Computers get attacked by malicious software like viruses, worms, and so on. Signature based anti-virus systems and methods take a prophylactic approach to attempt to protect computers by recognizing known unique strings within strains of malicious software and then taking actions like quarantining the code, removing the code, disabling the code, and so on. However, signature based anti-virus systems may tend to lag behind virus writers leaving a computer vulnerable to newly written viruses that do not include known, identifiable unique strings. In one example, a virus signature may be regarded as being a set of bytes in a code fragment that uniquely identify the code fragment as a virus.
Computers with which an infected computer may communicate may also be vulnerable. For example, during virus propagation, an infected machine may attempt to connect to a large number of different machines in a short time period. By contrast, an uninfected machine may attempt fewer connections, and those connections may be locally correlated, representing repeat connections to recently accessed machines.
Thus, some computers may also use immune response-like approaches like virus throttling. These types of systems and methods attempt to respond to viruses that have not yet been identified by their signature and thus for which there is no vaccine. Therefore, “immune response”, as used herein, refers to recognizing that a system like a computer may be infected and then taking actions in response to the virus. The “immune response” does not depend on identifying what virus is infecting a computer, merely identifying that a virus is infecting a computer. Virus throttling techniques identify when a computer is exhibiting suspicious “virus-like” behavior and then take preventative measures. For example, if a computer begins to make unusual connections and/or unusual numbers of connections, then it may be infected and under the influence of malicious software. A virus throttling technique may therefore make it more difficult, if possible at all, for the affected computer to make connections to other computers. This facilitates mitigating damages to other computers.
In one example, a throttling system or method may implement a filter on a network stack. The filter may be configured with a set of timeouts that facilitate restricting the rate of connection establishment to new hosts. Normal behavior will not stress the timeouts and thus will not be affected. However, abnormal behavior like a large number of attempted connections to a large number of newly accessed machines in a short period of time may stress the timeouts and thus be restricted. This may be referred to as “behavior blocking” in that a policy for allowed behavior(s) of a system are defined and transgressions of those policies are detected and responded to. Virus throttling based behavior blocking seeks to mitigate damages incurred when a system is infected by limiting the rate of connections to new hosts and thus limiting the spread of the infection.
Throttling systems may have components that operate substantially in parallel. A connection system may identify whether connection requests are directed to hosts outside the typical set of hosts accessed by the system while a timing system may limit the rate at which those connections may be made. The rate at which connections may be made may depend, for example, on the volume of connections that are being attempted. Throttling systems have been demonstrated to be effective in determining that a system is exhibiting behavior associated with virus infection and also in limiting the spread of the infection by choking off communications leaving the system.
Viruses may attempt to spread from computer to computer by attaching themselves to a host program that may be transmitted to computers reachable from an infected system. Worms may scan networks and attempt to replicate themselves. One main threat from viruses and worms is their ability to rapidly infect large numbers of hosts and to negatively impact computer networks by creating vast amounts of network traffic. Malicious software becomes even more dangerous when it spreads faster than it can be eradicated.
Under normal conditions, a computer may have a relatively low rate of connections and a relatively short list of computers to which it connects. Under infected conditions, an infected system may have a relatively high rate of connections and relatively large list of computers to which it attempts to connect. Thus, throttling systems may, upon detecting a connection request, identify the intended destination to determine whether it is on the short list of commonly accessed systems. If so, it may be processed directly. If not, the packet may be sent to a delay queue. Packets may be released from the delay queue at regular intervals and then processed. The rate at which packets are released may be configurable. In one example, if the delay queue holds several packets for the same host, when the first of these packets is processed, the remaining packets may also be processed. However, if the delay queue fills because, for example, the rate of new connection requests exceeds an acceptable rate, then this may be an indication of suspicious infection-indicating behavior.