/or worms, or if such a comparison was not performed, hash processor 210 may optionally determine whether the packet's source address indicates that the packet was sent from a legitimate source of duplicated packet content (i.e., a legitimate “replicator”) (act 430). For example, hash processor 210 may maintain a list of legitimate replicators in hash memory 220 and check the source address of the packet with the addresses of legitimate replicators on the list. If the packet's source address matches the address of one of the legitimate replicators, then hash processor 210 may end processing of the packet. For example, processing may return to act 405 to await receipt of the next packet.
Otherwise, hash processor 210 may record the generated hash value(s) in hash memory 220 (act 435). For example, hash processor 210 may set the one or more bits stored in indicator field 312 (
Hash processor 210 may then determine whether any prior packets with the same hash value(s) have been received (act 440). For example, hash processor 210 may use each of the generated hash value(s) as an address into hash memory 220. Hash processor 210 may then examine indicator field 312 at each address to determine whether the one or more bits stored therein indicate that a prior packet has been received. Alternatively, hash processor 210 may examine counter field 322 to determine whether the count value indicates that a prior packet has been received.
If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet. If hash processor 210 determines that a prior packet has been observed with the same hash value, however, hash processor 210 may determine whether the packet is potentially malicious (act 445). Hash processor 210 may use a set of rules to determine whether to identify a packet as potentially malicious. For example, the rules might specify that more than x (where x>1) packets with the same hash value have to be observed by hash processor 210 before the packets are identified as potentially malicious. The rules might also specify that these packets have to have been observed by hash processor 210 within a specified period of time of one another. The reason for the latter rule is that, in the case of malicious packets, such as polymorphic viruses and worms, multiple packets will likely pass through packet detection logic 200 within a short period of time.
A packet may contain multiple hash blocks that partially match hash blocks associated with prior packets. For example, a packet that includes multiple hash blocks may have somewhere between one and all of its hashed content blocks match hash blocks associated with prior packets. The rules might specify the number of blocks and/or the number and/or length of sequences of blocks that need to match before hash processor 210 identifies the packet as potentially malicious. The rules might differ for different block sizes.
When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet. When hash processor 210 determines that the packet may be malicious, however, hash processor 210 may take remedial actions (act 450). In some cases, it may not be possible to determine whether the packet is actually malicious because there is some probability that there was a false match or a legitimate replication. As a result, hash processor 210 may determine the probability of the packet actually being malicious based on information gathered by hash processor 210.
The remedial actions may include raising a warning for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (
Once a malicious packet, such as a polymorphic virus or worm, has been identified, the path taken by the malicious packet may be traced. To do this, processing similar to that described in U.S. patent application Ser. No. 10/251,403, from which this application claims priority and which has been previously incorporated by reference, may be performed.
CONCLUSIONSystems and methods consistent with the present invention provide mechanisms to detect and/or prevent transmission of malicious packets, such as polymorphic viruses and worms.
Systems and methods consistent with the principles of the invention detect polymorphic viruses and worms with some finite probability, which may depend on the size of the decoder bootstrap code segment and the techniques used to obscure it (such as code rearrangement and the insertion of gibberish bytes). Also, the number of virus and worm examples that must be seen before detection becomes probable depends on the threshold settings, the degree to which different copies of the virus/worm resemble each other, the minimum hash block size used, and the rate at which copies arrive. Essentially, what happens is that short code sequences of the virus/worm decoder bootstrap will occasionally be in a single hash block, without any of the obscuring “cover” of gibberish bytes.
If the bootstrap is only obscured by inserted no-ops or irrelevant code sequences, packet detection logic 200 may eventually see samples of all variants of these in various lengths, and also in conjunction with the active code, and will actually recognize the virus/worm more easily, though usually after seeing many samples.
In either case, some set of byte sequences commonly found in the virus/worm, and found much less commonly in other network traffic, may be detected often enough that these sequences will rise above the “noise” level of the data stored in hash memory 220 and, thus, be detectable. Not every packet containing the virus/worm decoder bootstrap, however, will be detected this way, since it may be that none of the hash blocks in the particular packet isolated the fixed, active code elements. Thus, systems and methods consistent with the principles of the invention may be used to provide a warning that a virus/worm is potentially propagating and capture suspicious packets for human analysis.
Non-polymorphic viruses and worms may also be detected somewhat more quickly by these techniques because block alignment is not the same in every packet and partial matches will be more common early in the appearance of the virus/worm in the network, at least for longer packets. The certainty of detection will be correspondingly lower. So, it may take somewhat more examples of the virus/worm to reach the same degree of certainty of detection of the virus/worm, as with the fixed-length hash blocks, due to the randomness introduced into the hash-sampling process.
The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.
For example, systems and methods have been described with regard to network-level devices. In other implementations, the systems and methods described herein may be used with a stand-alone device at the input or output of a network link or at other protocol levels, such as in mail relay hosts (e.g., Simple Mail Transfer Protocol (SMTP) servers).
To this regard, the variable-sized block hashing technique described previously can be used in conjunction with traditional host-based virus scanning software. For example, training data may be obtained from a network application and the hash memory contents may then be transmitted to one or more hosts to aid in looking for the suspected virus or worm on the host. In other words, the host may receive hash values associated with the suspected virus or worm from the network application. The host may hash one or more variable-sized portions of the files stored in its memory to generate hash values associated with these files. The host may compare the generated hash values to the hash values associated with the suspected virus or worm and identify one or more files that may contain the suspected virus or worm when the hash values match. The technique may be used as a prioritization stage to determine which files most likely contain a virus or worm. The virus scanning software could then use other, more expensive, techniques to scan these files.
The variable-sized block hashing technique may also be used in conjunction with network-based applications, where suspicious messages are delivered to a reassembly process and the resulting messages scanned by a more conventional (e.g., execution simulating) virus detector.
While a series of acts has been described with regard to the flowchart of
Further, certain portions of the invention have been described as “logic” that performs one or more functions. This logic may include hardware, such as an ASIC or a FPGA, software, or a combination of hardware and software.
No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. The scope of the invention is defined by the claims and their equivalents.
Claims
1. In a network carrying a plurality of packets over at least one network link, the network including a first network component having memory and a processor and configured to store information in the memory about at least one of the plurality of packets, a method for detecting a target packet comprising:
- receiving at least one of the plurality of packets over the link to obtain a received packet;
- determining a representation of at least a portion of the received packet;
- identifying a location in the memory;
- associating a value with the location in the memory;
- receiving a query message identifying a target packet at the first network component;
- the first network component using the value associated with the location in the memory in processing the query message to determine if the target packet has been encountered;
- creating a reply if the target packet has been encountered; and
- the first network component making the reply available to the network if the target packet has been encountered;
- wherein the reply is capable of being used as part of a method for locating an intrusion point of the target packet in the network.
2. The method of claim 1, wherein the making the reply available to the network includes forwarding the reply to a second network component.
3. The method of claim 2, wherein the second network component is a computer.
4. The method of claim 1, wherein the reply contains a network address for the first network component.
5. The method of claim 1, wherein the representation is determined over the entire received packet.
6. The method of claim 1, further comprising:
- determining if the received packet has undergone a transformation, such transformation having occurred if a first hash value of at least a portion of the received packet computed at a first time is not equal to a second hash value of at least a portion of the received packet computed at a second time, the second time occurring after the first time.
7. The method of claim 1, wherein the network is an Internet Protocol (IP) network.
8. The method of claim 1, wherein the link is a wireless link.
9. The method of claim 1, wherein the first network component is a router.
10. In a network carrying a plurality of packets over at least one link, the network including a network component operatively coupled to the link and having a memory and a processor, a method for storing information about a plurality of packets received over the network, at least a portion of the information being used to locate an intrusion point for a first one of the plurality of packets, the method comprising:
- receiving the first one of the plurality of packets;
- determining a first representation of the first one of the plurality of packets over at least a portion thereof;
- identifying a first location in the memory;
- associating a value with the first location in the memory;
- receiving a second one of the plurality of packets;
- processing the second one of the plurality of packets to obtain information contained therein;
- using the information contained in the second one of the plurality of packets to determine if the first one of the plurality of packets has been observed; and
- making a reply available to the network, in response to receiving a query message identifying a target packet, if the information contained in the second one of the plurality of packets indicates that the first one of the plurality of packets has been observed, the reply capable of being used as part of a method for locating the intrusion point for the first one of the plurality of packets to assist in determining a source location of an intrusion point of the target packet in the network.
11. A system comprising:
- a first interface for receiving at least one of a plurality of packets to obtain at least one received packet from a network;
- a second interface for placing at least a subset of the at least one received packet onto a link;
- a bus communicatively coupled to the first interface and the second interface;
- a memory communicatively coupled to the bus, the memory for storing information about the at least one received packet in a machine-readable form;
- a processor communicatively coupled to the bus and the memory, the processor configured for executing machine-readable instructions for processing the at least one received packet;
- wherein the system is operable such that the memory is capable of storing the information in a form of one or more first representations for the at least one received packet, each of the one or more first representations determined from a corresponding one of the at least one received packet respectively;
- wherein the system is operable to receive a query message including a second representation associated with a target packet in the network and use the stored one or more first representations in the memory in processing the query message to determine if the target packet has been encountered; and
- wherein the system is operable to generate a reply after comparing the second representation to the stored one or more first representations; wherein the reply is capable of being used for locating an intrusion point associated with the target packet in the network.
12. The system of claim 11, wherein the first interface and the second interface are combined into a single bi-directional interface.
13. The system of claim 11, wherein the reply is made available to another network.
14. The system of claim 11, wherein the network is a wireless network.
15. The system of claim 11, wherein the network is an Internet Protocol (IP) network.
16. The system of claim 11, wherein the processor is an ASIC.
17. The system of claim 11, wherein the reply is a positive reply if the second representation matches at least one of the plurality of first representations.
18. The system of claim 11, wherein the reply is forwarded to those of a plurality of devices one hop away in the network.
19. The system of claim 11, wherein the system is operable such that the reply is forwarded to an isolation server responsive to operation of an intrusion detection system, for isolating a malicious packet.
20. The system of claim 19, wherein the system is operable such that the reply is related to building a trace of potential paths taken by the malicious packet.
21. The system of claim 11, wherein the system is operable such that the first representations include hash values.
22. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for establishing a bit map of the first representations representative of the at least one received packet.
23. The system of claim 11, wherein the system is operable such that the second representation is a hash of at least a portion of the at least one received packet.
24. The system of claim 11, wherein the system is operable such that the processor executes machine-readable instructions for determining whether a target packet has been encountered in the network.
25. The system of claim 24, wherein the system is operable such that the determining is accomplished using a source path isolation technique.
26. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a breadth-first search.
27. The system of claim 25, wherein the system is operable such that the source path isolation technique includes a depth-first search.
28. The system of claim 11, wherein the reply is used to determine a point of entry of at least one target packet.
29. The system of claim 28, wherein the at least one target packet is a malicious packet.
30. The system of claim 11, wherein the information includes a time-of-arrival.
31. The system of claim 11, wherein the information includes encapsulation link information.
32. The system of claim 11, wherein the comparing the second representation to the one or more of the plurality of first representations includes using a bit map of hash values representative of the one or more of the plurality of first representations.
33. The system of claim 11, wherein the reply includes an address of a router.
34. The system of claim 33, wherein the router is the system.
35. The system of claim 11, wherein the reply includes information about observed packets.
36. The system of claim 11, wherein the reply includes information about transformed packets.
37. The system of claim 36, wherein the transformed packets have passed through the system.
38. The system of claim 11, wherein the system is operable to receive at least one executable instruction for instructing the system to modify the operation of the system, and wherein the at least one executable instruction facilitates a response to network intrusion.
3956615 | May 11, 1976 | Anderson et al. |
4104721 | August 1, 1978 | Markstein et al. |
4177510 | December 4, 1979 | Appell et al. |
4200770 | April 29, 1980 | Hellman et al. |
4289930 | September 15, 1981 | Connolly et al. |
4384325 | May 17, 1983 | Slechta, Jr. et al. |
4386233 | May 31, 1983 | Smid et al. |
4386416 | May 31, 1983 | Giltner et al. |
4405829 | September 20, 1983 | Rivest et al. |
4442484 | April 10, 1984 | Childs, Jr. et al. |
4532588 | July 30, 1985 | Foster |
4584639 | April 22, 1986 | Hardy |
4590470 | May 20, 1986 | Koenig |
4607137 | August 19, 1986 | Jansen et al. |
4621321 | November 4, 1986 | Boebert et al. |
4641274 | February 3, 1987 | Swank |
4648031 | March 3, 1987 | Jenner |
4701840 | October 20, 1987 | Boebert et al. |
4710763 | December 1, 1987 | Franke et al. |
4713753 | December 15, 1987 | Boebert et al. |
4713780 | December 15, 1987 | Schultz et al. |
4754428 | June 28, 1988 | Schultz et al. |
4837798 | June 6, 1989 | Cohen et al. |
4853961 | August 1, 1989 | Pastor |
4864573 | September 5, 1989 | Horsten |
4868877 | September 19, 1989 | Fischer |
4870571 | September 26, 1989 | Frink |
4885789 | December 5, 1989 | Burger et al. |
4910774 | March 20, 1990 | Barakat |
4914568 | April 3, 1990 | Kodosky et al. |
4926480 | May 15, 1990 | Chaum |
4947430 | August 7, 1990 | Chaum |
4951196 | August 21, 1990 | Jackson |
4975950 | December 4, 1990 | Lentz |
4979210 | December 18, 1990 | Nagata et al. |
4996711 | February 26, 1991 | Chaum |
5005200 | April 2, 1991 | Fischer |
5008814 | April 16, 1991 | Mathur |
5020059 | May 28, 1991 | Gorin et al. |
5051886 | September 24, 1991 | Kawaguchi et al. |
5054096 | October 1, 1991 | Beizer |
5070528 | December 3, 1991 | Hawe et al. |
5093914 | March 3, 1992 | Coplien et al. |
5105184 | April 14, 1992 | Pirani et al. |
5119465 | June 2, 1992 | Jack et al. |
5124984 | June 23, 1992 | Engel |
5144557 | September 1, 1992 | Wang et al. |
5144659 | September 1, 1992 | Jones |
5144660 | September 1, 1992 | Rose |
5144665 | September 1, 1992 | Takaragi et al. |
5153918 | October 6, 1992 | Tuai |
5164988 | November 17, 1992 | Matyas et al. |
5167011 | November 24, 1992 | Priest |
5191611 | March 2, 1993 | Lang |
5200999 | April 6, 1993 | Matyas et al. |
5204961 | April 20, 1993 | Barlow |
5210795 | May 11, 1993 | Lipner et al. |
5210824 | May 11, 1993 | Putz et al. |
5210825 | May 11, 1993 | Kavaler |
5214702 | May 25, 1993 | Fischer |
5224163 | June 29, 1993 | Gasser et al. |
5226080 | July 6, 1993 | Cole et al. |
5228083 | July 13, 1993 | Lozowick et al. |
5235642 | August 10, 1993 | Wobber et al. |
5239466 | August 24, 1993 | Morgan et al. |
5241594 | August 31, 1993 | Kung |
5247661 | September 21, 1993 | Hager et al. |
5263147 | November 16, 1993 | Francisco et al. |
5263157 | November 16, 1993 | Janis |
5265163 | November 23, 1993 | Golding et al. |
5265164 | November 23, 1993 | Matyas et al. |
5267313 | November 30, 1993 | Hirata |
5272754 | December 21, 1993 | Boerbert |
5276735 | January 4, 1994 | Boebert et al. |
5276736 | January 4, 1994 | Chaum |
5276737 | January 4, 1994 | Micali |
5276869 | January 4, 1994 | Forrest et al. |
5276901 | January 4, 1994 | Howell et al. |
5278901 | January 11, 1994 | Shieh et al. |
5280527 | January 18, 1994 | Gullman et al. |
5283887 | February 1, 1994 | Zachery |
5293250 | March 8, 1994 | Okumura et al. |
5299263 | March 29, 1994 | Beller et al. |
5303303 | April 12, 1994 | White |
5305385 | April 19, 1994 | Schanning et al. |
5311591 | May 10, 1994 | Fischer |
5311593 | May 10, 1994 | Carmi |
5313521 | May 17, 1994 | Torii et al. |
5313637 | May 17, 1994 | Rose |
5315657 | May 24, 1994 | Abadi et al. |
5315658 | May 24, 1994 | Micali |
5319776 | June 7, 1994 | Hile et al. |
5325370 | June 28, 1994 | Cleveland et al. |
5329623 | July 12, 1994 | Smith et al. |
5333266 | July 26, 1994 | Boaz et al. |
5341426 | August 23, 1994 | Barney et al. |
5347578 | September 13, 1994 | Duxbury |
5351293 | September 27, 1994 | Michener et al. |
5355472 | October 11, 1994 | Lewis |
5355474 | October 11, 1994 | Thuraisngham et al. |
5359659 | October 25, 1994 | Rosenthal |
5361002 | November 1, 1994 | Casper |
5367621 | November 22, 1994 | Cohen et al. |
5371794 | December 6, 1994 | Diffie et al. |
5377354 | December 27, 1994 | Scannell et al. |
5379340 | January 3, 1995 | Overend et al. |
5379374 | January 3, 1995 | Ishizaki et al. |
5386470 | January 31, 1995 | Carter et al. |
5388189 | February 7, 1995 | Kung |
5404231 | April 4, 1995 | Bloomfield |
5406557 | April 11, 1995 | Baudoin |
5406628 | April 11, 1995 | Beller et al. |
5410326 | April 25, 1995 | Goldstein |
5414650 | May 9, 1995 | Hekhuis |
5414833 | May 9, 1995 | Hershey et al. |
5416842 | May 16, 1995 | Aziz |
5418908 | May 23, 1995 | Keller et al. |
5424724 | June 13, 1995 | Williams et al. |
5432932 | July 11, 1995 | Chen et al. |
5436972 | July 25, 1995 | Fischer |
5440723 | August 8, 1995 | Arnold et al. |
5455828 | October 3, 1995 | Zisapel |
5479411 | December 26, 1995 | Klein |
5481312 | January 2, 1996 | Cash et al. |
5481613 | January 2, 1996 | Ford et al. |
5483466 | January 9, 1996 | Kawahara et al. |
5485409 | January 16, 1996 | Gupta et al. |
5485460 | January 16, 1996 | Schrier et al. |
5491750 | February 13, 1996 | Bellare et al. |
5495610 | February 27, 1996 | Shing et al. |
5499294 | March 12, 1996 | Friedman |
5504454 | April 2, 1996 | Daggett et al. |
5509074 | April 16, 1996 | Choudhury et al. |
5511122 | April 23, 1996 | Atkinson |
5511163 | April 23, 1996 | Lerche et al. |
5513126 | April 30, 1996 | Harkins et al. |
5513323 | April 30, 1996 | Williams et al. |
5521910 | May 28, 1996 | Matthews |
5530852 | June 25, 1996 | Meske, Jr. et al. |
5535276 | July 9, 1996 | Ganesan |
5537533 | July 16, 1996 | Staheli et al. |
5539824 | July 23, 1996 | Bjorklund et al. |
5541993 | July 30, 1996 | Fan et al. |
5544320 | August 6, 1996 | Konrad |
5548646 | August 20, 1996 | Aziz et al. |
5550984 | August 27, 1996 | Gelb |
5550994 | August 27, 1996 | Tashiro et al. |
5553145 | September 3, 1996 | Micali |
5555309 | September 10, 1996 | Kruys |
5557346 | September 17, 1996 | Lipner et al. |
5557742 | September 17, 1996 | Smaha et al. |
5557765 | September 17, 1996 | Lipner et al. |
5561703 | October 1, 1996 | Arledge et al. |
5564106 | October 8, 1996 | Puhl et al. |
5566170 | October 15, 1996 | Bakke et al. |
5572590 | November 5, 1996 | Chess |
5572643 | November 5, 1996 | Judson |
5577209 | November 19, 1996 | Boyle et al. |
5583940 | December 10, 1996 | Vidrascu et al. |
5583995 | December 10, 1996 | Gardner et al. |
5586260 | December 17, 1996 | Hu |
5602918 | February 11, 1997 | Chen et al. |
5604490 | February 18, 1997 | Blakley, III et al. |
5606668 | February 25, 1997 | Shwed |
5608819 | March 4, 1997 | Ikeuchi |
5608874 | March 4, 1997 | Ogawa et al. |
5615340 | March 25, 1997 | Dai et al. |
5619648 | April 8, 1997 | Canale et al. |
5621579 | April 15, 1997 | Yuen |
5621889 | April 15, 1997 | Lermuzeaux et al. |
5623598 | April 22, 1997 | Voigt et al. |
5623600 | April 22, 1997 | Ji et al. |
5623601 | April 22, 1997 | Vu |
5623637 | April 22, 1997 | Jones et al. |
5625695 | April 29, 1997 | M'Raihi et al. |
5627977 | May 6, 1997 | Hickey et al. |
5629982 | May 13, 1997 | Micali |
5631961 | May 20, 1997 | Mills et al. |
5632011 | May 20, 1997 | Landfield et al. |
5636371 | June 3, 1997 | Yu |
5638487 | June 10, 1997 | Chigier |
5640454 | June 17, 1997 | Lipner et al. |
5644404 | July 1, 1997 | Hashimoto et al. |
5644571 | July 1, 1997 | Seaman |
5647000 | July 8, 1997 | Leighton |
5649095 | July 15, 1997 | Cozza |
5655081 | August 5, 1997 | Bonnell et al. |
5657461 | August 12, 1997 | Harkins et al. |
5666416 | September 9, 1997 | Micali |
5666530 | September 9, 1997 | Clark et al. |
5671279 | September 23, 1997 | Elgamal |
5673322 | September 30, 1997 | Pepe et al. |
5675507 | October 7, 1997 | Bobo, II |
5675733 | October 7, 1997 | Williams |
5677955 | October 14, 1997 | Doggett et al. |
5684951 | November 4, 1997 | Goldman et al. |
5687235 | November 11, 1997 | Perlman et al. |
5689565 | November 18, 1997 | Spies et al. |
5689566 | November 18, 1997 | Nguyen |
5694616 | December 2, 1997 | Johnson et al. |
5696822 | December 9, 1997 | Nachenberg |
5699431 | December 16, 1997 | Van Oorschot et al. |
5699513 | December 16, 1997 | Feigen et al. |
5706442 | January 6, 1998 | Anderson et al. |
5706507 | January 6, 1998 | Schloss |
5708780 | January 13, 1998 | Levergood et al. |
5708826 | January 13, 1998 | Ikeda et al. |
5710883 | January 20, 1998 | Hong et al. |
5717757 | February 10, 1998 | Micali |
5717758 | February 10, 1998 | Micali |
5724428 | March 3, 1998 | Rivest |
5724512 | March 3, 1998 | Winterbottom |
5727156 | March 10, 1998 | Herr-Hoyman et al. |
5740231 | April 14, 1998 | Cohn et al. |
5742759 | April 21, 1998 | Nessett et al. |
5742769 | April 21, 1998 | Lee et al. |
5745573 | April 28, 1998 | Lipner et al. |
5745574 | April 28, 1998 | Muftic |
5751956 | May 12, 1998 | Kirsch |
5758343 | May 26, 1998 | Vigil et al. |
5761531 | June 2, 1998 | Ohmura et al. |
5764906 | June 9, 1998 | Edelstein et al. |
5765030 | June 9, 1998 | Nachenberg et al. |
5768388 | June 16, 1998 | Goldwasser et al. |
5768528 | June 16, 1998 | Stumm |
5769942 | June 23, 1998 | Maeda |
5771348 | June 23, 1998 | Kubatzki et al. |
5778372 | July 7, 1998 | Cordell et al. |
5781729 | July 14, 1998 | Baker et al. |
5781735 | July 14, 1998 | Southard |
5781857 | July 14, 1998 | Hwang et al. |
5781901 | July 14, 1998 | Kuzma |
5790664 | August 4, 1998 | Coley et al. |
5790789 | August 4, 1998 | Suarez |
5790790 | August 4, 1998 | Smith et al. |
5790793 | August 4, 1998 | Higley |
5790856 | August 4, 1998 | Lillich |
5793763 | August 11, 1998 | Mayes et al. |
5793868 | August 11, 1998 | Micali |
5793954 | August 11, 1998 | Baker et al. |
5793972 | August 11, 1998 | Shane |
5796830 | August 18, 1998 | Johnson et al. |
5796942 | August 18, 1998 | Esbensen |
5796948 | August 18, 1998 | Cohen |
5798706 | August 25, 1998 | Kraemer et al. |
5799083 | August 25, 1998 | Brothers et al. |
5801700 | September 1, 1998 | Ferguson |
5802178 | September 1, 1998 | Holden et al. |
5802277 | September 1, 1998 | Cowlard |
5802371 | September 1, 1998 | Meier |
5805719 | September 8, 1998 | Pare, Jr. et al. |
5805801 | September 8, 1998 | Holloway et al. |
5812398 | September 22, 1998 | Nielsen |
5812763 | September 22, 1998 | Teng |
5812776 | September 22, 1998 | Gifford |
5812844 | September 22, 1998 | Jones et al. |
5815573 | September 29, 1998 | Johnson et al. |
5815657 | September 29, 1998 | Williams et al. |
5821398 | October 13, 1998 | Speirs et al. |
5822526 | October 13, 1998 | Waskiewicz |
5822527 | October 13, 1998 | Post |
5826013 | October 20, 1998 | Nachenberg |
5826014 | October 20, 1998 | Coley et al. |
5826022 | October 20, 1998 | Nielsen |
5826029 | October 20, 1998 | Gore, Jr. et al. |
5828832 | October 27, 1998 | Holden et al. |
5828893 | October 27, 1998 | Wied et al. |
5832208 | November 3, 1998 | Chen et al. |
5835087 | November 10, 1998 | Herz et al. |
5835090 | November 10, 1998 | Clark et al. |
5835600 | November 10, 1998 | Rivest |
5835758 | November 10, 1998 | Nochur et al. |
5842216 | November 24, 1998 | Anderson et al. |
5845084 | December 1, 1998 | Cordell et al. |
5850442 | December 15, 1998 | Muftic |
5852665 | December 22, 1998 | Gressel et al. |
5855020 | December 1998 | Kirsch |
5857022 | January 5, 1999 | Sudia |
5859966 | January 12, 1999 | Hayman et al. |
5860068 | January 12, 1999 | Cook |
5862325 | January 19, 1999 | Reed et al. |
5864667 | January 26, 1999 | Barkan |
5864683 | January 26, 1999 | Boebert et al. |
5864852 | January 26, 1999 | Luotonen |
5872844 | February 16, 1999 | Yacobi |
5872849 | February 16, 1999 | Sudia |
5872931 | February 16, 1999 | Chivaluri |
5878230 | March 2, 1999 | Weber et al. |
5884033 | March 16, 1999 | Duvall et al. |
5889943 | March 30, 1999 | Ji et al. |
5892825 | April 6, 1999 | Mages et al. |
5892903 | April 6, 1999 | Klaus |
5892904 | April 6, 1999 | Atkinson et al. |
5893114 | April 6, 1999 | Hashimoto et al. |
5896499 | April 20, 1999 | McKelvey |
5898830 | April 27, 1999 | Wesinger, Jr. et al. |
5898836 | April 27, 1999 | Freivald et al. |
5901227 | May 4, 1999 | Perlman |
5903651 | May 11, 1999 | Kocher |
5903723 | May 11, 1999 | Beck et al. |
5903882 | May 11, 1999 | Asay et al. |
5905859 | May 18, 1999 | Holloway et al. |
5907618 | May 25, 1999 | Gennaro et al. |
5907620 | May 25, 1999 | Klemba et al. |
5911776 | June 15, 1999 | Guck |
5912972 | June 15, 1999 | Barton |
5919257 | July 6, 1999 | Trostle |
5919258 | July 6, 1999 | Kayashima et al. |
5920630 | July 6, 1999 | Wertheimer et al. |
5922074 | July 13, 1999 | Richard et al. |
5923846 | July 13, 1999 | Gage et al. |
5923885 | July 13, 1999 | Johnson et al. |
5928329 | July 27, 1999 | Clark et al. |
5930479 | July 27, 1999 | Hall |
5933478 | August 3, 1999 | Ozaki et al. |
5933498 | August 3, 1999 | Schneck et al. |
5933647 | August 3, 1999 | Aronberg et al. |
5937066 | August 10, 1999 | Gennaro et al. |
5937164 | August 10, 1999 | Mages et al. |
5940591 | August 17, 1999 | Boyle et al. |
5941998 | August 24, 1999 | Tillson |
5946679 | August 31, 1999 | Ahuja et al. |
5948062 | September 7, 1999 | Tzelnic et al. |
5948104 | September 7, 1999 | Gluck et al. |
5950195 | September 7, 1999 | Stockwell et al. |
5951644 | September 14, 1999 | Creemer |
5951698 | September 14, 1999 | Chen et al. |
5956403 | September 21, 1999 | Lipner et al. |
5956481 | September 21, 1999 | Walsh et al. |
5958005 | September 28, 1999 | Thorne et al. |
5958010 | September 28, 1999 | Agarwal et al. |
5959976 | September 28, 1999 | Kuo |
5960170 | September 28, 1999 | Chen et al. |
5963915 | October 5, 1999 | Kirsch |
5964889 | October 12, 1999 | Nachenberg |
5970248 | October 19, 1999 | Meier |
5974141 | October 26, 1999 | Saito |
5978799 | November 2, 1999 | Hirsch |
5983012 | November 9, 1999 | Bianchi et al. |
5983228 | November 9, 1999 | Kobayashi et al. |
5987606 | November 16, 1999 | Cirasole et al. |
5987609 | November 16, 1999 | Hasebe |
5991406 | November 23, 1999 | Lipner et al. |
5991807 | November 23, 1999 | Schmidt et al. |
5991879 | November 23, 1999 | Still |
5991881 | November 23, 1999 | Conklin et al. |
5996011 | November 30, 1999 | Humes |
5996077 | November 30, 1999 | Williams |
5999723 | December 7, 1999 | Nachenberg |
5999932 | December 7, 1999 | Paul |
5999967 | December 7, 1999 | Sundsted |
6000041 | December 7, 1999 | Baker et al. |
6003027 | December 14, 1999 | Prager |
6006329 | December 21, 1999 | Chi |
6009103 | December 28, 1999 | Woundy |
6009274 | December 28, 1999 | Fletcher et al. |
6009462 | December 28, 1999 | Birrell et al. |
6012144 | January 4, 2000 | Pickett |
6014651 | January 11, 2000 | Crawford |
6021510 | February 1, 2000 | Nachenberg |
6023723 | February 8, 2000 | McCormick et al. |
6026414 | February 15, 2000 | Anglin |
6029256 | February 22, 2000 | Kouznetsov |
6035423 | March 7, 2000 | Hodges et al. |
6038233 | March 14, 2000 | Hamamoto et al. |
6049789 | April 11, 2000 | Frison et al. |
6052531 | April 18, 2000 | Waldin, Jr. et al. |
6052709 | April 18, 2000 | Paul |
6052788 | April 18, 2000 | Wesinger, Jr. et al. |
6055519 | April 25, 2000 | Kennedy et al. |
6058381 | May 2, 2000 | Nelson |
6058482 | May 2, 2000 | Liu |
6061448 | May 9, 2000 | Smith et al. |
6061722 | May 9, 2000 | Lipa et al. |
6067410 | May 23, 2000 | Nachenberg |
6070243 | May 30, 2000 | See et al. |
6072942 | June 6, 2000 | Stockwell et al. |
6073140 | June 6, 2000 | Morgan et al. |
6075863 | June 13, 2000 | Krishnan et al. |
6078929 | June 20, 2000 | Rao |
6085320 | July 4, 2000 | Kaliski, Jr. |
6088803 | July 11, 2000 | Tso et al. |
6088804 | July 11, 2000 | Hill et al. |
6092067 | July 18, 2000 | Girling et al. |
6092102 | July 18, 2000 | Wagner |
6092114 | July 18, 2000 | Shaffer et al. |
6092191 | July 18, 2000 | Shimbo et al. |
6092194 | July 18, 2000 | Touboul |
6092201 | July 18, 2000 | Turnbull et al. |
6094277 | July 25, 2000 | Toyoda |
6094731 | July 25, 2000 | Waldin et al. |
6097811 | August 1, 2000 | Micali |
6104500 | August 15, 2000 | Alam et al. |
6108683 | August 22, 2000 | Kamada et al. |
6108688 | August 22, 2000 | Nielsen |
6108691 | August 22, 2000 | Lee et al. |
6108786 | August 22, 2000 | Knowlson |
6112181 | August 29, 2000 | Shear et al. |
6118856 | September 12, 2000 | Paarsmarkt et al. |
6119137 | September 12, 2000 | Smith et al. |
6119142 | September 12, 2000 | Kosaka |
6119157 | September 12, 2000 | Traversat et al. |
6119165 | September 12, 2000 | Li et al. |
6119230 | September 12, 2000 | Carter |
6119231 | September 12, 2000 | Foss et al. |
6119236 | September 12, 2000 | Shipley |
6122661 | September 19, 2000 | Stedman et al. |
6123737 | September 26, 2000 | Sadowsky |
6134550 | October 17, 2000 | Van Oorschot et al. |
6134551 | October 17, 2000 | Aucsmith |
6138254 | October 24, 2000 | Voshell |
6141695 | October 31, 2000 | Sekiguchi et al. |
6141778 | October 31, 2000 | Kane et al. |
6144744 | November 7, 2000 | Smith, Sr. et al. |
6145083 | November 7, 2000 | Shaffer et al. |
6151643 | November 21, 2000 | Cheng et al. |
6151675 | November 21, 2000 | Smith |
6154769 | November 28, 2000 | Cherkasova et al. |
6154844 | November 28, 2000 | Touboul et al. |
6154879 | November 2000 | Pare et al. |
6161130 | December 12, 2000 | Horvitz et al. |
6161137 | December 12, 2000 | Ogdon et al. |
6167407 | December 26, 2000 | Nachenberg et al. |
6167438 | December 26, 2000 | Yates et al. |
6169969 | January 2, 2001 | Cohen |
6178242 | January 23, 2001 | Tsuria |
6178509 | January 23, 2001 | Nardone et al. |
6182142 | January 30, 2001 | Win et al. |
6182226 | January 30, 2001 | Reid et al. |
6185678 | February 6, 2001 | Arbaugh et al. |
6185682 | February 6, 2001 | Tang |
6185689 | February 6, 2001 | Todd, Sr. et al. |
6192360 | February 20, 2001 | Dumais et al. |
6192407 | February 20, 2001 | Smith et al. |
6199102 | March 6, 2001 | Cobb |
6202157 | March 13, 2001 | Brownlie et al. |
6215763 | April 10, 2001 | Doshi et al. |
6216265 | April 10, 2001 | Roop et al. |
6219706 | April 17, 2001 | Fan et al. |
6219714 | April 17, 2001 | Inhwan et al. |
6223094 | April 24, 2001 | Muehleck et al. |
6223172 | April 24, 2001 | Hunter et al. |
6223213 | April 24, 2001 | Cleron et al. |
6226666 | May 1, 2001 | Chang et al. |
6230190 | May 8, 2001 | Edmonds et al. |
6230194 | May 8, 2001 | Frailong et al. |
6230266 | May 8, 2001 | Perlman et al. |
6233577 | May 15, 2001 | Ramasubramani et al. |
6240401 | May 29, 2001 | Oren et al. |
6243815 | June 5, 2001 | Antur et al. |
6249575 | June 19, 2001 | Heilmann et al. |
6249585 | June 19, 2001 | McGrew et al. |
6249807 | June 19, 2001 | Shaw et al. |
6253337 | June 26, 2001 | Maloney et al. |
6260043 | July 10, 2001 | Puri et al. |
6260142 | July 10, 2001 | Thakkar et al. |
6266337 | July 24, 2001 | Marco |
6266668 | July 24, 2001 | Vanderveldt et al. |
6266692 | July 24, 2001 | Greenstein |
6266700 | July 24, 2001 | Baker et al. |
6266774 | July 24, 2001 | Sampath et al. |
6269380 | July 31, 2001 | Terry et al. |
6269447 | July 31, 2001 | Maloney et al. |
6269456 | July 31, 2001 | Hodges et al. |
6272532 | August 7, 2001 | Feinleib |
6272632 | August 7, 2001 | Carman et al. |
6275937 | August 14, 2001 | Hailpern et al. |
6275942 | August 14, 2001 | Bernhard et al. |
6275977 | August 14, 2001 | Nagai et al. |
6279113 | August 21, 2001 | Vaidya |
6279133 | August 21, 2001 | Vafai et al. |
6282565 | August 28, 2001 | Shaw et al. |
6285991 | September 4, 2001 | Powar |
6289214 | September 11, 2001 | Backstrom |
6292833 | September 18, 2001 | Liao et al. |
6298445 | October 2, 2001 | Shostack et al. |
6301668 | October 9, 2001 | Gleichauf et al. |
6301699 | October 9, 2001 | Hollander et al. |
6304898 | October 16, 2001 | Shiigi |
6304904 | October 16, 2001 | Sathyanarayan et al. |
6304973 | October 16, 2001 | Williams |
6311207 | October 30, 2001 | Mighdoll et al. |
6311273 | October 30, 2001 | Helbig et al. |
6314190 | November 6, 2001 | Zimmermann |
6317829 | November 13, 2001 | Van Oorschot |
6320948 | November 20, 2001 | Heilmann et al. |
6321267 | November 20, 2001 | Donaldson |
6324569 | November 27, 2001 | Ogilvie et al. |
6324647 | November 27, 2001 | Bowman-Amuah |
6324656 | November 27, 2001 | Gleichauf et al. |
6327579 | December 4, 2001 | Crawford |
6327594 | December 4, 2001 | Van Huben et al. |
6327620 | December 4, 2001 | Tams et al. |
6327652 | December 4, 2001 | England et al. |
6330551 | December 11, 2001 | Burchetta et al. |
6330589 | December 11, 2001 | Kennedy |
6330670 | December 11, 2001 | England et al. |
6332163 | December 18, 2001 | Bowman-Amuah |
6338141 | January 8, 2002 | Wells |
6341369 | January 22, 2002 | Degenaro et al. |
6347374 | February 12, 2002 | Drake et al. |
6347375 | February 12, 2002 | Reinert et al. |
6353886 | March 5, 2002 | Howard et al. |
6356859 | March 12, 2002 | Talbot et al. |
6356935 | March 12, 2002 | Gibbs |
6357008 | March 12, 2002 | Nachenberg |
6362836 | March 26, 2002 | Shaw et al. |
6363489 | March 26, 2002 | Comay et al. |
6367009 | April 2, 2002 | Davis et al. |
6367012 | April 2, 2002 | Atkinson et al. |
6370648 | April 9, 2002 | Diep |
6373950 | April 16, 2002 | Rowney |
6381694 | April 30, 2002 | Yen |
6385596 | May 7, 2002 | Wiser et al. |
6385655 | May 7, 2002 | Smith et al. |
6389419 | May 14, 2002 | Wong et al. |
6393465 | May 21, 2002 | Leeds |
6393568 | May 21, 2002 | Ranger et al. |
6397259 | May 28, 2002 | Lincke et al. |
6397335 | May 28, 2002 | Franczek et al. |
6400804 | June 4, 2002 | Bilder |
6401210 | June 4, 2002 | Templeton |
6405318 | June 11, 2002 | Rowland |
6411716 | June 25, 2002 | Brickell |
6424650 | July 23, 2002 | Yang et al. |
6430184 | August 6, 2002 | Robins et al. |
6430688 | August 6, 2002 | Kohl et al. |
6434536 | August 13, 2002 | Geiger |
6438549 | August 20, 2002 | Aldred et al. |
6438576 | August 20, 2002 | Huang et al. |
6438612 | August 20, 2002 | Ylonen et al. |
6442588 | August 27, 2002 | Clark et al. |
6442686 | August 27, 2002 | McArdle et al. |
6442688 | August 27, 2002 | Moses et al. |
6442689 | August 27, 2002 | Kocher |
6446109 | September 3, 2002 | Gupta |
6449367 | September 10, 2002 | Van Wie et al. |
6449640 | September 10, 2002 | Haverstock et al. |
6452613 | September 17, 2002 | Lefebvre et al. |
6453345 | September 17, 2002 | Trcka et al. |
6453352 | September 17, 2002 | Wagner et al. |
6453419 | September 17, 2002 | Flint et al. |
6460050 | October 1, 2002 | Pace et al. |
6460141 | October 1, 2002 | Olden |
6469969 | October 22, 2002 | Carson et al. |
6470086 | October 22, 2002 | Smith |
6477651 | November 5, 2002 | Teal |
6484203 | November 19, 2002 | Porras et al. |
6487599 | November 26, 2002 | Smith et al. |
6487658 | November 26, 2002 | Micali |
6487666 | November 26, 2002 | Shanklin et al. |
6496974 | December 17, 2002 | Sliger et al. |
6496979 | December 17, 2002 | Chen et al. |
6499107 | December 24, 2002 | Gleichauf et al. |
6502191 | December 31, 2002 | Smith et al. |
6507851 | January 14, 2003 | Fujiwara et al. |
6510431 | January 21, 2003 | Eichstaedt et al. |
6510464 | January 21, 2003 | Grantges, Jr. et al. |
6510466 | January 21, 2003 | Cox et al. |
6516316 | February 4, 2003 | Ramasubramani et al. |
6516411 | February 4, 2003 | Smith |
6519264 | February 11, 2003 | Carr et al. |
6519703 | February 11, 2003 | Joyce |
6526171 | February 25, 2003 | Furukawa |
6529498 | March 4, 2003 | Cheng |
6539430 | March 25, 2003 | Humes |
6546416 | April 8, 2003 | Kirsch |
6546493 | April 8, 2003 | Magdych et al. |
6550012 | April 15, 2003 | Villa et al. |
6560632 | May 6, 2003 | Chess et al. |
6574611 | June 3, 2003 | Matsuyama et al. |
6574737 | June 3, 2003 | Kingsford et al. |
6577920 | June 10, 2003 | Hypponen et al. |
6578025 | June 10, 2003 | Pollack et al. |
6578147 | June 10, 2003 | Shanklin et al. |
6584488 | June 24, 2003 | Brenner et al. |
6584564 | June 24, 2003 | Olkin et al. |
6587949 | July 1, 2003 | Steinberg |
6606708 | August 12, 2003 | Devine et al. |
6609196 | August 19, 2003 | Dickinson, III et al. |
6609205 | August 19, 2003 | Bernhard et al. |
6611869 | August 26, 2003 | Eschelbeck et al. |
6611925 | August 26, 2003 | Spear |
6615242 | September 2, 2003 | Riemers |
6622150 | September 16, 2003 | Kouznetsov et al. |
6647400 | November 11, 2003 | Moran |
6650890 | November 18, 2003 | Irlam et al. |
6654787 | November 25, 2003 | Aronson et al. |
6658568 | December 2, 2003 | Ginter et al. |
6662230 | December 9, 2003 | Eichstaedt et al. |
6668269 | December 23, 2003 | Kamada et al. |
6675153 | January 6, 2004 | Cook et al. |
6675209 | January 6, 2004 | Britt |
6678270 | January 13, 2004 | Garfinkel |
6681331 | January 20, 2004 | Munson et al. |
6684335 | January 27, 2004 | Epstein, III et al. |
6687687 | February 3, 2004 | Smadja |
6687732 | February 3, 2004 | Bector et al. |
6691156 | February 10, 2004 | Drummond et al. |
6694023 | February 17, 2004 | Kim |
6697950 | February 24, 2004 | Ko |
6701440 | March 2, 2004 | Kim et al. |
6704874 | March 9, 2004 | Porras et al. |
6707915 | March 16, 2004 | Jobst et al. |
6711127 | March 23, 2004 | Gorman et al. |
6711679 | March 23, 2004 | Guski et al. |
6715082 | March 30, 2004 | Chang et al. |
6721721 | April 13, 2004 | Bates et al. |
6725223 | April 20, 2004 | Abdo et al. |
6725377 | April 20, 2004 | Kouznetsov |
6728886 | April 27, 2004 | Ji et al. |
6731756 | May 4, 2004 | Pizano et al. |
6732101 | May 4, 2004 | Cook |
6732149 | May 4, 2004 | Kephart |
6732157 | May 4, 2004 | Gordon et al. |
6735700 | May 11, 2004 | Flint et al. |
6735703 | May 11, 2004 | Kilpatrick et al. |
6738462 | May 18, 2004 | Brunson |
6738814 | May 18, 2004 | Cox et al. |
6738932 | May 18, 2004 | Price |
6741595 | May 25, 2004 | Maher, III et al. |
6742015 | May 25, 2004 | Bowman-Amuah |
6742124 | May 25, 2004 | Kilpatrick et al. |
6742128 | May 25, 2004 | Joiner |
6745192 | June 1, 2004 | Libenzi |
6748531 | June 8, 2004 | Epstein |
6754705 | June 22, 2004 | Joiner et al. |
6757830 | June 29, 2004 | Tarbotton et al. |
6760765 | July 6, 2004 | Asai et al. |
6760845 | July 6, 2004 | Cafarelli et al. |
6766450 | July 20, 2004 | Micali |
6768991 | July 27, 2004 | Hearnden |
6769016 | July 27, 2004 | Rothwell et al. |
6772334 | August 3, 2004 | Glawitsch |
6772346 | August 3, 2004 | Chess et al. |
6775657 | August 10, 2004 | Baker |
6775704 | August 10, 2004 | Watson et al. |
6779033 | August 17, 2004 | Watson et al. |
6782503 | August 24, 2004 | Dawson |
6785728 | August 31, 2004 | Schneider et al. |
6785732 | August 31, 2004 | Bates et al. |
6785818 | August 31, 2004 | Sobel et al. |
6789202 | September 7, 2004 | Ko et al. |
6792546 | September 14, 2004 | Shanklin et al. |
6799197 | September 28, 2004 | Shetty et al. |
6802002 | October 5, 2004 | Corella |
6804237 | October 12, 2004 | Luo et al. |
6804778 | October 12, 2004 | Levi et al. |
6804783 | October 12, 2004 | Wesinger, Jr. et al. |
6826698 | November 30, 2004 | Minkin et al. |
6842860 | January 11, 2005 | Branstad et al. |
6842861 | January 11, 2005 | Cox et al. |
6845449 | January 18, 2005 | Carman et al. |
6847888 | January 25, 2005 | Fox et al. |
6851057 | February 1, 2005 | Nachenberg |
6859793 | February 22, 2005 | Lambiase |
6862581 | March 1, 2005 | Lambiase |
6870849 | March 22, 2005 | Callon et al. |
6883101 | April 19, 2005 | Fox et al. |
6892178 | May 10, 2005 | Zacharia |
6892179 | May 10, 2005 | Zacharia |
6892237 | May 10, 2005 | Gai et al. |
6892241 | May 10, 2005 | Kouznetsov et al. |
6895385 | May 17, 2005 | Zacharia et al. |
6895436 | May 17, 2005 | Caillau et al. |
6907430 | June 14, 2005 | Chong et al. |
6909205 | June 21, 2005 | Corcoran et al. |
6910134 | June 21, 2005 | Maher, III et al. |
6910135 | June 21, 2005 | Grainger |
6915426 | July 5, 2005 | Carman et al. |
6922776 | July 26, 2005 | Cook et al. |
6928550 | August 9, 2005 | Le Pennec et al. |
6928556 | August 9, 2005 | Black et al. |
6934857 | August 23, 2005 | Bartleson et al. |
6941348 | September 6, 2005 | Petry et al. |
6941467 | September 6, 2005 | Judge et al. |
6944673 | September 13, 2005 | Malan et al. |
6947442 | September 20, 2005 | Sato et al. |
6947936 | September 20, 2005 | Suermondt et al. |
6950933 | September 27, 2005 | Cook et al. |
6952776 | October 4, 2005 | Chess |
6954775 | October 11, 2005 | Shanklin et al. |
6968336 | November 22, 2005 | Gupta |
6968461 | November 22, 2005 | Lucas et al. |
6971019 | November 29, 2005 | Nachenberg |
6976168 | December 13, 2005 | Branstad et al. |
6976271 | December 13, 2005 | Le Pennec et al. |
6978223 | December 20, 2005 | Milliken |
6981146 | December 27, 2005 | Sheymov |
6981158 | December 27, 2005 | Sanchez et al. |
6985923 | January 10, 2006 | Bates et al. |
6993660 | January 31, 2006 | Libenzi et al. |
7010696 | March 7, 2006 | Cambridge et al. |
7055173 | May 30, 2006 | Chaganty et al. |
7058974 | June 6, 2006 | Maher, III et al. |
7080000 | July 18, 2006 | Cambridge |
7085934 | August 1, 2006 | Edwards |
7093002 | August 15, 2006 | Wolff et al. |
7107618 | September 12, 2006 | Gordon et al. |
7117358 | October 3, 2006 | Bandini et al. |
7117533 | October 3, 2006 | Libenzi |
7120252 | October 10, 2006 | Jones et al. |
7127743 | October 24, 2006 | Khanolkar et al. |
7134141 | November 7, 2006 | Crosbie et al. |
7136487 | November 14, 2006 | Schon et al. |
7150042 | December 12, 2006 | Wolff et al. |
7159237 | January 2, 2007 | Schneier et al. |
7181015 | February 20, 2007 | Matt |
7213260 | May 1, 2007 | Judge |
7222157 | May 22, 2007 | Sutton et al. |
7225255 | May 29, 2007 | Favier et al. |
7225466 | May 29, 2007 | Judge |
7234168 | June 19, 2007 | Gupta et al. |
7308715 | December 11, 2007 | Gupta et al. |
7310818 | December 18, 2007 | Parish et al. |
7328349 | February 5, 2008 | Milliken |
7366764 | April 29, 2008 | Vollebregt |
7409714 | August 5, 2008 | Gupta et al. |
7458098 | November 25, 2008 | Judge et al. |
7519994 | April 14, 2009 | Judge et al. |
7533272 | May 12, 2009 | Gordon et al. |
7624274 | November 24, 2009 | Alspector et al. |
7693945 | April 6, 2010 | Dulitz et al. |
20010005889 | June 28, 2001 | Albrecht |
20010009580 | July 26, 2001 | Ikeda |
20010011308 | August 2, 2001 | Clark et al. |
20010034839 | October 25, 2001 | Karjoth et al. |
20010039579 | November 8, 2001 | Trcka et al. |
20010049793 | December 6, 2001 | Sugimoto |
20020001384 | January 3, 2002 | Buer et al. |
20020004902 | January 10, 2002 | Toh et al. |
20020016826 | February 7, 2002 | Johansson et al. |
20020016910 | February 7, 2002 | Wright et al. |
20020019945 | February 14, 2002 | Houston et al. |
20020023140 | February 21, 2002 | Hile et al. |
20020026591 | February 28, 2002 | Hartley et al. |
20020032860 | March 14, 2002 | Wheeler et al. |
20020032871 | March 14, 2002 | Malan et al. |
20020035683 | March 21, 2002 | Kaashoek et al. |
20020038339 | March 28, 2002 | Xu |
20020042876 | April 11, 2002 | Smith |
20020042877 | April 11, 2002 | Wheeler et al. |
20020046041 | April 18, 2002 | Lang |
20020049853 | April 25, 2002 | Chu et al. |
20020069263 | June 6, 2002 | Sears et al. |
20020071438 | June 13, 2002 | Singh |
20020078381 | June 20, 2002 | Farley et al. |
20020078382 | June 20, 2002 | Sheikh et al. |
20020080888 | June 27, 2002 | Shu et al. |
20020083033 | June 27, 2002 | Abdo et al. |
20020083342 | June 27, 2002 | Webb et al. |
20020083343 | June 27, 2002 | Crosbie et al. |
20020087882 | July 4, 2002 | Schneier et al. |
20020091697 | July 11, 2002 | Huang et al. |
20020091757 | July 11, 2002 | Cuomo et al. |
20020095492 | July 18, 2002 | Kaashoek et al. |
20020107853 | August 8, 2002 | Hofmann et al. |
20020112008 | August 15, 2002 | Christenson et al. |
20020112168 | August 15, 2002 | Filipi-Martin et al. |
20020112185 | August 15, 2002 | Hodges |
20020116463 | August 22, 2002 | Hart |
20020116627 | August 22, 2002 | Tarbotton et al. |
20020120705 | August 29, 2002 | Schiavone et al. |
20020120853 | August 29, 2002 | Tyree |
20020120874 | August 29, 2002 | Shu et al. |
20020129002 | September 12, 2002 | Alberts et al. |
20020129277 | September 12, 2002 | Caccavale |
20020133365 | September 19, 2002 | Grey et al. |
20020133586 | September 19, 2002 | Shanklin et al. |
20020138416 | September 26, 2002 | Lovejoy et al. |
20020138755 | September 26, 2002 | Ko |
20020138759 | September 26, 2002 | Dutta |
20020138762 | September 26, 2002 | Horne |
20020143963 | October 3, 2002 | Converse et al. |
20020147734 | October 10, 2002 | Shoup et al. |
20020147780 | October 10, 2002 | Liu et al. |
20020147915 | October 10, 2002 | Chefalas et al. |
20020147925 | October 10, 2002 | Lingafelt et al. |
20020152399 | October 17, 2002 | Smith |
20020161718 | October 31, 2002 | Coley et al. |
20020165971 | November 7, 2002 | Baron |
20020169954 | November 14, 2002 | Bandini et al. |
20020172367 | November 21, 2002 | Mulder et al. |
20020174358 | November 21, 2002 | Wolff et al. |
20020178227 | November 28, 2002 | Matsa et al. |
20020178383 | November 28, 2002 | Hrabik et al. |
20020181703 | December 5, 2002 | Logan et al. |
20020186698 | December 12, 2002 | Ceniza |
20020188864 | December 12, 2002 | Jackson |
20020194161 | December 19, 2002 | McNamee et al. |
20020194469 | December 19, 2002 | Dominique et al. |
20020194490 | December 19, 2002 | Halperin et al. |
20020199095 | December 26, 2002 | Bandini et al. |
20030004688 | January 2, 2003 | Gupta et al. |
20030004689 | January 2, 2003 | Gupta et al. |
20030005326 | January 2, 2003 | Flemming |
20030009554 | January 9, 2003 | Burch et al. |
20030009693 | January 9, 2003 | Brock et al. |
20030009696 | January 9, 2003 | Bunker et al. |
20030009698 | January 9, 2003 | Lindeman et al. |
20030009699 | January 9, 2003 | Gupta et al. |
20030014662 | January 16, 2003 | Gupta et al. |
20030014664 | January 16, 2003 | Hentunen |
20030021280 | January 30, 2003 | Makinson et al. |
20030023692 | January 30, 2003 | Moroo |
20030023695 | January 30, 2003 | Kobata et al. |
20030023873 | January 30, 2003 | Ben-Itzhak |
20030023874 | January 30, 2003 | Prokupets et al. |
20030023875 | January 30, 2003 | Hursey et al. |
20030028803 | February 6, 2003 | Bunker et al. |
20030033516 | February 13, 2003 | Howard et al. |
20030033542 | February 13, 2003 | Goseva-Popstojanova et al. |
20030037141 | February 20, 2003 | Milo et al. |
20030041263 | February 27, 2003 | Devine et al. |
20030041264 | February 27, 2003 | Black et al. |
20030046421 | March 6, 2003 | Horvitz et al. |
20030051026 | March 13, 2003 | Carter et al. |
20030051163 | March 13, 2003 | Bidaud |
20030051168 | March 13, 2003 | King et al. |
20030055931 | March 20, 2003 | Cravo De Almeida et al. |
20030061502 | March 27, 2003 | Teblyashkin et al. |
20030061506 | March 27, 2003 | Cooper et al. |
20030065791 | April 3, 2003 | Garg et al. |
20030065943 | April 3, 2003 | Geis et al. |
20030084020 | May 1, 2003 | Shu |
20030084280 | May 1, 2003 | Bryan et al. |
20030084320 | May 1, 2003 | Tarquini et al. |
20030084323 | May 1, 2003 | Gales |
20030084347 | May 1, 2003 | Luzzatto |
20030088680 | May 8, 2003 | Nachenberg et al. |
20030088792 | May 8, 2003 | Card et al. |
20030093667 | May 15, 2003 | Dutta et al. |
20030093695 | May 15, 2003 | Dutta |
20030093696 | May 15, 2003 | Sugimoto |
20030095555 | May 22, 2003 | McNamara et al. |
20030097439 | May 22, 2003 | Strayer et al. |
20030097564 | May 22, 2003 | Tewari et al. |
20030101381 | May 29, 2003 | Mateev et al. |
20030105827 | June 5, 2003 | Tan et al. |
20030105859 | June 5, 2003 | Garnett et al. |
20030105976 | June 5, 2003 | Copeland, III |
20030110392 | June 12, 2003 | Aucsmith et al. |
20030110393 | June 12, 2003 | Brock et al. |
20030110396 | June 12, 2003 | Lewis et al. |
20030115485 | June 19, 2003 | Milliken |
20030115486 | June 19, 2003 | Choi et al. |
20030120604 | June 26, 2003 | Yokota et al. |
20030120647 | June 26, 2003 | Aiken et al. |
20030123665 | July 3, 2003 | Dunstan et al. |
20030126464 | July 3, 2003 | McDaniel et al. |
20030126472 | July 3, 2003 | Banzhof |
20030135749 | July 17, 2003 | Gales et al. |
20030140137 | July 24, 2003 | Joiner et al. |
20030140250 | July 24, 2003 | Taninaka et al. |
20030145212 | July 31, 2003 | Crumly |
20030145225 | July 31, 2003 | Bruton, III et al. |
20030145226 | July 31, 2003 | Bruton, III et al. |
20030145232 | July 31, 2003 | Poletto et al. |
20030149887 | August 7, 2003 | Yadav |
20030149888 | August 7, 2003 | Yadav |
20030154393 | August 14, 2003 | Young |
20030154399 | August 14, 2003 | Zuk et al. |
20030154402 | August 14, 2003 | Pandit et al. |
20030158905 | August 21, 2003 | Petry et al. |
20030159069 | August 21, 2003 | Choi et al. |
20030159070 | August 21, 2003 | Mayer et al. |
20030167402 | September 4, 2003 | Stolfo et al. |
20030172120 | September 11, 2003 | Tomkow et al. |
20030172166 | September 11, 2003 | Judge et al. |
20030172167 | September 11, 2003 | Judge et al. |
20030172289 | September 11, 2003 | Soppera |
20030172291 | September 11, 2003 | Judge et al. |
20030172292 | September 11, 2003 | Judge |
20030172294 | September 11, 2003 | Judge |
20030172301 | September 11, 2003 | Judge et al. |
20030172302 | September 11, 2003 | Judge et al. |
20030187996 | October 2, 2003 | Cardina et al. |
20030212791 | November 13, 2003 | Pickup |
20030233328 | December 18, 2003 | Scott et al. |
20030236845 | December 25, 2003 | Pitsos |
20040015554 | January 22, 2004 | Wilson |
20040025044 | February 5, 2004 | Day |
20040054886 | March 18, 2004 | Dickinson, III et al. |
20040058673 | March 25, 2004 | Irlam et al. |
20040059811 | March 25, 2004 | Sugauchi et al. |
20040083384 | April 29, 2004 | Hypponen |
20040088570 | May 6, 2004 | Roberts et al. |
20040103315 | May 27, 2004 | Cooper et al. |
20040111531 | June 10, 2004 | Staniford et al. |
20040139160 | July 15, 2004 | Wallace et al. |
20040139334 | July 15, 2004 | Wiseman |
20040143763 | July 22, 2004 | Radatti |
20040167968 | August 26, 2004 | Wilson et al. |
20040177120 | September 9, 2004 | Kirsch |
20040181462 | September 16, 2004 | Bauer et al. |
20040193482 | September 30, 2004 | Hoffman et al. |
20040203589 | October 14, 2004 | Wang et al. |
20040205135 | October 14, 2004 | Hallam-Baker |
20040221062 | November 4, 2004 | Starbuck et al. |
20040236884 | November 25, 2004 | Beetz |
20040267893 | December 30, 2004 | Lin |
20050014749 | January 20, 2005 | Chen et al. |
20050021738 | January 27, 2005 | Goeller et al. |
20050043936 | February 24, 2005 | Corston-Oliver et al. |
20050052998 | March 10, 2005 | Oliver et al. |
20050058129 | March 17, 2005 | Jones et al. |
20050065810 | March 24, 2005 | Bouron |
20050081059 | April 14, 2005 | Bandini et al. |
20050086526 | April 21, 2005 | Aguirre |
20050102366 | May 12, 2005 | Kirsch |
20050188045 | August 25, 2005 | Katsikas |
20050204159 | September 15, 2005 | Davis et al. |
20050235360 | October 20, 2005 | Pearson |
20050262209 | November 24, 2005 | Yu |
20050262210 | November 24, 2005 | Yu |
20060036693 | February 16, 2006 | Hulten et al. |
20060036727 | February 16, 2006 | Kurapati et al. |
20060042483 | March 2, 2006 | Work et al. |
20060047794 | March 2, 2006 | Jezierski |
20060095404 | May 4, 2006 | Adelman et al. |
20060095966 | May 4, 2006 | Park |
20060123083 | June 8, 2006 | Goutte et al. |
20060168006 | July 27, 2006 | Shannon et al. |
20060168017 | July 27, 2006 | Stern et al. |
20060212925 | September 21, 2006 | Shull et al. |
20060212930 | September 21, 2006 | Shull et al. |
20060212931 | September 21, 2006 | Shull et al. |
20060230039 | October 12, 2006 | Shull et al. |
20060253458 | November 9, 2006 | Dixon et al. |
20060259551 | November 16, 2006 | Caldwell, Jr. |
20080060075 | March 6, 2008 | Cox et al. |
20090064329 | March 5, 2009 | Okumura et al. |
20090083413 | March 26, 2009 | Levow et al. |
20100017487 | January 21, 2010 | Patinkin |
20100049848 | February 25, 2010 | Levow et al. |
WO9605673 | February 1996 | WO |
WO0028420 | May 2000 | WO |
WO0155927 | August 2001 | WO |
WO0173523 | October 2001 | WO |
WO02101516 | December 2002 | WO |
- US 5,373,559, 12/1994, Kaufman et al. (withdrawn)
- Notice of Allowance from U.S. Appl. No. 12/248,790 which was mailed on Aug. 15, 2011.
- Office Action from U.S. Appl. No. 12/762,368 which was mailed on Oct. 13, 2011.
- Paul Graham; A Plan for Spam; http://www.paulgraham.com/spam.html; Aug. 2002; pp. 1-11.
- Paul Vixie; Distributed Checksum Clearninghouse; Rhyolite Software; http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dcc.html; Aug. 26, 2002; pp. 1-9.
- RFC #1123; R. Braden; Requirements for Internet Hosts—Application and Support; Oct. 1989; pp. 1-97.
- RFC #2045; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies; Nov. 1996; pp. 1-29.
- RFC #2046; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types; Nov. 1996; pp. 1-19.
- RFC #2047; K. Moore; MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text); Nov. 1996; pp. 1-15.
- RFC #2048; N. Freed et al.; Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures; Nov. 1996; pp. 1-20.
- RFC #2049; N. Freed et al.; Multipurpose Internet Mail Extensions MIME) Part Five: Conformance Criteria and Examples; Nov. 1996; pp. 1-23.
- RFC #2231; N. Freed et al.; MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations; Nov. 1997; pp. 1-10.
- RFC #822; David H. Crocker; Standard for the Format of ARPA Internet Text Message; Aug. 13, 1982; pp. 1-49.
- S. Staniford-Chen, and L. Todd Herberlein; “Holding Intruders Accountable on the Internet”; Proceedsings of the 1995 IEEE Symposium on Security and Privacy; Oakland, CA, pp. 39-49, May 8-10, 1995.
- Savage et al., “Practical Network Support for IP Traceback,” Department of Computer Science and Engineering, University of Washington, (2000).
- Schwartz et al., “Smart Packets: Applying Active Networks to Network Management,” ACM Transaction on Computer Systems, 18(1):67-88, (2000).
- Skipper, Chad, “Polymorphism and IDS,” Symantec, (2001).
- Todd Heberlein; “Worm Detection and Prevention: Concept, Approach, and Experience”; Net Squared, Inc.; http://www.attackcenter.com/Information/WhitePapers/WormDetect/; Aug. 14, 2002; pp. 1-7.
- International Search Report for PCT/US2004/028896 mailed on Dec. 13, 2004.
- Bace, Rebecca Gurley, “Intrusion Detection—Technology Series”—Copyright 2000 by MacMillan Technical Publishing.
- Amoroso, Edward G., “Intrusion Detection—An Introduction to Surveillance, Correlation, Traps, Trace Back, and Response.” AT&T Laboratories, First Edition.—Copyright 1999 by AT&T, Inc.
- Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., “A Phased Approach to Network Intrusion Detection,” 14th National Computing Security Conference, 1991.
- Paxson, Vern, “Bro: A System for Detecting Network Intruders in Real-Time,” Proceedings of The 7th USENIX Security Symposium, San Antonio, TX, 1998.
- Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M. and Mansur, Doug, “DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, and An Early Prototype,” The 14th National Computer Security Conference, Oct. 1991, pp. 167-176.
- US App No. 00-4039CIP3.
- U.S. Appl. No. 09/881,074, filed Jun. 14, 2001.
- U.S. Appl. No. 09/881,145, filed Jun. 14, 2001.
- U.S. Appl. No. 10/251,403, filed Sep. 20, 2002.
- US App No. Frentz Jan. 14, 2003.
- Notice of Allowance from U.S. Appl. No. 09/881,074 which was mailed on Jan. 6, 2005.
- Notice of Allowance from U.S. Appl. No. 10/251,403 which was mailed on Aug. 10, 2007.
- Office Action from U.S. Appl. No. 09/881,145 which was mailed on Nov. 30, 2006.
- Office Action from U.S. Appl. No. 09/881,145 which was mailed on Apr. 20, 2005.
- Office Action from U.S. Appl. No. 09/881,145 which was mailed on Aug. 16, 2007.
- Office Action from U.S. Appl. No. 10/251,403 which was mailed on Dec. 8, 2006.
- Office Action from U.S. Appl. No. 10/251,403 which was mailed on Apr. 25, 2006.
- Office Action from U.S. Appl. No. 10/654,771 which was mailed on Jan. 13, 2011.
- Office Action from U.S. Appl. No. 10/654,771 which was mailed on Dec. 11, 2008.
- Office Action from U.S. Appl. No. 10/654,771 which was mailed on Jul. 22, 2010.
- Office Action from U.S. Appl. No. 12/243,778 which was mailed on Oct. 7, 2010.
- Office Action from U.S. Appl. No. 12/248,790 which was mailed on Feb. 11, 2010.
- Office Action from U.S. Appl. No. 12/248,790 which was mailed on May 27, 2010.
- Office Action from U.S. Appl. No. 12/243,785 which was mailed on Sep. 1, 2010.
- Office Action from U.S. Appl. No. 12/243,785 which was mailed on Mar. 30, 2011.
- Office Action from U.S. Appl. No. 12/249,803 which was mailed on Oct. 19, 2010.
- Office Action from U.S. Appl. No. 12/249,803 which was mailed on Mar. 10, 2011.
- Office Action from U.S. Appl. No. 12/249,804 which was mailed on Apr. 20, 2011.
- Office Action from U.S. Appl. No. 12/249,804 which was mailed on Aug. 30, 2010.
- Office Action from U.S. Appl. No. 12/249,823 which was mailed on Dec. 1, 2010.
- Office Action from U.S. Appl. No. 12/249,832 which was mailed on Oct. 12, 2010.
- Office Action from U.S. Appl. No. 12/762,365 which was mailed on Dec. 14, 2010.
- Office Action from U.S. Appl. No. 12/762,366 which was mailed on Nov. 10, 2010.
- Notice of Allowance from U.S. Appl. No. 12/248,790 which was mailed on Feb. 2, 2012.
- Office Action from U.S. Appl. No. 12/762,368 which was mailed on Feb. 23, 2012.
Type: Grant
Filed: Apr 18, 2010
Date of Patent: Apr 24, 2012
Patent Publication Number: 20100205671
Assignee: Stragent, LLC (Longview, TX)
Inventors: Walter Clark Milliken (Dover, NH), William Timothy Strayer (West Newton, MA), Stephen Douglas Milligan (Stow, MA), Luis Sanchez (Mayaguez, PR), Craig Partridge (East Lansing, MI)
Primary Examiner: Longbit Chai
Attorney: The Caldwell Firm, LLC
Application Number: 12/762,367
International Classification: H04L 9/00 (20060101); H04L 29/06 (20060101);