As more and more computers, and other computing devices, are inter-connected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware, or more simply, malware.
When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other systems.
A traditional defense against computer malware, and particularly computer viruses and worms, is anti-virus software. Generally, anti-virus software scans incoming data, arriving over a network, looking for identifiable patterns associated with known computer malware. Upon detecting a pattern associated with a known computer malware, the anti-virus software may respond by removing the computer virus from the infected data, quarantining the data, or deleting the infected incoming data. Unfortunately, anti-virus software typically works with known, identifiable computer malware. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the malware. One of the core deficiencies in this malware detection model is that an unknown computer malware may propagate unchecked in a network until a computer's anti-virus software is updated to identify and respond to the malware.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which computer malware is commonly distributed. As shown in FIG. 1, the typical exemplary networked environment 100 includes a plurality of computing devices 102-108 all inter-connected via a communication network 110, such as an intranet or via a larger communication network including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computing device connected to the network 110, such as computing device 102, develops a computer malware 112 and releases it on the network. The released computer malware 112 is received by, and infects, one or more computing devices, such as computing device 104, as indicated by arrow 114. As is typical with many computer malware, once infected, computing device 104 is used to infect other computing devices, such as computing device 106 as indicated by arrow 116, which in turn infects yet other computing devices, such as computing device 108 as indicated by arrow 118. Clearly, due to the speed and reach of the modern computer networks, a computer malware 112 can “grow” at an exponential rate, and quickly become a local epidemic that quickly escalates into a global computer pandemic.
In light of the above-identified problems, it would be beneficial to law enforcement organizations, anti-virus vendors, and other entities to have a system and method of tracing the release of malware in a communication network.