(12) Patent Application Publication (10) Pub. No.: US 2012/0233691 A1
(43) Pub. Date: Sep. 13, 2012
JIANG

(54) METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES

(75) Inventor: Wu JIANG, Beijing (CN)
(73) Assignee: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD., Chengdu (CN)
(21) Appl. No.: 13/481,273
(22) Filed: May 25, 2012

Related U.S. Application Data
(63) Continuation of application No. PCT/CN2010/078951, filed on Nov. 22, 2010.

(30) Foreign Application Priority Data
Nov. 26, 2009 (CN) ......................... 2009102471728

Publication Classification
(51) Int. Cl. G06F 21/00 (2006.01)
(52) U.S. Cl. .......................................................... 726/22

(57) ABSTRACT
A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source address of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source address to a monitoring device. The embodiments of the present invention can report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.
`
`
`
`
`
`Juniper Ex. 1027-p. 1
`Juniper v Huawei
`
`
`
[Sheet 1 of 3, FIG. 1: flowchart with blocks 105 Detect characteristics of a packet; 110 Judge whether any suspicious code exists in the packet according to a result of the detection; 128 Record a source address of the suspicious code; 130 Send alert information.]
`
`
`
[Sheet 2 of 3, FIG. 2: flowchart with blocks 105 Detect characteristics of a packet; 110 Judge whether any suspicious code exists in the packet according to a result of the detection; 128 Record a source address of the suspicious code; 130 Send alert information; 204 Receive alarm information sent by the monitoring device; 216 Intercept suspicious codes that are malicious according to maliciousness of the suspicious codes.]
`
`
`
[Sheet 3 of 3, FIG. 3: block diagram of the network device, with first detecting module 301 (containing detecting submodules 302 and 303), first judging module 312, first recording module 325, first sending module 336, first receiving module 345 and first intercepting module 352. FIG. 4: block diagram of the system, with network device 401 and monitoring device 412.]
`
`
`
`
METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES
`
CROSS-REFERENCE TO RELATED APPLICATION
[0001] This application is a continuation of International Application No. PCT/CN2010/078951, filed on Nov. 22, 2010, which claims priority to Chinese Patent Application No. 200910247172.8, filed on Nov. 26, 2009, which is hereby incorporated by reference in its entirety.
`
FIELD OF THE INVENTION
[0002] The present invention relates to network security technologies, and in particular, to a method, a device, and a system for alerting against unknown malicious codes.
`
BACKGROUND OF THE INVENTION
[0003] With the popularization of the Internet, higher network security is required. Loopholes are frequently used for launching attacks. The time from discovery to use of a security loophole has shortened from a few months to a few days. Once a loophole is discovered, it is used for launching attacks shortly afterwards. For such attacks, it usually takes a long time for the vendor to obtain a sample of the malicious codes, and it is slower still to release the corresponding patches. Therefore, such attacks tend to cause huge damage. MS Blast was used for launching attacks in less than 25 days after it was discovered, and Nachi (a variant of MS Blast) was used for launching attacks in less than one week after it was discovered. If the malicious codes are discovered early, the attacks can be prevented in time, and the loss caused by malicious codes will be reduced.
[0004] In the prior art, network devices are unable to report suspicious codes. After the malicious code attack is launched, it takes a long time for the vendor to obtain the malicious code sample. Antivirus software analyzes files downloaded to the computer and reports the analysis result to the monitoring center. However, the computer may still be attacked by downloaded malicious codes if the downloaded data is not treated properly, which brings a heavy burden onto the computer. Antivirus software has to be installed on the computer, which is troublesome to the user. For such reasons, some users refuse to install antivirus software on network devices, so that such devices are more vulnerable to propagation of malicious codes.
`
SUMMARY OF THE INVENTION
[0005] An embodiment of the present invention provides a method, a device, and a system for alerting against unknown malicious codes, so as to report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.
[0006] An embodiment of the present invention provides a method for alerting against unknown malicious codes, including:
[0007] detecting characteristics of a packet;
[0008] judging whether any suspicious code exists in the packet according to a result of the detection;
[0009] recording a source address of the suspicious code if the suspicious code exists in the packet; and
[0010] sending alert information that carries the source address to a monitoring device.
[0011] An embodiment of the present invention provides a network device, including:
[0012] a first detecting module, configured to detect characteristics of a packet;
[0013] a first judging module, configured to judge whether any suspicious code exists in the packet according to a result of the detection performed by the first detecting module;
[0014] a first recording module, configured to record a source address of the suspicious code if the first judging module determines that the suspicious code exists in the packet; and
[0015] a first sending module, configured to send alert information that carries the source address to a monitoring device.
[0016] An embodiment of the present invention provides a system for alerting against unknown malicious codes. The system includes a network device and a monitoring device. The monitoring device is configured to: receive alert information; resolve the alert information to obtain a source address; download a suspicious code corresponding to the source address; judge whether the suspicious code is malicious; and send alarm information when determining the suspicious code as malicious.
[0017] Therefore, the method, the device, and the system for alerting against unknown malicious codes in the embodiments of the present invention report source addresses of numerous suspicious codes proactively at the earliest possible time, enable the vendor to obtain the source addresses of malicious code samples shortly after the malicious codes occur, ensure comprehensiveness of the alert information source, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.
`
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] To make the technical solution under the present invention or in the prior art clearer, the following outlines the accompanying drawings involved in the description of the embodiments of the present invention or the prior art. Apparently, the accompanying drawings outlined below are illustrative rather than exhaustive, and persons of ordinary skill in the art can derive other drawings from them without any creative effort.
[0019] FIG. 1 is a schematic diagram of a method for alerting against unknown malicious codes according to an embodiment of the present invention;
[0020] FIG. 2 is a schematic diagram of a method for alerting against unknown malicious codes according to an embodiment of the present invention;
[0021] FIG. 3 is a schematic diagram of a network device according to an embodiment of the present invention; and
[0022] FIG. 4 is a schematic diagram of a system for alerting against unknown malicious codes according to an embodiment of the present invention.
`
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0023] The following detailed description is given in conjunction with the accompanying drawings to provide a thorough understanding of the present invention. Evidently, the drawings and the detailed description are merely representative of particular embodiments of the present invention rather than all embodiments. All other embodiments, which can be derived by those skilled in the art from the embodiments given herein without any creative effort, shall fall within the protection scope of the present invention.
[0024] The following describes the technical solution of the present invention in detail.
[0025] FIG. 1 is a schematic diagram of a method for alerting against unknown malicious codes according to an embodiment of the present invention. The method in this embodiment includes the following steps:
[0026] Step 105: Detect characteristics of a packet.
[0027] Step 110: Judge whether any suspicious code exists in the packet according to a result of the detection.
[0028] Step 128: Record a source address of the suspicious code if the suspicious code exists in the packet.
[0029] Step 130: Send alert information that carries the source address to a monitoring device.
[0030] The entity for performing the steps of this embodiment is a network device. The source address of the suspicious code in the packet is sent to the monitoring device so that the monitoring device is alerted to suspicious codes in time.
[0031] In this embodiment, the characteristics of the packet are detected. For example, the detection method is to detect whether the name of the suspicious code is included in the packet, whether the file header of the suspicious code is included in the data stream, or both.
[0032] Specifically, at the time of detecting whether the name of the suspicious code is included in the packet, if a string like "get *.exe" is detected in the packet, it indicates that an executable file is being transmitted, in which *.exe is a suspicious code and * represents a string of arbitrary length. The executable file may leak information of the terminal user, damage the terminal system, or even let the terminal be controlled by the attacker. Likewise, if a packet includes strings like "get *.dll" or "get *.ocx", it indicates that an executable file or a string of malicious codes is being transmitted, which may leak information of the terminal user, damage the terminal system, or even let the terminal be controlled by the attacker. Such codes need to be reported.
[0033] At the time of detecting whether the file header of the suspicious code is included in the data stream, if the PE (portable executable) file header characteristic code "MZ" is detected (MZ is expressed in American Standard Code for Information Interchange (ASCII) codes), the PE file may leak information of the terminal user, damage the terminal system, or even let the terminal be controlled by the attacker when the PE file is executed. Therefore, the PE file is a string of suspicious codes.
[0034] When the two detection methods above are combined, if "get *.jpg" is detected and the PE file header characteristic code "MZ" is detected (MZ is expressed in ASCII codes) in the corresponding data, the PE file is a string of suspicious codes, because the user attempts to download a picture but an executable file is returned. The spoofing indicates that the PE file is probably a string of malicious codes.
[0035] The source of the suspicious code needs to be located after the suspicious code is detected. Specifically, if the suspicious code is detected by checking whether the name of the suspicious code is included in the data stream, the source address generally appears in the URL after "get". If the suspicious code is detected by checking whether the file header of the suspicious code is included in the data stream, the source address of the packet may be searched out according to the information in the packet. If both of the detection methods are applied in detecting the suspicious code, the source address generally appears in the URL after "get".
[0036] After the source address of the suspicious code is recorded, alert information that carries the source address is sent to the monitoring device. After the alert information is sent, the network device receives alarm information returned by the monitoring device.
[0037] The method for alerting against unknown malicious codes in this embodiment reports source addresses of numerous suspicious codes proactively at the earliest possible time, enables the vendor to obtain the source addresses of malicious code samples shortly after the malicious codes occur, ensures comprehensiveness of the alert information source, lays a foundation for shortening the time required for overcoming virus threats, and avoids the trouble of installing software on the client.
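As an added illustration of steps 105 to 130 (this is not code from the application), the following Python sketch runs the two detection methods of paragraphs [0032] to [0035] over a constructed HTTP exchange and builds the alert information; the `Exchange` and `Alert` classes, the alert dictionary format and the host names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


# Constructed view of one HTTP exchange as seen by the network device:
# the request that asked for the file and the first bytes of the reply.
@dataclass
class Exchange:
    src_ip: str        # source address of the packet carrying the reply
    request_line: str  # e.g. "GET /tools/setup.exe HTTP/1.1" ("" if no request seen)
    host: str          # value of the request's Host header
    body: bytes        # leading bytes of the reply payload


@dataclass
class Alert:
    source_address: str  # where the monitoring device should fetch the sample from
    reason: str


# Names regarded as suspicious codes (paragraph [0032]) and the PE file header
# characteristic code (paragraph [0033]).
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".ocx")
PE_HEADER = b"MZ"
GET_RE = re.compile(r"^GET\s+(\S+)", re.IGNORECASE)


def requested_path(request_line: str) -> Optional[str]:
    """Return the URL path after 'get', or None if the packet has no GET line."""
    m = GET_RE.match(request_line)
    return m.group(1) if m else None


def name_detected(path: str) -> bool:
    """Detection method 1: does the packet carry the name of a suspicious code?"""
    return path.lower().split("?", 1)[0].endswith(SUSPICIOUS_SUFFIXES)


def header_detected(body: bytes) -> bool:
    """Detection method 2: does the data stream start with the PE header 'MZ'?"""
    return body[:2] == PE_HEADER


def judge(x: Exchange) -> Optional[Alert]:
    """Steps 110 and 128: decide whether suspicious code exists and record its source."""
    path = requested_path(x.request_line)
    url = f"http://{x.host}{path}" if path else None
    by_name = path is not None and name_detected(path)
    by_header = header_detected(x.body)
    if by_name and by_header:
        # Both methods fire: the source is the URL after 'get' (paragraph [0035]).
        return Alert(url, "executable name requested and PE header returned")
    if by_name:
        return Alert(url, "executable name in request")
    if by_header and url:
        # Paragraph [0034]: a non-executable name (e.g. *.jpg) answered with a PE
        # file is spoofing, so the download is probably malicious.
        return Alert(url, "spoofed download: non-executable name, PE header in data")
    if by_header:
        # No request line in this packet: fall back to the packet's source address.
        return Alert(x.src_ip, "PE header in data stream")
    return None


def alert_message(x: Exchange) -> Optional[dict]:
    """Step 130: the alert information sent to the monitoring device (constructed format)."""
    a = judge(x)
    if a is None:
        return None
    return {"source_address": a.source_address, "reason": a.reason}


if __name__ == "__main__":
    sample = Exchange("10.0.0.5", "GET /pics/cat.jpg HTTP/1.1", "img.example.test", b"MZ\x90\x00")
    print(alert_message(sample))
```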
[0038] FIG. 2 is a schematic diagram of a method for alerting against unknown malicious codes according to an embodiment of the present invention. The method in this embodiment includes the following steps:
[0039] Step 105: Detect characteristics of a packet.
[0040] Step 110: Judge whether any suspicious code exists in the packet according to a result of the detection.
[0041] Step 128: Record a source address of the suspicious code if the suspicious code exists in the packet.
[0042] Step 130: Send alert information that carries the source address to a monitoring device.
[0043] Step 204: Receive alarm information sent by the monitoring device. The alarm information includes maliciousness of the suspicious code, or includes both the maliciousness of the suspicious code and the Botnet topology information.
[0044] This embodiment differs from the previous embodiment in that the network device receives alarm information returned by the monitoring device after sending alert information. The alarm information includes maliciousness of the suspicious code against which the alert is raised, or includes both the maliciousness of the suspicious code and the Botnet topology information.
[0045] The monitoring device may identify maliciousness of the suspicious code through characteristics detection, sandbox test, or both.
[0046] If the monitoring device uses characteristics detection to calculate the possibility of maliciousness, the monitoring device compares the suspicious code with a more detailed repository of malicious code characteristics. If the suspicious code matches any characteristics in the repository of malicious code characteristics, the monitoring device can calculate the probability of attacks launched by the malicious code according to the matching extent, and identify the possibility of such attacks, namely, the maliciousness possibility. For example, if the suspicious code matches a string of suspicious code characteristics regarded as having an 80% probability of launching attacks in the characteristics repository, the suspicious code is also regarded as having an 80% probability of launching attacks. If this probability exceeds the alarm threshold, the suspicious code is possibly malicious.
[0047] If the monitoring device uses a sandbox to calculate the maliciousness possibility, the monitoring device runs the suspicious code in the sandbox automatically, records the execution result and the running status, and calculates the maliciousness possibility according to the record. The sandbox is a professional virtual environment. The program that runs in the sandbox is redirected into the sandbox when modifying a registry or a file. In this way, if the program is malicious, no impact is caused outside the sandbox. Even if an attack is launched in the sandbox, the attack impact is cancelled by restarting the sandbox. For example, the monitoring device detects that a malicious event is triggered in the process of running a suspicious code, and the probability of launching attacks from the event is 40%. Therefore, the maliciousness possibility of the suspicious code is 40%. If this probability exceeds the alarm threshold, the suspicious code is possibly malicious.
[0048] If the suspicious code is determined as malicious, the monitoring device may retrieve the Botnet topology information in the malicious code, and generate and send alarm information that carries the Botnet topology information.
[0049] The Botnet topology information in the foregoing malicious code includes Bot hosts as well as the IP address, port, or URL that controls the hosts.
[0050] After the monitoring device sends the alarm information that carries the Botnet topology information, the network device receives the alarm information sent by the monitoring device. The alarm information includes maliciousness of the suspicious code, or includes both the maliciousness of the suspicious code and the Botnet topology information.
[0051] The method in this embodiment may further include the following steps:
[0052] Step 216: Intercept suspicious codes that are malicious according to maliciousness of the suspicious codes; or
[0053] Step 225: Intercept the suspicious codes that are malicious and the packets in the Botnet corresponding to the Botnet topology information according to maliciousness of the suspicious codes and the Botnet topology information.
[0054] After receiving the alarm information, the network device intercepts the corresponding suspicious codes and the packets in the Botnet.
[0055] The method for alerting against unknown malicious codes in this embodiment reports source addresses of numerous suspicious codes proactively at the earliest possible time, ensures comprehensiveness of the alert information sources, lays a foundation for shortening the time required for overcoming virus threats, and avoids the trouble of installing software on the client. Moreover, because the network device sends the source address of the suspicious codes rather than the suspicious codes themselves, the occupancy of user bandwidth is reduced; the monitoring device analyzes the suspicious codes and sends alarms to the network device so that the network device can intercept malicious codes; and the monitoring device retrieves the Botnet topology information and sends Botnet alarms to the network device, so that the network device intercepts the packets in the Botnet, which reduces the possibility of the host being attacked.
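As an added illustration of the monitoring-device judgment in paragraphs [0046] to [0050] and the interception of steps 216 and 225 (this is not code from the application), the Python below scores a constructed sample by characteristic matching and by sandbox events, applies an assumed alarm threshold, and lets the network device decide which packets to intercept; the repository contents, event probabilities, threshold value and topology format are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed alarm threshold; the application only says "the alarm threshold" without a value.
ALARM_THRESHOLD = 0.5

# Constructed repository of malicious-code characteristics: byte pattern -> probability
# of launching attacks (paragraph [0046]). Real repositories are far more detailed.
CHARACTERISTIC_REPOSITORY: Dict[bytes, float] = {
    b"CreateRemoteThread": 0.8,
    b"SetWindowsHookEx": 0.6,
    b"This program cannot be run in DOS mode": 0.1,
}

# Constructed mapping from events recorded while running in the sandbox to the
# probability of launching attacks from that event (paragraph [0047]).
SANDBOX_EVENT_PROBABILITY: Dict[str, float] = {
    "wrote_autorun_registry_key": 0.4,
    "opened_outbound_control_channel": 0.7,
    "read_own_file": 0.0,
}


@dataclass
class Alarm:
    """Alarm information returned to the network device (constructed format)."""
    source_address: str
    malicious: bool
    maliciousness: float
    botnet_topology: Dict[str, object] = field(default_factory=dict)


def characteristic_detection(sample: bytes) -> float:
    """The sample inherits the probability of the best-matching characteristic string."""
    hits = [p for sig, p in CHARACTERISTIC_REPOSITORY.items() if sig in sample]
    return max(hits, default=0.0)


def sandbox_detection(events: List[str]) -> float:
    """Maliciousness possibility from the recorded execution result and running status."""
    return max((SANDBOX_EVENT_PROBABILITY.get(e, 0.0) for e in events), default=0.0)


def judge_sample(source_address: str, sample: bytes, sandbox_events: List[str],
                 topology: Optional[Dict[str, object]] = None) -> Alarm:
    """Monitoring device: combine both methods and build the alarm information."""
    p = max(characteristic_detection(sample), sandbox_detection(sandbox_events))
    malicious = p > ALARM_THRESHOLD
    # Paragraph [0048]: Botnet topology is attached only for code determined malicious.
    topo = dict(topology) if malicious and topology else {}
    return Alarm(source_address, malicious, round(p, 2), topo)


def blocked_addresses(alarm: Alarm) -> set:
    """Bot hosts plus the IP:port or URL that controls them (paragraph [0049])."""
    topo = alarm.botnet_topology
    addrs = set(topo.get("bots", []))
    if topo.get("controller"):
        addrs.add(topo["controller"])
    return addrs


def should_intercept(alarm: Alarm, packet: Dict[str, str]) -> bool:
    """Network device, steps 216/225. packet is a constructed dict with the keys
    'url' (download source, if any), 'src' and 'dst' (both 'ip:port')."""
    if not alarm.malicious:
        return False
    if packet.get("url") == alarm.source_address:
        return True                       # step 216: the malicious code itself
    addrs = blocked_addresses(alarm)
    return packet.get("src") in addrs or packet.get("dst") in addrs  # step 225
```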
[0056] FIG. 3 is a schematic diagram of a network device according to an embodiment of the present invention. The network device in this embodiment includes:
[0057] a first detecting module 301, configured to detect characteristics of a packet;
[0058] a first judging module 312, configured to judge whether any suspicious code exists in the packet according to a result of the detection performed by the first detecting module;
[0059] a first recording module 325, configured to record a source address of the suspicious code if the first judging module determines that the suspicious code exists in the packet; and
[0060] a first sending module 336, configured to send alert information that carries the source address to a monitoring device.
[0061] In this embodiment, the first detecting module detects characteristics of the packet, for example, by detecting whether the name of the suspicious code is included in the packet, whether the file header of the suspicious code is included in the data stream, or both. The first judging module judges whether any suspicious code exists in the packet according to the result of the detection performed by the first detecting module. The first recording module records the source address of the suspicious code if the first judging module determines that the suspicious code exists in the packet, and the first sending module sends alert information to the monitoring device. After the alert information is sent, the network device receives alarm information returned by the monitoring device.
[0062] The first detecting module in this embodiment may further include:
[0063] a first detecting submodule 302, configured to detect whether the name of the suspicious code exists in the data stream; and/or
[0064] a second detecting submodule 303, configured to detect whether the file header of the suspicious code exists in the data stream.
[0065] This embodiment may further include:
[0066] a first receiving module 345, configured to receive alarm information sent by the monitoring device, where the alarm information includes maliciousness of the suspicious code, or includes both the maliciousness of the suspicious code and the Botnet topology information.
[0067] This embodiment may further include:
[0068] a first intercepting module 352, configured to intercept suspicious codes that are malicious according to maliciousness of the suspicious codes; or
[0069] a second intercepting module 367, configured to intercept the suspicious codes that are malicious and the packets in the Botnet corresponding to the Botnet topology information according to maliciousness of the suspicious codes and the Botnet topology information.
[0070] The network device provided in this embodiment reports source addresses of numerous suspicious codes proactively at the earliest possible time, ensures comprehensiveness of the alert information sources, lays a foundation for shortening the time required for overcoming virus threats, and avoids the trouble of installing software on the client. Moreover, the first receiving module receives the alarm information from the monitoring device, and therefore the network device intercepts malicious codes and the packets in the Botnet, which reduces the possibility of the host being attacked.
[0071] FIG. 4 is a schematic diagram of a system for alerting against unknown malicious codes according to an embodiment of the present invention. The system in this embodiment includes the network device 401 and the monitoring device 412 shown in FIG. 3. The monitoring device is configured to: receive alert information; resolve the alert information to obtain a source address; download a suspicious code corresponding to the source address; judge whether the suspicious code is malicious; and send alarm information when determining the suspicious code as malicious.
[0072] An embodiment of the present invention provides a system for alerting against unknown malicious codes. The system collects source addresses of numerous suspicious codes proactively at the earliest possible time, ensures comprehensiveness of the alert information sources, lays a foundation for shortening the time required for overcoming virus threats, and avoids the trouble of installing software on the client.
[0073] After reading the foregoing embodiments, those skilled in the art are clearly aware that the embodiments of the present invention may be implemented through hardware, or, preferably in most circumstances, through software in addition to a necessary universal hardware platform. Therefore, all or part of the novelty of the present invention may be embodied in a software product. The software product may be stored in storage media such as ROM/RAM, magnetic disk, or CD-ROM, and incorporates several instructions for instructing a computer device (such as a personal computer, server, or network device) to execute the method specified in any embodiment of the present invention or a part of the embodiment.
[0074] Finally, it should be noted that the above embodiments are merely provided for describing the technical solutions of the present invention, but are not intended to limit the present invention. It is apparent that persons skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. The present invention is intended to cover the modifications and variations provided that they fall in the scope of protection defined by the following claims or their equivalents.
What is claimed is:
1. A method for alerting against unknown malicious codes, comprising:
a network device detects characteristics of a packet;
the network device judges whether any suspicious code exists in the packet according to a result of the detection;
the network records a source address of the suspicious code if the suspicious code exists in the packet; and
the network sends alert information that carries the source address to a monitoring device.
2. The method according to claim 1, wherein the network device detecting the characteristics of the packet comprises:
the network detects whether a name of the suspicious code exists in a data stream; and/or
the network detects whether a file header of the suspicious code exists in the data stream.
3. The method according to claim 1, further comprising:
the network receives alarm information sent by the monitoring device, wherein the alarm information comprises maliciousness of the suspicious code, or comprises both the maliciousness of the suspicious code and Botnet topology information.
4. The method according to claim 3, further comprising:
the network intercepts suspicious codes that are malicious according to the maliciousness of the suspicious code if the alarm information comprises the maliciousness of the suspicious code; and
the network intercepts suspicious codes that are malicious and packets in a Botnet corresponding to the Botnet topology information according to the maliciousness of the suspicious code and the Botnet topology information if the alarm information comprises the maliciousness of the suspicious code and the Botnet topology information.
5. The method according to claim 2, further comprising:
the network receives alarm information sent by the monitoring device, wherein the alarm information comprises maliciousness of the suspicious code, or comprises both the maliciousness of the suspicious code and Botnet topology information.
6. The method according to claim 5, further comprising:
the network intercepts suspicious codes that are malicious according to the maliciousness of the suspicious code if the alarm information comprises the maliciousness of the suspicious code; and
the network intercepts suspicious codes that are malicious and packets in a Botnet corresponding to the Botnet topology information according to the maliciousness of the suspicious code and the Botnet topology information if the alarm information comprises the maliciousness of the suspicious code and the Botnet topology information.
7. A network device, comprising:
a first detecting module, configured to detect characteristics of a packet;
a first judging module, configured to judge whether any suspicious code exists in the packet according to a result of the detection performed by the first detecting module;
a first recording module, configured to record a source address of the suspicious code if the first judging module determines that the suspicious code exists in the packet; and
a first sending module, configured to send alert information that carries the source address to a monitoring device.
8. The network device according to claim 7, wherein the first detecting module comprises:
a first detecting submodule, configured to detect whether a name of the suspicious code exists in a data stream; and/or
a second detecting submodule, configured to detect whether a file header of the suspicious code exists in the data stream.
9. The network device according to claim 7, further comprising:
a first receiving module, configured to receive alarm information sent by the monitoring device, wherein the alarm information comprises maliciousness of the suspicious code, or comprises both the maliciousness of the suspicious code and Botnet topology information.
10. The network device according to claim 7, further comprising:
a first intercepting module, configured to intercept suspicious codes that are malicious according to maliciousness of the suspicious codes; or
a second intercepting module, configured to intercept the suspicious codes that are malicious and packets in a Botnet corresponding to Botnet topology information according to the maliciousness of the suspicious codes and the Botnet topology information.
11. A system for alerting against unknown malicious codes, comprising:
a network device, comprising: a first detecting module, configured to detect characteristics of a packet; a first judging module, configured to judge whether any suspicious code exists in the packet according to a result of the detection performed by the first detecting module; a first recording module, configured to record a source address of the suspicious code if the first judging module determines that the suspicious code exists in the packet; and a first sending module, configured to send alert information that carries the source address to a monitoring device; and
a monitoring device, configured to: receive alert information; resolve the alert information to obtain a source address; download a suspicious code corresponding to the source address; judge whether the suspicious code is malicious; and send alarm information if determining the suspicious code as malicious.
`
`
`