As information technology progresses rapidly and the Internet becomes ubiquitous, the daily life pattern of society changes. Although information technology has brought much convenience, the related security problems have also risen to an alarming level. Recent attacks on network security vulnerabilities have caused much damage to society. Network security is one of the most prominent issues in modern society.
Although most organizations and institutes have an Internet firewall in place, the firewall installation itself is insufficient to assure network security. When web pages are replaced or any internal host is implanted with a backdoor program, the firewall can be bypassed and security is compromised. In the development of network security, the multi-layer security defense mechanism includes a second-layer defense mechanism, namely the intrusion detection system (IDS), which is gaining popularity.
However, the detection function of the conventional IDS is based on intrusion rules and signature information instead of behavior. Therefore, intrusion detection is limited to pre-defined system events. The major drawback of this type of detection mechanism is that malicious codes, which refer to machine codes entering a software system to execute unauthorized operations, may come as an unforeseeable combination.
FIG. 1 shows a schematic view of a conventional memory structure. The well-known buffer overflow is used to explain the operation of a malicious code. The buffer overflow includes stack overflow and heap overflow. As shown in FIG. 1, a memory 10 at least includes three segments, namely, a code segment 11, a data segment 12, and a heap segment 13. When a program copies data to a local variable, it does not check the range limitation of the buffer, so that the data segment 12 or heap segment 13 holding the buffer overflows with data originating from the malicious code, which leads to a segmentation fault. After that, the intruder can modify an instruction pointer 14, or use a return address to change the flow of the program, or execute the attack assigned by the malicious code.
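The unchecked copy that FIG. 1 describes, placed beside a copy that applies the missing range limitation, as an added illustration that is not part of the application's text; BUF_LEN, copy_unchecked and copy_checked are names chosen here, and the bounded form works the same for a stack buffer or a heap buffer because the caller passes the buffer's capacity.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_LEN 16

/* Vulnerable form (the pattern FIG. 1 describes): the copy into the
 * local variable never compares the input length with the buffer size,
 * so an over-long input runs past the end of the buffer. */
void copy_unchecked(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);            /* no range limitation on the buffer */
    printf("%s\n", buf);
}

/* Hardened form: the input is measured against the buffer's capacity
 * before any byte is copied; input that would not fit (including the
 * terminating NUL) is refused instead of overflowing. */
bool copy_checked(char *buf, size_t buf_len, const char *input)
{
    size_t n = strlen(input);
    if (buf_len == 0 || n >= buf_len)
        return false;              /* would overflow: reject the copy */
    memcpy(buf, input, n + 1);     /* copies the terminator as well */
    return true;
}

int main(void)
{
    char buf[BUF_LEN];
    /* constructed inputs: one that fits, one that would overflow */
    const char *ok = "hello";
    const char *too_long = "this string is longer than sixteen bytes";
    printf("short input accepted: %d\n", copy_checked(buf, sizeof buf, ok));
    printf("long input accepted:  %d\n", copy_checked(buf, sizeof buf, too_long));
    return 0;
}
```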
Because the malicious code is written by the intruder, the intruder can modify it or write different code to suit the purpose of the attack; therefore, the attack can have a different signature, so that a pre-defined signature analysis may mistake and miss the attack. In addition, the ubiquity of the Internet has caused the widespread distribution of malicious codes, which further exposes the drawbacks of the pre-defined signature analysis approach.
The conventional IDS relies on specific and known data, known as a signature, to identify whether an attack has occurred. As attack techniques and types are continually evolving, the conventional signature database faces the problem of size explosion and is still insufficient to contain the necessary information.
It is therefore necessary to provide a detection method and apparatus that satisfy the following two conditions: first, the detection does not rely on signatures, so as to dispense with the signature database; and second, the detection method must have a high rate of correct detection.