Most present-day DoD computers are monitored and protected by host-based security software such as malware detectors, virus signature detection engines, and signature- or protocol-based intrusion detection software. Because of the sophistication of today's exploitation code, these host-based security defenses can be easily modified or disabled, leading to generalized system vulnerabilities. Moreover, advanced exploitation code has been known to thwart or bypass some of the most advanced detection modules and gain a persistent foothold within the computer system's underlying hardware/firmware structure. This may result in a pervasive and persistent presence on the affected node(s).
These system vulnerabilities are a result of the inherent design of the underlying operating system and its associated memory utilization structure. In the most fundamental explanation, the operating system manages the allocation and utilization of the computer system's memory space. Specialized areas within these allowable memory ranges are assigned by the operating system to perform various system-level functions. These memory areas or ranges are most generally categorized as either protected or unprotected. The most trusted operating system processes, including the aforementioned security protection tools, are for the most part assigned to and run within the protected memory space. User applications and data processes are mostly run in the unprotected memory domain. Exploitation code is crafted to subvert the operating system's protection domains, which can result in a vulnerable or exploited system.
If we now consider the network security environment in a large-scale enterprise, we can identify several key system-level design flaws that leave the aggregated system with vulnerabilities and open to advanced persistent threats. The common means of securing both local and enterprise networks is centered on the concept of “defense in depth”. In this structure, network security components are designed and positioned on a network at various hierarchical points of observation and control. For example, the network point of presence (PoP), or the point where the telecommunications carrier lines enter a facility, is typically the point where a majority of network command, control, and monitoring takes place. In an effort to control the points of entry into the enterprise, a series of incremental PoP consolidation actions were taken over the last decade. The current notional architecture can best be described as a set number of regional network operation centers, each of which provides basic network services to a number of underlying service units or joint bases across the enterprise.
At these network enterprise-level entry points, a series of appliances (software and hardware) are arranged and configured to perform a multitude of security application functions. Some of the more common systems employed perform services such as intrusion detection and prevention, network-level firewalling, data analytics, routing and switching, and system-level enterprise management and control. More detailed functions of some of these applications may include packet filtering and routing; signature monitoring, detection, and reporting; proxy port services with redirects; application, port, and protocol routing and filtering; email filtering, scanning, and containment; HTML (web browser) flow monitoring; and public key infrastructure services.
The security appliances and capabilities listed are not an exhaustive list but are a majority representation of the protection and control systems commonly in use across major enterprise networks. In general, each of the outlying service units and satellite installations has retained a certain level of network service capabilities (routing, switching, proxy services, and firewalling); however, as a standard of practice, a majority of the network services are established at the distributed regional centers. This system-level approach of PoP consolidation combined with a distributed defense-in-depth network security structure has significantly reduced (albeit not completely stopped) the external exploitation vectors which previously existed; however, other exploitation vectors within the enterprise have emerged.
The primary and distinct disadvantage of this latest network security architecture construct is the inability of these upper hierarchical-level security systems to monitor, collect, analyze, and control security-relevant activities in the lower-level enclaves. The task of security monitoring at these lower enclave levels has been levied on the end systems or host computers which reside on the network. These systems, as previously described, are subject to system-level exploitation by a multitude of attack methodologies such as advanced malware, spyware, and botnets. The exploits are able to persist or propagate within and across these lower-level enclaves, often bypassing the upper-level security appliances.
Therefore, there exists a need in the art for a host-implemented security apparatus operating independently from the operating system and memory space of the host machine.