Abstract
Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.
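One way to apply threshold criteria to logged failed connection attempts, shown as an added example that is not taken from the patent. The window length, the failure count, the distinct-destination requirement and the function name are assumptions, and the log records are constructed.

```python
from collections import defaultdict, deque

# Assumed threshold criteria; the abstract gives no concrete values.
WINDOW_SECONDS = 10      # sliding observation window
MAX_FAILURES = 5         # failed attempts tolerated per source per window
MIN_DISTINCT_DESTS = 4   # failures must be spread over this many destinations

# Constructed sample log: (timestamp_seconds, source, destination, succeeded)
SAMPLE_LOG = (
    # many failures to many different hosts in a short time
    [(t, "192.0.2.10", f"198.51.100.{t + 1}", False) for t in range(7)]
    # repeated retries against one unreachable server
    + [(t, "192.0.2.20", "198.51.100.50", False) for t in range(8)]
    # occasional failures spread over a long period
    + [(t * 20, "192.0.2.30", f"203.0.113.{t + 1}", False) for t in range(6)]
    # a successful connection, which is not a failed attempt
    + [(3, "192.0.2.30", "203.0.113.80", True)]
)

def find_suspect_sources(events, window=WINDOW_SECONDS,
                         max_failures=MAX_FAILURES,
                         min_dests=MIN_DISTINCT_DESTS):
    """Return {source: timestamp at which it first crossed the thresholds}."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) failures
    flagged = {}
    for ts, src, dst, succeeded in sorted(events):
        if succeeded:
            continue              # only failed attempts are logged
        failures = recent[src]
        failures.append((ts, dst))
        # Discard failures that have aged out of the sliding window.
        while ts - failures[0][0] > window:
            failures.popleft()
        distinct_dests = {d for _, d in failures}
        if (src not in flagged and len(failures) > max_failures
                and len(distinct_dests) >= min_dests):
            flagged[src] = ts     # hand-off point for a response action
    return flagged

if __name__ == "__main__":
    for source, when in find_suspect_sources(SAMPLE_LOG).items():
        print(f"{source} exceeded the failure thresholds at t={when}s")
```

Requiring several distinct destinations keeps a client that retries one unreachable server from being flagged, while the sliding window keeps slow, occasional failures below the count.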