1. Field of the Invention
The present invention relates to the propagation of malicious code through a network of interconnected computing entities, and to the restriction of the propagation of such code.
In current network environments virtually any computing entity (or “host”) is at one time or another connected to one or more other hosts. Thus, for example, in the case of an IT environment, a host in the form of a computer (such as a client, a server, a router, or even a printer) is frequently connected to one or more other computers, whether within an intranet of a commercial organisation or as part of the Internet. Alternatively, in the case of a communications technology environment, a host in the form of a mobile telephone is, merely by virtue of its intrinsic purpose, going to be connected to one or more other hosts from time to time, and an inevitable result is that the opportunities for the propagation of malicious code are enhanced.
Within the context of this specification malicious code is data which is assimilable by a host and which may cause a deleterious effect upon the performance of either: the aforesaid host; one or more other hosts; or a network of which any of the above-mentioned hosts is a part. One characteristic of malicious code is that it propagates, either through self-propagation or through human interaction. Thus, for example, a virus typically acts by becoming assimilated within a first host, and subsequent to its assimilation may then cause deleterious effects within that first host, such as corruption and/or deletion of files. In addition the virus may cause self-propagation to one or more further hosts, at which it will then cause similar corruption/deletion and further self-propagation. Alternatively a virus may merely be assimilated within the first host and cause no deleterious effects whatsoever until it is propagated to one or more further hosts, where it may then cause such deleterious effects as, for example, corruption and/or deletion of files. In yet a further alternative scenario, malicious code such as a worm may become assimilated within a first host and then cause itself to be propagated to multiple other hosts within the network. The worm may have no deleterious effect upon any of the hosts by which it is assimilated; however, the self-propagation through the network per se may be of a sufficient magnitude to have a negative effect on the speed of “genuine” network traffic, so that the performance of the network is nonetheless affected in a deleterious manner. One example of such a worm is the Code Red worm which, once assimilated within a host, operates automatically to generate Internet Protocol (“IP”) addresses of other potential hosts at random, and then instructs the host to send a copy of the worm to each of these randomly-generated IP addresses.
Although not all of the randomly-generated IP addresses may actually be occupied by hosts, a sufficient number of them are to enable the worm to self-propagate rapidly through the Internet and to harm the performance of the network as a result of the amount of extra traffic generated. The three examples given above are intended to illustrate the breadth of the term malicious code, and are not intended to be regarded in any way as exclusively definitive.
It has been established that in situations where malicious code is likely to cause deleterious effects upon either one or more hosts or the network infrastructure as a whole, one of the most important parameters in attempting to limit and then to reverse such effects is the speed of its propagation. Human responses to events are typically one or more orders of magnitude slower than the propagation speeds of malicious code, and so substantial difficulties frequently arise within a network before any human network administrator is either aware of the problem or capable of doing anything to remedy it. Therefore any reduction in the initial rate of propagation of malicious code through a network is likely to be of benefit to attempts to limit any negative effects and/or to remedy them.
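To make the point about propagation rate concrete, the following is an added illustration, not part of the specification: it applies the standard logistic epidemic model to a random-scanning worm of the Code Red type and compares how long half of the susceptible hosts take to become infected at two per-host probe rates. The probe rates, the 360,000 susceptible hosts and the 2^32 IPv4 address space are assumed values chosen for the example; the code tracks expected counts only and opens no connections.

```python
"""Logistic model of a random-scanning worm (added illustration).

Assumed, not taken from the specification: each infected host probes
`scans_per_second` uniformly random IPv4 addresses, `vulnerable` of the
2**32 addresses are susceptible, and every probe that reaches an
uninfected susceptible host infects it at once.  Counts only; no network.
"""
from __future__ import annotations

ADDRESS_SPACE = 2 ** 32  # size of the IPv4 address space


def simulate(vulnerable: int, scans_per_second: float, seconds: int,
             initially_infected: int = 1) -> list[float]:
    """Expected number of infected hosts after each second (index = t)."""
    infected = float(initially_infected)
    history = [infected]
    for _ in range(seconds):
        # Probes issued this second times the chance each lands on a
        # susceptible host that is not yet infected.
        susceptible = vulnerable - infected
        new = infected * scans_per_second * susceptible / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)
        history.append(infected)
    return history


def time_to_fraction(history: list[float], vulnerable: int,
                     fraction: float) -> int | None:
    """First second at which at least `fraction` of hosts are infected."""
    target = fraction * vulnerable
    return next((t for t, n in enumerate(history) if n >= target), None)


def compare_rates(vulnerable: int = 360_000, fast: float = 10.0,
                  slow: float = 1.0, horizon: int = 72 * 3600) -> dict:
    """Time to half-infection and 1-hour spread for two per-host probe rates.

    Infection time scales inversely with the per-host rate, so limiting
    how quickly one host can reach new hosts buys the defender time.
    """
    results = {}
    for label, rate in (("fast", fast), ("slow", slow)):
        hist = simulate(vulnerable, rate, horizon)
        results[label] = {
            "seconds_to_half": time_to_fraction(hist, vulnerable, 0.5),
            "infected_after_1h": round(hist[3600], 1),
        }
    return results
```

Under these assumptions the time to half-infection grows by the same factor by which the per-host probe rate is reduced, which is why the initial propagation rate, rather than the eventual reach, is the parameter a human responder is racing against.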
2. Description of Related Art
One existing and relatively popular approach to tackling the problem of the propagation of malicious code within a network may be thought of as an absolutist approach. Infection is prevented using what is known, in common usage, as ‘virus-checking’ software (although, in fact, it typically operates to check for all forms of known infection, by worms, Trojan Horses, spyware and so on), which attempts to check all incoming data, for example email attachments. If subsequently an infection is discovered within a host, that host is typically removed from the network immediately and the infection removed. In accordance with this philosophy each host may be thought of as contributing to protecting the network against widespread infection firstly by avoiding incidence of infection, and secondly, in the event of infection, by its sacrificial removal from the network.