Title of invention: Identifying source of malicious network messages
Abstract: System, method and program for identifying a subset of a multiplicity of source networks. The subset includes one or more source networks which have sent messages to one of a plurality of destination locations having a same IP address. For each of the multiplicity of source networks, a determination is made whether there are fewer intervening hops from the source network to the one destination location than from the source network to the other destination locations of the plurality. If so, the source network is included in the subset. If not, the source network is not included in the subset. One application of the present invention is to identify a source of a denial of service attack. After the subset is identified, filters can be sequentially applied to block messages from respective source networks in the subset to determine which source network in the subset is sending the messages.
Publication number: US9191396(B2) Publication date: 2015.11.17
Application number: US200511221619 Filing date: 2005.09.08
Applicant: International Business Machines Corporation Inventors: Nesbitt Richard E.; O'Connell Brian M.; Pearthree Herbert D.; Vaughan Kevin E.
Classification: H04L29/06 Main classification: H04L29/06
Agency: Yee & Associates, P.C. Agents: Yee & Associates, P.C.; Ulrich Lisa J.
Main claim: 1. A method for identifying source of malicious network messages, said method comprising steps implemented by a computer of: identifying a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same Internet Protocol (IP) address, wherein identifying said subset comprises: the computer determining for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; responsive to a determination that there are fewer intervening hops for said each source network of said multiplicity of source networks, the computer identifying said each source network as included in said subset, and responsive to determining there are not fewer intervening hops for said each source network of said multiplicity of source networks, the computer not identifying said each source network as included in said subset; wherein one or more source networks are continuing to send messages to said one destination location, and further comprising a step of sequentially applying filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages, wherein one of said source networks in said subset has sent said messages to said one destination location and said messages are malicious.
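The abstract and claim describe two steps: narrow the candidate source networks to those with strictly fewer hops to the affected anycast site than to any other site sharing the same IP, then apply a filter to each candidate in turn and watch whether the flood stops. The following is an added illustration written for this record, not code from the patent or from IBM; the site names, hop counts, source networks and message counts are all constructed sample data, and the flood threshold is an assumed operating parameter.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: three sites announce the same anycast IP, and the
# number of intervening hops from each source network to each site has been
# measured (for example by traceroute-style probing from each site).
ANYCAST_SITES = ["site-A", "site-B", "site-C"]
HOP_COUNTS = {
    "10.0.0.0/8":      {"site-A": 4, "site-B": 9, "site-C": 11},
    "172.16.0.0/12":   {"site-A": 7, "site-B": 3, "site-C": 8},
    "192.168.0.0/16":  {"site-A": 5, "site-B": 6, "site-C": 12},
    "203.0.113.0/24":  {"site-A": 6, "site-B": 6, "site-C": 2},
    "198.51.100.0/24": {"site-A": 6, "site-B": 6, "site-C": 9},  # A/B tie: in neither subset
}


def closest_sources(hop_counts, site):
    """Subset of source networks with strictly fewer hops to `site` than to
    every other site sharing the IP (the claim's 'fewer intervening hops' test).
    A tie with any other site means the network is not included."""
    subset = []
    for network, hops in hop_counts.items():
        to_site = hops[site]
        if all(to_site < h for other, h in hops.items() if other != site):
            subset.append(network)
    return subset


def network_of(ip, networks):
    """Map a single source address to the first configured source network containing it."""
    addr = ip_address(ip)
    for net in networks:
        if addr in ip_network(net):
            return net
    return None


def aggregate_by_network(messages, networks):
    """Roll a per-source-address message log up to per-source-network counts.
    `messages` is a list of (source_ip, count); addresses outside every known
    source network are dropped."""
    totals = {}
    for src_ip, count in messages:
        net = network_of(src_ip, networks)
        if net is not None:
            totals[net] = totals.get(net, 0) + count
    return totals


# Constructed message log observed at site-A during one measurement window.
SAMPLE_MESSAGES_AT_SITE_A = [
    ("10.1.2.3", 40),
    ("192.168.7.7", 4990),   # the flood
    ("192.168.8.8", 10),
    ("198.51.100.9", 25),
    ("8.8.8.8", 3),          # not in any configured source network
]
FLOOD_THRESHOLD = 1000  # assumed: messages per window above which the site is under flood


def observed_rate(inbound, blocked):
    """Messages that still reach the site once the `blocked` networks are filtered."""
    return sum(n for net, n in inbound.items() if net not in blocked)


def find_flood_source(subset, inbound, threshold=FLOOD_THRESHOLD):
    """Sequentially apply a filter to each candidate network in `subset`; the
    candidate whose filter brings the rate below `threshold` is the sender.
    Returns None when there is no flood or no candidate explains it."""
    if observed_rate(inbound, set()) < threshold:
        return None
    for candidate in subset:
        if observed_rate(inbound, {candidate}) < threshold:
            return candidate
    return None


def attribute_flood(site="site-A", messages=SAMPLE_MESSAGES_AT_SITE_A):
    """End-to-end run of the two steps for one site."""
    subset = closest_sources(HOP_COUNTS, site)
    inbound = aggregate_by_network(messages, HOP_COUNTS.keys())
    return subset, find_flood_source(subset, inbound)


if __name__ == "__main__":
    subset, source = attribute_flood()
    print("candidates for site-A:", subset)
    print("network sending the flood:", source)
```

Each candidate filter is only held long enough to take one measurement, so legitimate traffic from a candidate that turns out to be innocent is blocked for a single window rather than for the duration of the investigation. The strict-inequality test in closest_sources deliberately excludes networks equidistant from two sites, matching the claim's wording that such a network is "not identified as included in said subset".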
Address: Armonk NY US