Computer attacks are common today. Some examples of computer attacks are buffer overflow attacks, malformed URL attacks, brute force attacks, viruses and worms. Most attacks are malicious in intent. Computer attacks are typically received via a network intranet or Internet interface targeted at the operating system or an installed service. While computer firewalls can prevent some types of malicious attacks they should not be considered a complete solution for stopping a malicious hacker from penetrating a computer on a network.
A computer virus is a computer program that is normally harmful in nature to a computer user. Computer viruses are received via several media, such as a computer diskette, e-mail or vulnerable program. Once a virus is received by a user, it remains “dormant” until it is executed by the user (or other program). The main difference of a virus versus a worm is the need for the user or program to execute the virus program for it to spread and infect others.
A computer worm is a computer program similar to a computer virus, except that a computer worm does not require action by a person to become active. A computer worm exploits some vulnerability in a system to gain access to that system. Once the worm has infected a particular system, it replicates by executing itself. Normally, worms execute themselves and spawn a process that searches for other computers on nearby networks. If a vulnerable computer is found, the worm infects this computer and the cycle continues.
Most computer attacks have a characteristic “signature” by which the attack can be identified. The signature can take various forms depending on the nature of the attack, but typically comprises several consecutive lines of plain text or executable code that are distinctive and appear in the attack. Once a signature is determined for a new computer attack, intrusion detection or intrusion prevention software can be created and distributed to customers. The intrusion detection or intrusion prevention software detects the attack from a network interface card (NIC) or when the attack attempts to pass through a firewall. The detection is by a “key word” search for the signature of the attack. The intrusion prevention or intrusion detection software will then thwart the attack by deleting it or preventing its execution by appropriate command to the operating system.
It is important to identify new computer attacks (and their signatures), as soon as possible after the new attack is released. Then, its signatures can be identified and the intrusion prevention or intrusion detection software can be created and distributed to customers.
Likewise, it is important to detect a manual attempt to “hack” a victim's server or workstation, whereby a (hacker) person at a remote workstation attempts in real time to gain access to the victim's server or workstation. This typically begins by the hacker entering many combinations of userIDs and passwords, hoping that one such combination will gain access to sensitive software or data in the server or workstation. Hacking can also be facilitated if there is an improper configuration to a server which allows unknown third parties to gain administrative authority to a program or data base. After a hacking, there will usually be some residual evidence in log files or as binary executable code, as deleted or modified system files, etc.
A hacker may also transmit exploitation code to the victim's server or workstation, which code automatically exploits vulnerabilities in a victim's server, as would a hacker do manually. For example, a buffer overflow attack exploitation program exploits a vulnerability, typically caused by programmer error, that allows for arbitrary code execution on the target system. As another example, an attacker can inject special machine code into a program variable (usually input by a user) to cause arbitrary code execution in a program. This special code, once given to the program to execute, is placed in the correct area of computer memory, such that the executing program is unaware of the malicious intent of the injected code. There are several classes of buffer overflow, including format string, remote and local. It is important to thwart hackers (as well as viruses and worms).
An Intrusion Detection System (“IDS”) is currently known and has a known (i.e. “used”) address to detect known computer attacks by matching key aspects of that attack to a known “signature”. The IDS is associated with an enterprise, and has a list of known signatures of known viruses and worms, and other common attacks. The IDS searches each packet it receives for the known signatures, and thereby detects when the enterprise is being “attacked” by virus, worm or any other attack which has a known signature. When this occurs, the IDS notifies a security operations center (“SOC”), and the SOC will check that the proper anti-virus, anti-worm or other intrusion protection software is currently installed in the enterprise or customer network. While the IDS is effective in safeguarding an enterprise against known “exploits” (for example, computer viruses, worms and exploitation code), it does not identify or safeguard against new exploits for which the signatures are not yet known.
A “honeypot” is currently known to collect suspicious Internet message packets. The honeypot is a device such as a server, workstation or embedded device (for example, an old workstation, Single Board Computer (SBC) or de-commissioned server) that has an IP address on the Internet or company intranet, but the IP address is unused, i.e. the device has no function that requires input or service from any other server or workstation, the IP address is not registered with a domain name service, the IP address is not sent or broadcast to any other server or workstation, and the honeypot is not serving any useful function to the enterprise or network (other than gathering information). So, all packets sent to the honeypot are unsolicited and suspect. It is known for a human analyst to analyze all of the packets received by the honeypot to determine their type and whether they represent a known or unknown computer attack. For example, the analyst will determine which packets are harmless broadcast traffic, network administration, or web crawler requests. The analyst will also look for harmful known viruses, worms, and exploitation code contained in the packets. The analyst will also look at residual evidence of hacking in the honeypot (for example, changes to data bases, software, system files, etc.). The analyst will also identify new computer attacks by filtering through network packets (logged by the honeypot) for known attacks. Once known attacks are filtered, the analyst has a smaller set of data to analyze. This smaller set of data is scrutinized for anything suggesting a new attack. Packets must have a purpose or be explained before they are discounted as known or harmless. While the foregoing human analysis of the honeypot process is effective, it is time consuming, requires a computer savvy human to make the analysis and is prone to error. Also, the shear number of packets received by the honeypot delays the detection of new computer attacks, viruses, computer worms and exploitation code.
Therefore, an object of the present invention is to facilitate the identification of new computer viruses, worms, exploitation code or other unwanted intrusions.