The present invention relates to computer network security, and in particular to a method and apparatus for collecting samples of malicious traffic on a network for the purpose of monitoring and analyzing malicious traffic and possibly developing signatures and/or countermeasures used to identify and block malicious traffic.
Computer networks are increasingly subject to attacks from malicious network traffic containing software (exploits) such as “worms,” which steal processing time on individual computers to further propagate the exploit to other computers on the network. Worms and similar exploits disrupt the network by consuming network bandwidth and may steal or damage programs and data on computers.
Referring to FIG. 1, a computer network 10 may connect to an “external” network 12 such as the Internet, through a network connection 14 having at least one network address. Data packets 16 and 17 may be exchanged between two computers (not shown) on networks 12 and 10 according to a number of well-known protocols such as HTTP, NetBIOS/SMB, and DCERPC (the Windows RPC service).
A “network intrusion detection system” 22 (NIDS) can be attached to the network interface 14 to monitor the data packets 16 and 17 flowing between networks 10 and 12. As used herein, data packets 16 from a potentially malicious source will be termed “statements” and data packets 17 from the potential target computer shall be termed “responses”. The NIDS 22 compares the data of both statements 16 and responses 17 to a library of “data signatures” 23 stored in the NIDS 22, each data signature 23 capturing a pattern of statements 16 and responses 17 associated with malicious network traffic. When a series of statements 16 and responses 17 monitored by the NIDS 22 match a stored signature 23, an alert is produced on an output 24 to notify the system administrator or to enable blocking features in a firewall 26 or the like.
Different types of malicious network traffic attack different security weaknesses associated with different types of operating systems and different network software executing different communication protocols. Each type of malicious network traffic may also have variants representing often trivial modifications to the statements 16. These variants are intended to defeat a signature-based NIDS 22 and are constantly evolving. For this reason, the data signatures 23 used by the NIDS 22 must be constantly updated.
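As an added illustration of the statement/response signature matching described above, and of why a trivial variant can slip past an exact-byte signature, the following example is written for this page and is not code from the patent or from any NIDS product; the two signatures and the three sessions are constructed, hypothetical HTTP-like patterns.

```python
import re
from dataclasses import dataclass

# Direction labels follow the text: source packets are "statements", target packets "responses".
STATEMENT, RESPONSE = "statement", "response"
@dataclass(frozen=True)
class Step:
    direction: str
    pattern: "re.Pattern"  # compiled bytes regex tested against the packet payload
@dataclass(frozen=True)
class Signature:
    name: str
    steps: tuple  # ordered Steps; all must occur, in this order, within one session

def matches(sig, session):
    """True if session (a list of (direction, payload)) contains every step of
    sig in order; unrelated packets between steps are skipped."""
    i = 0
    for direction, payload in session:
        if i == len(sig.steps):
            break
        if direction == sig.steps[i].direction and sig.steps[i].pattern.search(payload):
            i += 1
    return i == len(sig.steps)
def scan(session, signatures):
    """Names of every signature the session matches: the alert list."""
    return [s.name for s in signatures if matches(s, session)]

# Constructed, hypothetical signature for an HTTP-like "upload, then fetch" pattern.
EXACT = Signature("upload-fetch-exact", (
    Step(STATEMENT, re.compile(rb"^PUT /upload/")),
    Step(RESPONSE, re.compile(rb"^HTTP/1\.[01] 201")),
    Step(STATEMENT, re.compile(rb"^GET /upload/\S+\.exe")),
))
# Same pattern written to survive a trivial variant (method case, extra spacing).
TOLERANT = Signature("upload-fetch-tolerant", (
    Step(STATEMENT, re.compile(rb"^put\s+/upload/", re.I)),
    Step(RESPONSE, re.compile(rb"^HTTP/1\.[01]\s+201")),
    Step(STATEMENT, re.compile(rb"^get\s+/upload/\S+\.exe", re.I)),
))

# Constructed sample sessions as (direction, payload) pairs.
SESSION_ORIGINAL = [(STATEMENT, b"PUT /upload/a.exe HTTP/1.1\r\n"),
                    (RESPONSE, b"HTTP/1.1 201 Created\r\n"),
                    (STATEMENT, b"GET /upload/a.exe HTTP/1.1\r\n")]
SESSION_VARIANT = [(STATEMENT, b"put  /upload/a.exe HTTP/1.1\r\n"),  # case/spacing changed
                   (RESPONSE, b"HTTP/1.1 201 Created\r\n"),
                   (STATEMENT, b"GET /upload/a.exe HTTP/1.1\r\n")]
SESSION_BENIGN = [(STATEMENT, b"GET /index.html HTTP/1.1\r\n"),
                  (RESPONSE, b"HTTP/1.1 200 OK\r\n")]
```

Running `scan(SESSION_VARIANT, [EXACT, TOLERANT])` alerts only on the tolerant signature, which is the update cycle the paragraph above describes.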
Signatures 23 for an NIDS 22 may be created from samples of malicious traffic that have been collected and analyzed. Co-pending U.S. application Ser. No. 11/085,633, filed Mar. 21, 2005, and hereby incorporated by reference, describes a system of analyzing malicious network traffic to automatically generate signatures that may be used by an NIDS-type system.
Samples of malicious network traffic can be obtained through the use of a “honeypot” (a system with no authorized activity that is deployed for the purpose of traffic monitoring or being compromised) or a “honeynet” (a network of honeypot systems) set up to simulate a target for malicious network traffic. Data from honeynets can be valuable for analyzing attack profiles and the malicious programs themselves. Since honeypots are live systems, they provide responses to malicious statements that match those a genuine network-connected computer would provide, promoting further communication with the exploit and thereby allowing better identification and analysis. Honeypots deployed only for monitoring are, to the extent possible, “fully patched,” that is, equipped with defenses against the anticipated malicious traffic so that they are not themselves infected. Honeypots are typically deployed on network “dark space,” that is, a network with routable addresses that is otherwise unpopulated with legitimate hosts and thus largely free of benign network traffic, which simplifies the determination that observed traffic is malicious.
Early detection of new malicious traffic variants can be facilitated by monitoring a large number of addresses, which increases the probability of detecting the malicious traffic in the earliest stages of its propagation. While a given honeypot may handle more than one IP address, for example, on the order of a dozen, honeypot monitoring of the dark space of a typical network (e.g., greater than 10,000 addresses) is currently impractical. With changes in the Internet, for example the move to IPv6, which increases the address space from thirty-two to 128 bits, monitoring a significant sampling of dark space will become much more difficult.