During recent years, the number of attacks on computer networks has increased dramatically, as has the dependence of companies and government agencies on their computer networks. Consequently, many efforts have been made to protect computer systems.
A single piece of malware (malicious software) that enters a computerized system from the network can result in the loss, unauthorized use and/or modification of large amounts of data. One of the most malicious types of software is the computer worm. A computer worm is a self-replicating program, similar to a computer virus, which is typically designed to propagate by exploiting the data transmission capabilities that are an inherent feature of almost any computer. The main difference between a computer virus and a worm is that a virus cannot propagate by itself (it must be carried by a host file or a user action), whereas a worm can. A worm uses a data network to send copies of itself to other systems without any user intervention.
One of the most difficult tasks of a network administrator is to treat a network that has been congested by a new Internet worm spreading itself from thousands of client machines. It is often impossible to remove a worm remotely, or to provide worm removal instructions to an inexperienced user. One of the conventional solutions is to operate a virus scanner on a dedicated machine and to analyze all traffic to and from the clients. A major disadvantage of virus scanners is that they depend on signatures, which in most cases do not generalize: a signature written for one worm rarely matches a modified variant. That is, virus scanners are generally able to detect only malware whose signatures already exist in the scanner's database.
The first step in dealing with computer worms is the identification of their intrusion into the system. A recent review by Kabiri and Ghorbani (International Journal of Network Security, Vol. 1, No. 2, pages 84-102) describes two major approaches for detecting intrusions in computer systems. The first approach is signature based and the second is anomaly based.
Signature based methods compare incoming data with known patterns of malware behavior and report an intrusion once a match has been found. Such a system is therefore unable to detect an intrusion by an unknown malware. Anomaly based methods, on the other hand, model the normal behavior of the computer system and alert of an intrusion when a deviation from that behavior is observed. Such methods are intended to detect unknown malware; however, they may cause many false alarms, since many abnormal patterns do not necessarily indicate an intrusion.
Most of the current techniques for detecting malware, whether signature or anomaly based, rely on gathering information from certain components of the computer system. For example, some systems analyze executable files on local storage devices; others monitor the contents of packets sent and/or received by the computer; and others monitor system calls. Furthermore, there exist network based intrusion detection methods in which network measurements are monitored. If such techniques were applied to more than a few information channels, they would require extremely heavy computational resources. However, monitoring only a few features is not necessarily sufficient: many intrusions may remain undetected, and many false alarms may be raised, which in certain cases may be even more harmful.
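The two approaches contrasted in the preceding paragraphs, as an added illustration that is not part of the patent text and not the method of Kabiri and Ghorbani: a signature matcher over packet payloads beside an anomaly detector that models one network measurement (new outbound connections per minute) per host. The signature byte string, the host traffic counts and the payloads are all constructed for the example. It shows the trade-off the text describes: the signature catches only the exact known worm, the anomaly model also catches a trivially altered variant, and the same anomaly model raises a false alarm on a legitimate bulk transfer because it watches a single feature.

```python
"""Signature-based versus anomaly-based detection on constructed data.

Added illustration; not code from the patent or from the cited review.
Every payload, signature and traffic count below is made up.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass

# ---- signature-based: match incoming data against known malware patterns ----
# Hypothetical signature database. The byte pattern is invented for this
# example and stands in for the fixed substring a scanner would search for.
SIGNATURES: dict[str, bytes] = {
    "WORM.EXAMPLE.A": b"GET /exec?cmd=",
}


def signature_scan(payload: bytes) -> list[str]:
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


# ---- anomaly-based: model normal behaviour, flag deviations from it ----
@dataclass
class Baseline:
    """Per-host model of one monitored feature (new outbound connections
    per minute), learned from a training window assumed to be clean."""
    mean: float
    stdev: float


def train_baseline(samples: list[int]) -> Baseline:
    # A zero-variance window would make every deviation infinite; fall back
    # to a unit deviation so the detector still behaves sensibly.
    return Baseline(statistics.mean(samples), statistics.pstdev(samples) or 1.0)


def anomaly_score(baseline: Baseline, observed: int) -> float:
    """Number of standard deviations the observation sits above the mean."""
    return (observed - baseline.mean) / baseline.stdev


def is_anomalous(baseline: Baseline, observed: int, threshold: float = 3.0) -> bool:
    return anomaly_score(baseline, observed) > threshold


# ---- combine the two channels into one verdict ----
def classify(payload: bytes, baseline: Baseline, conn_rate: int) -> str:
    """Signature hit -> known malware; anomaly only -> suspected; else benign."""
    if signature_scan(payload):
        return "known-malware"
    if is_anomalous(baseline, conn_rate):
        return "suspected-intrusion"
    return "benign"


# ---- constructed scenario ----
# Clean training window: outbound connections per minute for one workstation.
TRAINING = [18, 22, 20, 19, 21, 23, 17, 20]

# (payload seen on the wire, connections/minute in the same interval)
SCENARIO: dict[str, tuple[bytes, int]] = {
    "known_worm":   (b"GET /exec?cmd=download HTTP/1.0", 400),  # exact signature match
    "variant":      (b"GET /exec?CMD=download HTTP/1.0", 400),  # one byte changed: no match
    "benign_burst": (b"GET /backup/2023.tar HTTP/1.1", 120),    # legitimate bulk job
    "normal":       (b"GET /index.html HTTP/1.1", 21),
}


def run_scenario() -> dict[str, str]:
    base = train_baseline(TRAINING)
    return {name: classify(payload, base, rate)
            for name, (payload, rate) in SCENARIO.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} -> {verdict}")
```

Running it yields `known-malware` for the exact worm, `suspected-intrusion` for the altered variant that the signature misses, `suspected-intrusion` for the backup job as well (the false alarm the text warns about), and `benign` for ordinary traffic. Reducing the false alarm without losing the variant requires correlating more than this one feature, which is exactly the cost that the next paragraph notes.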
It would therefore be highly desirable to develop a reliable method for detecting malicious behavioral patterns related to malware in computerized systems, one that monitors the important features of the computer's behavior and reaches a decision in a short time.
It is an object of the present invention to provide a method that is able to accurately assess information gathered from many channels of a computerized system that comprises data exchange channels, and to alert of malware intrusions, particularly intrusions of computer worms. Such a method would enable the disconnection from the network of computers that have been infected by malware, thereby protecting other computers on the network that have not yet been invaded.
It is another object of the present invention to provide a method, which can minimize the number of intrusions that remain undetected.
It is a further object of the present invention to provide such a method that minimizes the number of false alarms.
It is yet a further object of the present invention to provide a method that can detect new types of intrusions.
It is still a further object of the present invention to provide a method that is able to detect intrusions at a relatively high speed, thereby enabling a fast containment of that intrusion, before large portions of the network are infected.
It is a further object of the present invention to provide an efficient method that does not require many computational resources.
Further purposes and advantages of this invention will become apparent as the description proceeds.