Computer security systems have to contend with increasingly sophisticated attacks, or exploits, from malicious persons (i.e. hackers) attempting to gain access to data or software on a computer. An Intrusion Detection System (IDS) is an information security device that monitors and analyses data to detect when security has been breached, while an Intrusion Prevention System (IPS) is a device that identifies malicious activity and attempts to stop or block it. IDS and IPS devices are often integrated into a combined IDS/IPS, or Intrusion Detection and Prevention System (IDPS).
Techniques for bypassing an information security device in order to deliver an attack to a target network entity without detection are known as evasions. Evasions are typically used against a network-based IDS/IPS but can also be used to bypass firewalls. Just as viruses can be detected and blocked by anti-virus software, evasions can be stopped by anti-evasion solutions. However, it has recently been recognised that more advanced evasion techniques (AETs) have been developed, and it has been reported that most, if not all, currently available IDS/IPS solutions are unable to detect or prevent an attack when more than one AET is used concurrently.
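The following is an added illustration, not part of the original text, of why combining evasions defeats a detector that inspects each packet in isolation and why normalising the traffic (stream reassembly plus decoding) before matching restores detection. The signature, the segment stream and the function names are constructed for this example; a real IDS would apply many more normalisations.

```python
"""
Added example (not part of the original text): a minimal signature-based
detector run over a constructed segment stream. Two evasions are applied at
once, splitting the request mid-signature across TCP-like segments and
percent-encoding part of it, so no single segment carries the raw pattern.
A per-segment matcher misses it; reassembly plus decoding catches it.
"""
from urllib.parse import unquote_to_bytes

# Constructed signature: the byte pattern the detector is configured to alert on.
SIGNATURE = b"/cgi-bin/test-attack"

# Constructed segments as (sequence_number, payload). The signature is split
# across segments and "-" is encoded as "%2D" (two evasions combined).
SEGMENTS = [
    (0, b"GET /cg"),
    (7, b"i-bin/te"),
    (15, b"st%2Dattack HTTP/1.1\r\n"),
]


def naive_match(segments, signature=SIGNATURE):
    """Per-segment matching with no reassembly or decoding: fails whenever
    either evasion is present."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream, the way
    a stream-aware IDS reconstructs application data before inspection."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            # Gap (segment not yet seen): pad so later offsets stay aligned.
            stream.extend(b"\x00" * (seq - len(stream)))
        elif seq < len(stream):
            # Overlap (retransmission): keep what we already hold, append
            # only the bytes that extend the stream.
            payload = payload[len(stream) - seq:]
        stream.extend(payload)
    return bytes(stream)


def normalise(data):
    """Decode percent-encoding so encoded and plain forms compare equal."""
    return unquote_to_bytes(data)


def normalised_match(segments, signature=SIGNATURE):
    """Reassemble, normalise, then match: detects the combined evasions."""
    return signature in normalise(reassemble(segments))


if __name__ == "__main__":
    print("naive detector alerts:", naive_match(SEGMENTS))
    print("normalising detector alerts:", normalised_match(SEGMENTS))
```

The order of operations matters: decoding each segment before reassembly would still miss a signature split across a segment boundary, and reassembling without decoding would still miss the encoded form, which is exactly why a single normalisation step is not enough when AETs are stacked.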
The present invention has been conceived with the foregoing in mind. Before describing it further, however, some explanation is required of the terms that will be used, particularly in relation to the embodiments described.
An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of a computer asset. An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on a computer. Examples might include gaining control of a computer system or allowing a privilege escalation or a denial of service attack. Malware is malicious software designed to secretly access a computer system without the owner's informed consent, and may include a variety of forms of hostile, intrusive, or annoying software or program code, such as computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious or undesirable software.
As used herein, an attack may be considered also to include any of the above.
The term “vulnerability”, as used herein, refers to the term as defined by Common Vulnerabilities and Exposures (CVE®). CVE defines a vulnerability as a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE is a dictionary of identifiers of known vulnerabilities that makes it easier to share data across different network security databases.
Embodiments are described below in relation to network communications at certain levels, or layers, such as described in the ISO's Open Systems Interconnection (OSI) model. In the OSI model a layer is a collection of conceptually similar functions, implemented within each layer by one or more entities. Each entity interacts directly only with the layer immediately beneath it, and provides facilities for use by the layer above it. Protocols enable an entity in one host to interact with a corresponding entity at the same layer in another host. Most network protocols used today are based on TCP/IP stacks.
In at least one version of the OSI model there are seven layers. Starting at the lowest layer, layer 1, which is the Physical layer, the layers above are, in order, 2—the Data Link layer, 3—the Network layer, 4—the Transport layer, 5—the Session layer, 6—the Presentation layer, and 7—the Application layer. At any given layer, N, two entities (N-peers) interact by means of the N protocol by transmitting protocol data units (PDUs). A Service Data Unit (SDU) is a specific unit of data that has been passed down from one layer to a lower layer, and which the lower layer has not yet encapsulated into a protocol data unit (PDU) of its own layer. Thus, an SDU is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user. The SDU is the ‘payload’ of a given PDU. Accordingly, where the embodiments described below refer to a particular level or layer, such as the Application level, to describe the principles of the invention, it should be understood that the same principles may be applied at other layers, and where data is referred to as payload it should not be construed as being limited to data at any particular layer.
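As an added example (not part of the original text), the following small model makes the PDU/SDU relationship concrete: each layer prepends its own header to the SDU it receives from above, producing a PDU that becomes the SDU of the layer below, and the peer strips the headers back off. The layer names follow the OSI model; the fixed-size header formats and addresses are constructed for the example and are not any real protocol's encoding.

```python
"""
Added example (not part of the original text): a toy three-layer stack showing
that the SDU handed down by a layer is carried unchanged as the payload of that
layer's PDU, and that "payload" therefore exists at every layer, not only the
Application layer. Header formats are constructed, not real protocol headers.
"""
import struct

# Constructed (layer name, header struct format), listed top-down.
LAYERS = [
    ("transport", ">HH"),     # src_port, dst_port
    ("network", ">4s4s"),     # src_addr, dst_addr (4 bytes each)
    ("data_link", ">6s6s"),   # src_mac, dst_mac (6 bytes each)
]
FORMAT_OF = dict(LAYERS)


def encapsulate(app_sdu, header_fields):
    """Walk down the stack. header_fields gives the header values per layer in
    LAYERS order. Returns the layer-2 frame and a dict of each layer's PDU."""
    pdus = {}
    sdu = app_sdu
    for (name, fmt), fields in zip(LAYERS, header_fields):
        pdu = struct.pack(fmt, *fields) + sdu   # PDU = header + SDU
        pdus[name] = pdu
        sdu = pdu   # this layer's PDU is the next lower layer's SDU
    return sdu, pdus


def decapsulate(frame):
    """Walk up the stack at the peer: strip each layer's header in turn,
    recovering the SDU the sending side's corresponding layer handed down."""
    headers = []
    data = frame
    for name, fmt in reversed(LAYERS):
        size = struct.calcsize(fmt)
        headers.append((name, struct.unpack(fmt, data[:size])))
        data = data[size:]
    return data, headers


def payload_of(pdu, layer):
    """The payload (SDU) of a PDU at the named layer: everything after the
    layer's own header."""
    return pdu[struct.calcsize(FORMAT_OF[layer]):]


if __name__ == "__main__":
    # Constructed application data and header values.
    app = b"GET / HTTP/1.1\r\n"
    fields = [
        (40000, 80),
        (b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"),
        (b"\x00" * 6, b"\xff" * 6),
    ]
    frame, pdus = encapsulate(app, fields)
    recovered, hdrs = decapsulate(frame)
    print("frame length:", len(frame), "recovered == app:", recovered == app)
    for name, _ in LAYERS:
        print(name, "payload bytes:", len(payload_of(pdus[name], name)))
```

A detector that inspects "the payload" must therefore be explicit about which layer it means: the Transport-layer payload here is the application data, while the Data Link-layer payload is the entire Network-layer PDU including its header.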