As E-commerce, or doing business over the Internet, becomes a way of life rather than a novel commercial activity, protecting computer systems against malicious attacks or alleged pranks will be vital to both businesses and individuals because of the potential for economic disaster. In other words, because businesses and individuals are becoming more and more dependent upon computer systems, and upon computer systems that are integrated with the Internet, any interruption in service or attack on such computer systems could have devastating financial repercussions.
Attacks on computer systems that are integrated with the Internet typically comprise malware. Malware is a term of art formed by combining the word “malicious” and the word “software”. Examples of malware include, but are not limited to, the following: computer viruses, worms and Trojan horses. A computer virus is a broad term for a program that replicates itself. A virus can cause many different kinds of damage, such as deleting data files, erasing programs, or destroying everything found on a computer hard drive. Not every virus causes damage; some viruses simply flash annoying messages on a computer screen. A virus can be received by downloading files from the Internet to a personal computer. A personal computer can also be infected with a computer virus when files are sent via e-mail over the Internet or through a company's internal network.
Similar to viruses, worms are programs designed to infect networks such as the Internet. They travel from network computer to network computer, replicating themselves along the way. Unlike traditional computer viruses and worms, Trojan horses emulate their Homeric namesake by pretending to be a program that a user wants to launch. Trojan horses can be programs or files that disguise themselves as normal, helpful programs or files, but in fact are viruses. For example, if a program purported to be a financial calculator, but really deleted every file on your hard disk, that program would be called a Trojan horse. One of the most famous Trojan horses of all was “Melissa”, which was disguised as a Word document sent via e-mail. The “Melissa” Trojan horse wreaked enough havoc that it crashed many Internet and corporate mail servers.
In addition to the malware mentioned above, other computer incidents can include attacks against an Internet service provider (ISP) or any computer connected to the Internet. One of the most common attacks against an ISP or any computer connected to the Internet is called a Smurf attack, or smurfing. In a Smurf attack, a target, such as an ISP or a computer connected to the Internet, is flooded with so many “garbage” packets that all of the target's available bandwidth is used up and the target, the customers of the target, or both cannot send or receive data by using e-mail, browsing the web, or any other Internet service. In a Smurf attack, a commonly used Internet service, such as the echo request packet generated by a packet Internet groper (PING) program, is exploited. A PING program, utilizing echo request packets, permits a user to determine whether a particular computer or server is currently attached to the Internet and is working.
When a computer or server receives an echo request packet generated by a PING program, it sends a return echo response packet to the user who sent the echo request packet. In a typical Smurf attack, the return address of a broadcast echo request packet is forged so that the return echo response packets do not go back to the computer incident source that generated the harmful broadcast echo request, but instead go back to the target. Smurf attacks are difficult to fight since the echo response packets originate from legitimate networks and not from the computer incident source. The source of each echo response packet must be tracked down, and then that source, such as a network, is asked to disallow echo requests to broadcast addresses. Adding to the complexity of the situation, when a target goes down, legitimate customers will often send echo request packets to see whether the target is operating. Therefore, a target under a Smurf attack has a very difficult time separating legitimate echo packets from Smurf echo packets.
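The Smurf mechanism described above can be recognised from packet records at two points: at the amplifying network, as echo requests addressed to a directed-broadcast address, and at the target, as echo replies arriving from many distinct hosts to which the target never sent a request. The following is an added example (not code from the original document) that applies both checks to a constructed sample of ICMP packet records; the log format, addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the original document). Each line is:
# timestamp, source address, destination address, ICMP type (8 = echo request, 0 = echo reply).
# Line 1 is a forged-source echo request to the 192.0.2.0/24 broadcast address; the
# four replies it provokes go to 203.0.113.7, the real target. Lines 6 and 7 are a
# legitimate request/reply pair.
SAMPLE_LOG = """\
1 203.0.113.7 192.0.2.255 8
2 192.0.2.10 203.0.113.7 0
2 192.0.2.11 203.0.113.7 0
2 192.0.2.12 203.0.113.7 0
2 192.0.2.13 203.0.113.7 0
3 198.51.100.5 198.51.100.9 8
3 198.51.100.9 198.51.100.5 0
"""

ECHO_REQUEST, ECHO_REPLY = 8, 0

def parse_log(text):
    """Parse the constructed record format into (ts, src, dst, icmp_type) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, icmp_type = line.split()
            records.append((int(ts), ipaddress.ip_address(src),
                            ipaddress.ip_address(dst), int(icmp_type)))
    return records

def broadcast_echo_requests(records, local_nets):
    """Echo requests addressed to the broadcast address of one of our own subnets:
    the packets an amplifying network should refuse to forward."""
    broadcasts = {ipaddress.ip_network(n).broadcast_address for n in local_nets}
    return [(str(src), str(dst)) for _, src, dst, t in records
            if t == ECHO_REQUEST and dst in broadcasts]

def unsolicited_reply_fanin(records, min_sources=3):
    """Map each destination to the number of distinct hosts that sent it an echo
    reply without ever receiving an echo request from it. A target sees the Smurf
    flood as exactly this: replies from many hosts it never pinged."""
    requested = {(src, dst) for _, src, dst, t in records if t == ECHO_REQUEST}
    sources = defaultdict(set)
    for _, src, dst, t in records:
        if t == ECHO_REPLY and (dst, src) not in requested:
            sources[dst].add(src)
    return {str(dst): len(s) for dst, s in sources.items() if len(s) >= min_sources}
```

The request/reply pairing is what lets the target tell the flood apart from legitimate customers' pings: a legitimate reply always answers a request the target itself sent.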
As noted above, the nature of a distributed network, such as the Internet, makes it vulnerable to attack. The Internet was designed to allow for the freest possible exchange of information, data, and files. However, this free exchange of information carries a price: many users will try to attack the Internet and computers connected to the Internet; many users will also try to invade other users' privacy and attempt to crack databases of sensitive information or snoop around for information as it travels across Internet routes.
While many intrusion detection systems (IDS) and software programs that can gather information or make changes to security configurations of network computers (or both) currently exist, these conventional systems do not meet the threshold necessary to be admissible in a court of law. In other words, most conventional detection systems do not generate substantive evidence in the form of written records that can be admitted as tangible evidence during a trial. Furthermore, conventional intrusion detection systems do not provide a systematic approach to computer incidents that is readily reproducible. The conventional art typically requires highly skilled programmers or security administrators, who probably do not have any training in the production of forensic evidence: evidence that can be admitted into a court of law because of its authenticity, accuracy, and completeness.
Additionally, conventional intrusion detection systems in existing software do not provide any instruction as to how to accurately track and maintain a record of computer security incidents. At most, the conventional art may provide specific tools or software that permit the real time monitoring of packets on a network link by comparing packets against a library of signatures or by detecting unusual patterns in packets, or monitoring activity on a host/network device by comparing the activity against a library of signatures or by detecting unusual patterns of computer behavior. The prior art does not provide any uniform or systematic approach to detecting, monitoring, and responding to computer security incidents.
Accordingly, there is a need in the art for a method and system for determining whether an actual security incident exists. That is, there is a need in the art to determine whether security within a network or over a network has been compromised, or whether an incident is just some odd behavior that should be disregarded. Another need exists in the art for a method and system for automatically creating a record of one or more security incidents, and of the reactions thereto, that can be admitted as evidence in a court of law. There is a further need in the art for a method and system that records the detection of and responses to computer incidents in a form that is also permanent and protected. A further need exists in the art for a uniform and systematic approach to documenting and responding to computer incidents that is readily reproducible. Additionally, there is a need in the art for a method and system for organizing and recording the actions taken in response to one or more computer security incidents that permits less skilled users to conduct investigations and respond to security incidents. A further need exists in the art for a method and system for automatically creating a record of one or more computer security incidents that permits advanced users to implement their own procedures when investigating and responding to computer security incidents. Another need exists in the art for a method and system for automatically creating a record of one or more computer security incidents that is adaptable or modifiable so that evolving computer threats can be assessed and neutralized.
Similarly, another need exists in the art for a method and system for creating a record of one or more security incidents that is flexible. In other words, there is a need in the art for a method and system for investigating and responding to computer security incidents that provides a step-by-step approach which can be interrupted at any time to prevent network security breaches, to stop any potential damage to a network, and to provide adequate time to investigate an incident before reacting to it. An additional need in the art exists for a method and system for creating a record of computer incidents that can be programmed to automatically respond to computer security incidents that match predefined criteria. A further need exists for a method and system for selecting a computer that is strategically located relative to a source of a computer security incident such that the computer can interrogate the source of the computer security incident.
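One concrete way to make a step-by-step record of detection and response actions "permanent and protected" in the sense required above is to chain each entry to a hash of the entry before it, so that any later alteration, deletion or reordering of a step is detectable on verification. The following is an added illustration of that technique (not the method of the original document, which does not specify how its record is protected); the incident identifier, actors and step contents are constructed.

```python
import hashlib
import json

class IncidentRecord:
    """Append-only record of incident steps. Each entry carries the hash of the
    previous entry, so the chain as a whole commits to every step in order."""

    GENESIS = "0" * 64  # pseudo-hash for the entry before the first one

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the hash is independent of key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, step, actor, details):
        """Record one detection or response step and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "incident": self.incident_id,
                "step": step, "actor": actor, "details": details, "prev": prev}
        body["hash"] = self._digest({k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the
        first entry whose content, position or link to its predecessor is wrong)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def build_sample_record():
    """Constructed example of a three-step investigation (identifiers are hypothetical)."""
    rec = IncidentRecord("INC-0001")
    rec.append("detect", "sensor-A", "unsolicited echo replies from 4 hosts to 203.0.113.7")
    rec.append("investigate", "analyst", "broadcast echo requests observed at 192.0.2.255")
    rec.append("respond", "analyst", "asked source network to disallow echo to broadcast addresses")
    return rec
```

The chain protects the record only if its latest hash is also stored somewhere the record keeper cannot silently change (for example, published or countersigned); the code above shows the detection of alteration, not that external anchoring.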