1. Field of the Invention
The invention is in the field of computer system security, and more particularly to attacks using known vulnerabilities of software running on such computer systems.
2. Related Art
Software programmers write software programs to have functionality for performing a wide variety of tasks. However, such functionality can be used in ways not intended by the original software program. For example, other software programmers known as hackers sometimes use such functionality to circumvent computer system security for improper purposes. Similarly, the software programmers who write software programs also occasionally make mistakes, known as bugs or flaws, in the software program. Those in the security field often refer to such flaws as vulnerabilities. Some of these flaws simply prevent the software program from running or operating properly. However, as with program functionality, others allow hackers to circumvent computer system security, again allowing the computer system to be used for improper purposes.
Whether through improper use of some software program functionality or capitalizing on the existence of a programming mistake, over the years hackers have developed a large variety of attacks on the security and proper use of computer systems using these vulnerabilities. Such attacks have taken the form of computer viruses, spyware, worms, Trojan horses, root kits, etc. The objectives of these attacks have ranged from simple mischief to disabling use of a computer system to criminal actions such as accessing classified information and fraudulent online purchases.
The proliferation of modern computer systems has led to an ever-increasing number of attacks on them. Many such attacks seek to capitalize on software features and/or flaws which allow the attack to perform actions not intended by the creator of the software. For example, attackers find ways to take advantage of such features and/or flaws to download software into a computing system in order to take over execution of a system process that is using the flawed software.
Prior approaches to address such attacks have generally followed two methods, neither of which prevents attacks from entering a computer system. The first, used by anti-virus and anti-spyware systems, examines computer program code found in the computer system using frequently updated binary patterns of known attack software. In this case the vendors of such systems must constantly find every new attack and develop and distribute a specialized binary pattern for each attack. The second, called intrusion detection and prevention, also allows the attacks to get into a computer system and get established, but looks for software behavior patterns based on which system calls are being made. Dealing with new attacks thus typically requires revision to reflect these new behavior patterns.
However, the number of different types of attacks has been large and varied, with the only limitation being the creativity of the programmers who create them. In fact, such attack programmers have created hundreds of different types of attacks based on a single known software feature or flaw. This ever-increasing number and variety of different types of attacks has been a challenge for defensive systems, which therefore must constantly stay updated in order to discover and remove each new attack.
It is therefore desirable to prevent such attacks before they can enter a system and hide themselves away, without the need for constant attack updates.