07159149 is referenced by 180 patents and cites 78 patents.

Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a sources is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.

Title
Heuristic detection and termination of fast spreading network worm attacks
Application Number
10/280586
Publication Number
7159149 (B2)
Application Date
October 24, 2002
Publication Date
January 2, 2007
Inventor
William Sobel
Stevenson Ranch
CA, US
Bruce McCorkendale
Los Angeles
CA, US
Mark Spiegel
West Hills
CA, US
Agent
Fenwick & West
Assignee
Symantec Corporation
CA, US
IPC
G06F 11/00
View Original Source