Communication networks are undergoing a rapid evolution from circuit-switched technologies, originally developed for voice communications, to packet-switched technologies. The packet technologies were originally developed for data communications, but as speeds have increased and the technologies have evolved, packet networks have become able to provide generic transport for all forms of information (voice, video, multimedia, text, etc.). However, as more and more communication applications have migrated to packet transport that was often designed for open Internet applications, they have become subject to many of the security issues that plague the public Internet. Malicious software (malware) and social engineering tactics are of increasing concern.
Malware is software designed to disrupt the operation of a computing device, including personal computers (PCs) and mobile devices such as smart-phones, tablets, and personal digital assistants (PDAs). Malware includes viruses, worms, spyware, Trojans, adware, botnets, spambots, keyloggers, etc. For example, a Trojan is a malicious program hidden within a legitimate application. When activated, a Trojan allows criminals to gain unauthorized access to a user's computer (e.g., mobile device). A botnet is a collection of malware-infected devices, ranging in size from a dozen to tens of thousands, that can be coordinated by a Command and Control (C&C) server. A botnet can be used in spam, identity theft, or distributed denial of service (DDoS) attacks. A spambot is an automated program that harvests personal contact information in order to send unsolicited email, short message service (SMS) or social media messages. A spambot may even decipher passwords and send its messages directly from a user's account. A keylogger captures passwords, usernames, bank account information, and credit card numbers typed into a computing device and later transmits the information back to the criminals.
Social engineering, in the context of computing device security, is the manipulation of users into performing actions or divulging confidential information. It is deception for the purpose of information gathering, fraud, or unauthorized computing device access. For example, a hacker may contact a system administrator and pretend to be a user who cannot get access to his or her system.
For simplicity, any form of malware or social engineering event or combination of events will be collectively called a “security attack” herein.
Traditionally, users have relied on anti-virus programs for protection. However, anti-virus programs provide limited protection. For example, the anti-virus (AV) software may not be up to date, or it may even be circumvented by malware that runs in stealth mode. Further, hackers may exploit weaknesses in either the anti-virus programs or the Operating System (OS); or hackers may even use social engineering methods (discussed above) to fool a consumer into inadvertently installing malware.
An Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station. Existing IDSs address security in a layered approach—at the link layer, at the network layer, and at the application layer—and at many points in the end-to-end path of service delivery. Network-based security has the advantage of operating in an area where malware cannot hide. No matter how stealthy the malware on the infected computing device (e.g., PC or mobile device), standard IP protocols such as the Domain Name System (DNS), IP addressing, the Transmission Control Protocol (TCP), and the User Datagram Protocol (UDP) are generally used to communicate back "home" with the stolen digital information. Thus, a security attack uses the network to communicate with a Command and Control (C&C) server, and infected computing devices use the same network that is generally used for legitimate purposes.
Intrusion Prevention Systems (IPS) extend IDS by additionally blocking traffic on the network that is suspected to be malware infected. However, what is missing is a system and method that leverages network based security intelligence, communicates the security attack to the device, and triggers corrective action on the device.
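The network-side vantage point described in the two paragraphs above, as an added example that is not part of the original text: a small detector runs over constructed flow records, matches DNS lookups and TCP/UDP sessions against a constructed (placeholder) list of C&C domains and addresses, attributes a later session to the C&C domain whose DNS answer produced the destination address, and builds the per-device report with a corrective action that the missing system would push to the device. All device names, addresses and domains are constructed test data, not real indicators.

```python
"""Network-side C&C detection over constructed flow records (added example)."""
from dataclasses import dataclass, field

# Constructed threat intelligence (placeholders from documentation ranges, not real IoCs).
C2_DOMAINS = {"c2.example.invalid"}
C2_IPS = {"198.51.100.23"}

# Constructed flow log: (device, proto, dst_ip, dst_port, dns_qname, dns_answer).
# DNS queries carry qname/answer; plain TCP/UDP sessions carry None for both.
FLOWS = [
    ("tablet-7", "UDP", "192.0.2.53", 53, "updates.example.org", "192.0.2.80"),
    ("tablet-7", "TCP", "192.0.2.80", 443, None, None),          # benign update check
    ("phone-3", "UDP", "192.0.2.53", 53, "c2.example.invalid", "203.0.113.9"),
    ("phone-3", "TCP", "203.0.113.9", 8080, None, None),         # C&C via resolved address
    ("pc-12", "TCP", "198.51.100.23", 443, None, None),          # C&C via listed address
]

@dataclass
class Report:
    """What the IDS reports to the management station and forwards to the device."""
    device: str
    reasons: list = field(default_factory=list)
    action: str = "none"

def detect_c2(flows, c2_domains=C2_DOMAINS, c2_ips=C2_IPS):
    """Return {device: Report} for devices whose traffic matches C&C intelligence.
    A DNS lookup of a C&C domain taints the answered IP, so a follow-on TCP/UDP
    session to that IP is attributed to the same C&C domain even though the IP
    itself is not on the intelligence list."""
    tainted = {}   # resolved IP -> C&C domain that produced it
    reports = {}

    def flag(device, reason):
        reports.setdefault(device, Report(device)).reasons.append(reason)

    for device, proto, dst, port, qname, answer in flows:
        if qname is not None:                       # DNS query record
            if qname in c2_domains:
                flag(device, f"DNS lookup of C&C domain {qname}")
                if answer:
                    tainted[answer] = qname
            continue
        if dst in c2_ips:                           # direct session to listed address
            flag(device, f"{proto} session to C&C address {dst}:{port}")
        elif dst in tainted:                        # session to address learned via DNS
            flag(device, f"{proto} session to {dst}:{port} resolved from {tainted[dst]}")

    for report in reports.values():                 # corrective action escalates with evidence
        established = any("session" in r for r in report.reasons)
        report.action = "quarantine and scan" if established else "alert user and scan"
    return reports
```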