Over the last decade, malicious software has become a pervasive problem for Internet users as most networked resources include software vulnerabilities that are subject to attack. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto network devices, such as vulnerabilities within operating systems for example. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network resources continue to be the targeted by exploits.
In general, an exploit is information that attempts to take advantage of a vulnerability in computer software by adversely influencing or attacking normal operations of a targeted computer. As an illustrative example, a Portable Execution Format (PDF) file may be infected with an exploit that is activated upon execution (opening) of the PDF file and takes advantage of a vulnerability associated with Acrobat® Reader version 9.0.
Currently, one type of security application widely used for detecting exploits is an intrusion prevention system (IPS). Typically implemented as part of a firewall, an IPS is designed to identify packets suspected of containing known exploits, attempt to block/halt propagation of such exploits, and log/report information associated with such packets through an alert. However, conventional IPS technology suffers from a number of disadvantages.
One disadvantage with conventional IPS technology in that the IPS does not rely on any mechanism to automatically verify its results. Rather, verification of the results produced from a conventional IPS is handled manually.
Another disadvantage is that, without automated verification, the IPS tends to produce a large number of false positives, namely incorrect alerts that occur when the IPS reports certain benign objects as exploits. These false positives cause a variety of adverse effects. For instance, due to the large number of false positives, one adverse effect is that actual exploits detected within network traffic may go unnoticed by an administrator. Other adverse effects may include (i) needless blocking of incoming network traffic; (ii) unnecessarily reduction of processing resources; (iii) significant drainage of administrative resources to handle incorrectly classified objects; and (iv) development of a culture (or policy) of sporadically checking only some of the suspect objects.
In efforts to mitigate the number of false positives, the IPS may frequently require customized and periodic tuning of its signature database, which is a costly endeavor. Furthermore, simply tuning the IPS to significantly reduce the number of false positives can severely degrade the effectiveness of the IPS and/or severely disrupt network operability.