1. Field of the Invention
This invention pertains in general to computer network security, and in particular to network firewalls.
2. Description of the Related Art
Private networks, such as those operated by businesses or other enterprises, are often connected to a public network such as the Internet. The private networks typically include a firewall positioned at the intersection of the private and public networks. The firewall monitors traffic passing between the networks and blocks unauthorized and/or malicious traffic. The firewall thus prevents malicious entities on the public network from accessing the resources of the private network, and prevents entities on the private network from accessing unauthorized resources of the public network.
A more recent trend in network security is to run so-called “personal firewalls” on the computer systems used by the end-users to access the network. For example, the desktop computer utilized by an employee of an enterprise can run a personal firewall. The personal firewall monitors network activity to/from the computer and blocks malicious traffic.
An advantage of a personal firewall is that it can apply a different security policy to each process executing on the computer. When a personal firewall is first installed on a computer, the personal firewall typically detects each attempt by a process to access the network. With each attempt, the firewall presents a dialog box to the end-user saying something to the effect of “Process X has attempted to access the Internet. Allow it to proceed?” The end-user responds to the dialog box by indicating whether the firewall should allow or block the network access. The personal firewall remembers the end-user's choices and applies the same security policy the next time the process attempts to access the network.
A problem with relying on end-users to establish security policies is that the end-users are often not sophisticated enough to evaluate the security threat posed by a given process. A typical end-user might not have any idea whether a process should be allowed to access the network. Some personal firewalls attempt to solve this problem by including additional information in the dialog box, such as the destination address and/or protocol of the access request. However, this additional information often serves to further confuse the end-user. Another problem with this approach is that the personal firewall will remember and continue to apply the end-user's decision, even if it was incorrect.
Therefore, attempts have been made to provide greater intelligence to the personal firewall and remove or reduce its reliance on the end-user. In one personal firewall system, a team of security engineers employed, for example, by the manufacturer of the firewall analyzes popular and common processes to determine the processes' network usage characteristics. The engineers develop security policies based on the processes' characteristics, and these policies are distributed to the personal firewalls “in the field.”
The personal firewalls attempt to identify a particular process seeking to access the network, and apply a corresponding security policy developed by the engineers. However, it is often difficult to positively identify a process that is requesting network access. Certain characteristics of processes, such as the name and file size, can easily be spoofed by malicious software. Therefore, the personal firewalls must include a more reliable way to match a requesting process with its correct security policy.
This latter problem is especially difficult because even legitimate processes change frequently. Processes are often patched, upgraded, or otherwise modified either automatically or manually. These changes can occur so frequently that the engineering team cannot keep up. Therefore, there is a need for a way to reliably identify a process and match it with a corresponding security policy.
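An added illustration, not part of the patent's text, of the two identification problems described above: a policy table keyed on the spoofable attributes the text names (process name and file size) beside one keyed on a SHA-256 digest of the file contents. The digest-based lookup is a common approach assumed here for contrast, not a method the patent specifies; the in-memory file images and policy values are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """Stand-in for a program file on disk (constructed, not read from disk)."""
    name: str
    content: bytes

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


POLICY_ALLOW = "allow"
POLICY_BLOCK = "block"  # default applied to any process the firewall cannot identify

# Constructed samples: a known mail client, an impostor carrying the same
# name and padded to the same file size, and a patched build of the client.
legit = Executable("mailer.exe", b"legitimate mail client v1.0")
impostor = Executable("mailer.exe", b"malware" + b"\x00" * (legit.size - len(b"malware")))
patched = Executable("mailer.exe", b"legitimate mail client v1.1")

# The engineering team's distributed policy for the known client, stored two ways.
policies_by_attrs = {(legit.name, legit.size): POLICY_ALLOW}
policies_by_hash = {legit.sha256: POLICY_ALLOW}


def lookup_by_attrs(exe: Executable) -> str:
    """Match on name and size: the attributes the text says are easily spoofed."""
    return policies_by_attrs.get((exe.name, exe.size), POLICY_BLOCK)


def lookup_by_hash(exe: Executable) -> str:
    """Match on file contents: the impostor no longer matches, but neither does
    a legitimate update, which is the maintenance problem the text describes."""
    return policies_by_hash.get(exe.sha256, POLICY_BLOCK)


if __name__ == "__main__":
    for exe in (legit, impostor, patched):
        print(exe.name, exe.content[:10], lookup_by_attrs(exe), lookup_by_hash(exe))
```

Run as-is the impostor is allowed by the attribute lookup and blocked by the digest lookup, while the patched build is blocked by the digest lookup until the policy table is refreshed.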