1. Field of the Invention
This invention relates to the arts of networked computer system security, and especially to the arts of detecting and preventing unauthorized access or “log-on” to such computers.
2. Description of the Related Art
Networked computer systems are often provided with remote console or terminal capabilities, be it through a direct data connection or through a network such as a corporate intranet, a dial-up modem, or through the Internet.
The most fundamental form of security for preventing unauthorized remote access to these types of computer systems is a “log-on” or “log-in” procedure during which a remote user provides a user name or ID and a password. The log-on management process, typically provided in the computer system's operating system such as Unix, Linux, Microsoft's Windows [TM] or International Business Machines' (IBM) AIX [TM], checks the supplied user name and password against a registry of known system users. If the password and user name do not match an entry in the registry, the log-on attempt is denied. The user can then re-attempt the log-on; perhaps he or she incorrectly input their user name or password, or is trying one of several possible passwords they believe are correct. Typical log-on management processes will restrict the total number of failed attempts for a given user name, and will then require system administrator intervention to re-enable that user name.
In computer security parlance, “systematic attack” is a term which refers to an attempt to gain access to or control of a networked computer through a systematic approach, which is usually automated. In its simplest form, a systematic attack may simply comprise a series of log-in attempts using computer-generated user names and passwords in every combination possible, starting with, for example, all possible combinations of 5 characters and numbers (e.g. aaaaa, aaaab, aaaac, . . . 99999), and then progressing to 6 characters and numbers, then 7, etc., until a valid combination is found.
Most corporations who operate networked computer and information systems have established security policies which must be followed in the implementation of such systems in order to protect the assets of the corporation, including but not limited to database contents, e-mail and telephone lists, e-mail engines, web servers and web content, corporate sales and marketing data, and manufacturing information.
These corporate security standards typically apply also to all providers of network and computing services for practices used in and on network and computing environments within the corporation.
According to the security standards and policies used by IBM, Operating System Resources (OSR) file and directory permissions and owners are verified under their standard, which determines the configuration of the machine and verifies that default shipped passwords have been changed. The standard tool provided by IBM for meeting these requirements or objectives records login failure events when certain administrator-defined thresholds have been exceeded. For example, an administrator of a particular system may define 5 failures as a threshold to be recorded into a log file. The administrator may later review the log file to determine if there have been patterns of failures that may indicate a systematic attack occurred. Not only can this be a time-consuming task, but the tedious nature of the task may result in it not being thoroughly and routinely performed, leading to the possibility that systematic attacks are not noticed and appropriate security measures will not be taken.
Similar system administrator tools are used in other corporations for the same purpose, whether they be “third party” tools or proprietary tools.
A systematic attack may also be more sophisticated in its approach, in order to subvert any potential security measures running on the host machine: for example, pacing the log-in attempts over a period of hours or days so that the attempt is not made obvious to a system administrator by too many invalid login attempts in a short time, or randomizing the combinations tried to avoid creating a noticeable pattern in the failure log file.
Should a systematic attack be successful in finding a valid user name and password combination, the “user” or “hacker” may gain access to the computer system and proceed to steal corporate information, vandalize application programs and data, and even launch viruses and systematic attacks against other computer systems using the hacked system as the attacker in order to “cover his or her tracks” (e.g. make it more difficult to find the source of an attack).
For these reasons, a process of controls must be in place for detecting and handling systematic attacks, such as repeated attempts to “log on” to a networked computer. According to most corporate policies, a system security administrator should be notified whenever the number of revokes and invalid logon attempts exceeds an installation-defined limit.
Therefore, there is a need in the art for a system and method for detecting a systematic attack against a networked computer system. Preferably, this system and method shall provide the following capabilities to a system administrator, which are the basic requirements of such a systematic attack detector:
(a) report failed logins and revocations separately;
(b) allow the threshold for failed logins and the threshold for revocations to be set by the administrator;
(c) allow a specific time period for failed logins and revocations to be set; and
(d) write or output the results to a report file which may be examined by a system administrator or another process later.
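The following is an added illustration, not part of the patent or any vendor's tool, of how requirements (a) through (d) above can be met by counting failed log-ins and revocations separately per user inside an administrator-chosen time window; the log line format, the event names LOGIN_FAIL and REVOKED, the user names and the thresholds are all assumed for the example. The paced attack described earlier (attempts spread hours apart) is only caught when the time period is set wide enough, which is why requirement (c) matters.

```python
# Added example, not from the patent; log format, event names and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format "<ISO timestamp> <event> user=<name>":
# alice shows a burst of failures then a revocation; bob's failures are paced 4 hours apart.
SAMPLE_LOG = """\
2024-01-01T10:00:00 LOGIN_FAIL user=alice
2024-01-01T10:00:05 LOGIN_FAIL user=alice
2024-01-01T10:00:09 LOGIN_FAIL user=alice
2024-01-01T10:00:14 LOGIN_FAIL user=alice
2024-01-01T10:00:20 LOGIN_FAIL user=alice
2024-01-01T10:00:30 REVOKED user=alice
2024-01-01T11:00:00 LOGIN_FAIL user=bob
2024-01-01T15:00:00 LOGIN_FAIL user=bob
2024-01-01T19:00:00 LOGIN_FAIL user=bob
2024-01-01T23:00:00 LOGIN_FAIL user=bob
2024-01-02T03:00:00 LOGIN_FAIL user=bob
"""

def parse_log(text):
    """Yield (timestamp, event, user) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, event, user_field = line.split()
        yield datetime.fromisoformat(ts), event, user_field.split("=", 1)[1]

def detect(log_text, fail_threshold, revoke_threshold, window_hours):
    """Requirements (a)-(c): separate per-user counts of failures and revocations within a sliding window."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(lambda: {"LOGIN_FAIL": [], "REVOKED": []})
    for ts, event, user in parse_log(log_text):
        per_user[user][event].append(ts)
    report = {}
    for user, kinds in per_user.items():
        for kind, limit in (("LOGIN_FAIL", fail_threshold), ("REVOKED", revoke_threshold)):
            times = sorted(kinds[kind])
            start, peak = 0, 0  # peak = most events of this kind falling inside any one window
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                peak = max(peak, end - start + 1)
            if peak >= limit:
                report.setdefault(user, {})[kind] = peak
    return report

def write_report(report, path):
    """Requirement (d): write the findings to a file for later administrator review."""
    with open(path, "w") as fh:
        for user, kinds in sorted(report.items()):
            fh.write(f"{user}: " + ", ".join(f"{k}={n}" for k, n in sorted(kinds.items())) + "\n")
```

With a one-hour window only alice's burst is reported; widening the window to 24 hours also surfaces bob's paced attempts.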
Further, there is a need in the art for this new method and system to be realizable and useful for a variety of operating systems and computer platforms, such as Unix, Linux, IBM AIX [TM], IBM OS/2 [TM], or Microsoft Windows [TM].