A host computer is a computer configured to communicate with one or more other computers via a network. FIG. 1 is a schematic diagram illustrating a client computer configured to communicate with a server computer via a network. A client host computer system 102 is connected via network 104 to a router 106. The router 106 is associated with a server host computer system 108 and connected to server host computer system 108 via a switch 110. The network 104 may be a public network, such as the Internet or the public switched telephone network (PSTN), or another network, such as a virtual private network (VPN) or other private network.
A network protocol may be used to facilitate communication between computers such as client 102 and server 108 shown in FIG. 1. Some well-known examples of such a protocol include the Hypertext Transfer Protocol (HTTP), which is used by browser software to enable users to navigate the World Wide Web, and the Simple Mail Transfer Protocol (SMTP), used to send and receive electronic mail messages. One important network protocol is the Transmission Control Protocol (TCP), which is the basic communication protocol that enables computers to communicate via the Internet.
HTTP and SMTP are application layer protocols, used to provide certain functionality to users (e.g., web browsing, in the case of HTTP, or electronic mail, in the case of SMTP). Application layer protocols such as HTTP and SMTP may be employed in connection with more basic communication protocols, such as TCP, to send and receive messages via a network. The TCP protocol provides for the exchange of data in the form of discrete data packets. A communication session is established with the destination host computer. The outgoing message is broken into discrete packets, each assigned a sequence number indicating its place in the message. The packets may arrive out of order, and are reassembled at the destination host computer using the sequence numbers.
When a computer system, such as server 108 of FIG. 1, is made accessible to one or more other computers via a network, the computer may be exposed to an attack aimed at destroying data or equipment associated with the computer, gaining unauthorized access to data or other resources, or denying access or use of the computer to others.
One way to identify a potential attack on a network-connected computer system, such as server 108 of FIG. 1, is to check the data packets as they are received to determine if a packet or group of packets matches a string or pattern associated with a prior attack or known type of attack. For example, router 106 may be configured to serve as a firewall that screens incoming packets and attempts to identify strings or patterns that may indicate that an attack is taking place. Such a firewall may be configured to send an alert to a system administrator, for example, if a suspect string or pattern is matched. This approach is limited, however, to the detection of attacks that are the same as, or very similar to, prior attacks.
A second approach makes limited use of knowledge about the network protocol being used by the computers to communicate. For example, the router 106 may be configured to serve as a firewall or proxy programmed to screen incoming data packets to determine if they are valid under the network protocol being used. For example, a validly formatted request to synchronize would be delivered to the server, but a request to synchronize that was not validly formatted (for example, it exceeded a length limitation) or a packet that did not correspond to any valid symbol or command for the protocol would be rejected and not delivered to the server.
This latter approach, however, is limited to the validation of the format of individual messages and does not provide for the analysis of the entire protocol stream to identify a possible attack.
Moreover, neither of the approaches described above provides an efficient way to represent the various states in which the client or server system may be with respect to a network protocol communication session, the interrelationships between those states, or the permissible transitions between states defined by the protocol, for purposes of modeling a normal and valid protocol stream and identifying possible attacks by detecting deviations from such normal and valid behavior. Therefore, there is a need for a way to efficiently model normal and valid protocol streams and to detect when an actual protocol stream deviates from the normal and valid behavior in a way that may indicate that an attack is taking place.
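The following added example (not code from the patent itself) illustrates the distinction drawn above: a per-message format check alone, beside a state model of a simplified TCP-like session that also rejects messages not permitted in the current state. The state names, transition table, message kinds and length limit are constructed assumptions for illustration.

```python
"""Added example: state-machine monitor for a simplified TCP-like session.

Constructed for illustration; not the patent's own implementation.
"""
from dataclasses import dataclass, field

# Assumed server-side session states and the transitions the protocol
# permits: (current_state, message_kind) -> next_state.  Any pair not
# listed here is a deviation from the modeled normal stream.
TRANSITIONS = {
    ("LISTEN", "SYN"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSE_WAIT",
    ("CLOSE_WAIT", "ACK"): "CLOSED",
}
MAX_PAYLOAD_LEN = 1024  # constructed per-message length limit


@dataclass
class SessionMonitor:
    state: str = "LISTEN"
    alerts: list = field(default_factory=list)

    def observe(self, kind: str, payload: bytes = b"") -> bool:
        """Feed one packet; return True if it is valid, else record an alert."""
        # Per-message format check (the "second approach" in the text).
        if len(payload) > MAX_PAYLOAD_LEN:
            self.alerts.append(f"{kind}: length {len(payload)} exceeds limit")
            return False
        # Whole-stream check: is this message kind permitted in this state?
        # Unknown kinds also fail here (no valid symbol for the protocol).
        nxt = TRANSITIONS.get((self.state, kind))
        if nxt is None:
            self.alerts.append(f"{kind} not permitted in state {self.state}")
            return False
        self.state = nxt
        return True


def check_stream(packets):
    """Run a whole packet sequence; return (final_state, alerts)."""
    monitor = SessionMonitor()
    for kind, payload in packets:
        monitor.observe(kind, payload)
    return monitor.state, monitor.alerts


# Constructed sample streams: one normal session, one that sends DATA
# before the handshake has completed.
NORMAL = [("SYN", b""), ("ACK", b""), ("DATA", b"GET / HTTP/1.0\r\n"),
          ("FIN", b""), ("ACK", b"")]
DEVIANT = [("SYN", b""), ("DATA", b"x" * 8), ("ACK", b"")]
```

A format-only screen would pass every packet in DEVIANT, since each is well formed; only the state model flags the DATA message sent before the session was established.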