In recent years the Internet has seen the eruption of numerous fast-spreading worm attacks. Unlike viruses, a worm is a self-propagating code that automatically spreads itself from one infected machine to others. The worm author typically identifies a security vulnerability in a relatively widespread service. The author then devises a computer program that scans the Internet for vulnerable servers, utilizes the security vulnerability to take control of these servers and transfers the malicious program code to each of the attacked servers, thus “infecting them with the worm.” Each infected server continues to scan the Internet and infect new servers, resulting in an exponential spreading pattern. Worm infection is often a method for launching coordinated Distributed Denial of Service (DDoS) attacks, in which a target host is bombarded with a large amount of traffic from multiple sources, eventually preventing it from serving its legitimate clients.
Worm attacks may spread so quickly that within seconds after a new attack is initiated, it is already widespread, infects many servers, and causes significant worldwide service disruptions. Research and simulations show the importance of beginning countermeasures against worm attacks as soon as possible after the initial outbreak. Provos, in a research paper entitled “A Virtual Honeypot Framework”, Technical Report 03-1, CITI (University of Michigan), October 2003, which is incorporated herein by reference, demonstrates by simulation that in order to have hope of containing an epidemic before 50% of the vulnerable hosts become infected, preventive action must begin before 5% of these hosts are infected.
Two major approaches are known in the art for mitigating Internet attacks: signature-based and anomaly-based. Worm signatures are byte patterns that typically appear as part of malicious traffic. These patterns are often parts of the payload code that the worm uses in its infection attempts. Traffic sequences with payloads that match a worm signature can be assumed to carry malicious code. The signature-based approach, utilized in Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), provides detection and prevention of known worms by maintaining an updated worm-signature database and blocking every session that contains a worm signature.
The anomaly-based approach establishes a baseline of normal network behavior, and interprets deviations from that baseline as suspicious. This technique enables an anomaly detector to identify new attacks as they emerge, without the need for an updated signature database. However, to identify which sources are infected and should be blocked, the anomaly detection needs to wait for these sources to generate an anomaly. Consequently, some attack traffic is allowed to pass through into the protected network prior to blocking the source.
Several schemes have been proposed in which anomaly detection and signature-based detection are combined in a single solution. For example, Kim et al., in a paper entitled “Autograph: Toward Automated, Distributed Worm Signature Detection,” (Intel Research Seminar, Seattle, Wash., September 2004), which is incorporated herein by reference, describe a system for automatic generation of worm signatures. The system uses anomaly detection for collecting malicious traffic sequences and feeds them to a signature generator that attempts to find recurring byte patterns. The concept of combining anomaly detection with signature-based detection is also described in PCT Patent Publication WO 03/050644 A2, entitled “Protecting Against Malicious Traffic,” which is incorporated herein by reference.
The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which: