If trends continue, e-commerce will continue to grow at an exponential rate every year. Protecting networked information systems and services, such as securing e-commerce transactions over wide-area networks, remains an elusive challenge of ever-growing importance and complexity. These systems and services are increasingly exposed to attacks, resulting in significant disruption of services and damages. Attackers can utilize a growing range of vulnerabilities to compromise a system or a service. Once a vulnerability is identified, an attacker can execute programs to detect further vulnerabilities and exploit them to compromise and potentially damage a large number of systems. For example, an attacker can use vulnerabilities of e-mail services or of www services to gain unauthorized access to confidential information or to transaction capabilities, potentially resulting in significant damage to the owners of these resources. As e-commerce deals with obtaining products and services in a direct exchange for a customer's money (typically by the customer's credit card), attacks on such systems are highly problematic. That is, because a customer uses his own money (e.g., in U.S. dollars) to buy a product or service (e.g., a resource) from a vendor's remote server, the vendor has little, if any, control over who accesses its resources. This will be explained in detail hereinbelow.
Examples of the types of attacks on a system include Denial of Service (DoS) attacks, identity stealing attacks, identity masquerading attacks, trojan horse attacks, runtime stack overflow attacks, and worm attacks. In a DoS attack, the attacker creates a large amount of activity that saturates a resource and prevents legitimate access to the resource. The attacker can render a service practically inaccessible to legitimate users for hours or days. In an identity stealing attack, an attacker steals a password of another entity, such as a legitimate client, and thus obtains the equivalent access rights of the legitimate client. In an identity masquerading attack, the attacker successfully pretends to be a legitimate client and thus gains access to the same resources as the legitimate client. In a trojan horse attack, a resource is exploited and the attacker gains access to all services that the conquered resource can access. In a runtime stack overflow attack, an attacker opens restricted accesses by compromising a resource with a runtime stack overflow. In a worm attack, the attacker exploits a bug in a resource to plant a virus that will spread to other resources in the network.
Unfortunately, attacks are very difficult to detect because detection requires instrumentation to monitor system and service activities, as well as to correlate this data to identify attack patterns. Current intrusion detection techniques typically provide ad-hoc instrumentation that requires off-line manual correlation analysis by expert security administrators. Attack detection typically occurs only after an attack has been made. Often attackers manage to alter the logs of intrusion monitoring instrumentation to prevent such detection.
In addition, current security protection techniques are insufficient to distinguish attacks from normal activities. Moreover, even when an attack has been detected and handled, the attacker can protect its identity and evade accountability for abuses and crimes it commits. Since an attacker can remove all identifying information from attack traffic, the attacker can use a system that has been compromised to execute implanted programs to launch attacks and eliminate traces that identify the source of the attack.
As can be appreciated, several factors increase the vulnerability of networked information systems and services to attacks. First, vulnerability increases with growth in scale (i.e., the number of components involved increases the range of possible vulnerabilities and dependencies), the growth in the variety of components involved (i.e., the range of vulnerabilities), and the growth in the complexity of operations management (i.e., security issues due to specific operating configurations).
Second, rapid changes in technologies increase the vulnerability of systems and services to attackers. A change in an updated component, or in an updated configuration in an existing component, can form new insecurities that can be used by attackers. In other words, an otherwise secure system can be rendered insecure by the addition of a single component. The combinatorics of interactions between new components and existing ones increase exponentially, and with it, the possibilities of vulnerable nodes.
Third, in the absence of a unifying security architecture, it is virtually impossible for component vendors to accomplish a coordinated protection paradigm. Therefore, as stated, protection is often left to ad-hoc designs and configurations, leaving insecure networks for attackers to exploit.
Networked information systems are typically managed by domain administrators. In the absence of a unified security architecture, domain administrators face increasing exposure to security risks and, further, they are unable to control, bound, or even quantify this exposure. Domain administrators require expensive expert manual labor to monitor and correlate access anomalies in order to detect an attack. Further, as stated above, such monitoring is typically accomplished through off-line non-realtime processes completed hours or days after the attack has been completed, giving sufficient time for an attacker to have possibly eliminated its traces.
A significant body of research and implementation work has been devoted to protecting individual resources or whole network domains. Two of the most commonly used protection techniques are (1) firewalls/security gateways (see, e.g., Cheswick and Bellovin, “Firewalls and Internet Security: Repelling the Wily Hacker,” Addison-Wesley, Reading, Mass., 1994), and (2) a combination of authentication and access control lists (see, e.g., Kaufman, Perlman, and Speciner, “Network Security—Private Communication in a Public World,” Prentice Hall series in computer networking and distributed systems, 1995; Kohl and Neuman, “The Kerberos® Network Authentication Service (V5),” RFC 1510, September 1993; Needham and Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Communications of the ACM, Vol. 21, December 1978, pp. 993-999; and Needham and Schroeder, “Authentication Revisited,” Operating Systems Review, Vol. 21, No. 1, January 1987).
Firewalls are typically computers that are positioned between an internal network and the external environment, and which filter the data packets being received or transmitted according to various criteria. Firewalls also proxy internal services, such as e-mail and the domain name system (DNS), for external requests in order to reduce the exposure of these services to attacks. However, firewalls (or other security gateways) have the disadvantage of offering only limited security. In addition, they slow down system operation and require complex configuration management to support access to new applications.
Authentication mechanisms, such as the well-known Kerberos® authentication mechanism, can verify the identity of network entities involved in a transaction. This verification is typically achieved through a certificate generated by a trusted certification authority. Certificates are valid for a period of time during which they authenticate the identities of the entities involved in a transaction. In the Kerberos® authentication mechanism, “tickets,” which are issued as part of the authentication between an entity and a resource it wishes to access, provide the entity with unlimited access to the resource during the validity of the ticket.
Access control lists (ACLs) determine whether an entity is authorized to access a specific resource. An ACL is associated with each resource whose access needs to be restricted. However, ACLs become prohibitively expensive as they grow in size: they are costly to store, difficult to maintain, and provide relatively little assistance in isolating attack sources, even once the source or sources of an attack have been identified.
Another commonly used protection system is known as an intrusion detection system, which can be classified in two main categories:
(a) misuse detection systems, which attempt to identify intrusions by monitoring systems to identify patterns of well-known attacks (see, e.g., Ilgun, Kemmerer, and Porras, “State Transition Analysis: A Rule-based Intrusion Detection Approach,” IEEE Transactions on Software Engineering, 21(3), pp. 181-199, March 1995); and
(b) anomaly detection systems, which attempt to distinguish between normal and abnormal access patterns (see, e.g., Lunt, Tamaru, et al., “A Real-time Intrusion Detection Expert System (IDES)—final technical report,” Technical Report, Computer Science Laboratory, SRI International, February 1992).
Many intrusion detection systems currently involve manual ad-hoc solutions; that is, they rely on the experience of the protection system creators to invent thresholds for differentiating normal from abnormal behavior, and employ hand-coded intrusion patterns in the attempt to identify intrusions. These practices limit the effectiveness and applicability of such intrusion detection systems to future unpredictable attacks. Furthermore, most intrusion detection systems are resource specific, which imposes restrictions on the correlation of events for detecting abnormal access patterns.
Over the past decade, significant research has been performed in the area of e-commerce, resulting in the development of several electronic payment protocols with respective financial institutions, for securing transactions over wide-area networks (see, e.g., Bellare, Garay, et al., “iKP-A family of secure electronic payment Protocols,” First USENIX Workshop on Electronic Commerce, pp. 89-106, July 1995; Chaum, Fiat, and Naor, “Untraceable Electronic Cash,” Advances in Cryptology-EUROCRYPT '92 Proceedings, Springer-Verlag, 1990, pp. 319-327; Jarecki and Odlyzko, “An Efficient Micropayment System Based on Probabilistic Polling,” in Proc. of Financial Cryptography '97, R. Hirschfeld, ed., Lecture Notes in Computer Science, Springer, 1997; Manasse, “The Millicent protocols for electronic commerce,” Proceedings of the first USENIX Workshop on Electronic Commerce, July 1995; Okamoto and Ohta, “Universal Electronic Cash,” Advances in Cryptology, CRYPTO '91 Proceedings, Springer-Verlag, 1992, pp. 324-337; Pedersen, “Electronic Payment of Small Amounts,” Cambridge Workshop of 1996; Schneier, B., “Applied Cryptography,” second edition, John Wiley & Sons, pp. 139-147; “Secure Electronic Transactions: Credit Card Payment on the Web in Theory and Practice,” IBM International Technical Support Organization, June 1997).
However, current financial institutions associated with e-commerce do not address certain key issues. For example, the issues of scalability and transparency are not addressed. Rather, most of this research focuses on centralized infrastructure particular to the associated payment protocol. A second issue not addressed is the protection of the online financial infrastructure itself from intruders (i.e., from attackers). Furthermore, the volume of transactions created by trading both physical resources and higher level services is orders of magnitude larger than that assumed by typical e-cash protocols. Therefore, it becomes imperative to develop protocols with very low overheads in terms of: bandwidth; the information that needs to be stored; and the cost of the payment functionality itself.
Economic-based mechanisms for network resource management have focused on the efficient allocation of resources through the application of economics-based principles, and have provided insights on the role of prices and the operation of markets in a distributed network economy. See, for example, Kurose, J., M. Schwartz, and Y. Yemini, “A Microeconomic Approach to Optimization of Channel Access Policies in Multiaccess Networks,” Proc. of the 5th International Conference on Distributed Computer Systems, Denver, Colo., 1995; Sairamesh, J., D. Ferguson, and Y. Yemini, “An Approach to Pricing, Optimal Allocation and Quality of Service Provisioning in High-speed Packet Networks,” in Proc. of the Conference on Computer Communications, Boston, Mass., April 1995; and Y. Yemini, “Selfish Optimization in Computer Networks,” Proc. of the 20th IEEE Conference on Decision and Control, pp. 281-285, San Diego, Calif., December 1981, each of which is fully incorporated by reference. Such network resource management paradigms can be applied to the creation of a market system for trading access rights to resources, and for controlling prices as a means of achieving access control and protection of resources. However, the above-described electronic payment protocols and economics-based mechanisms for network resource management have not been applied to enhancing network security and protecting network resources from unwanted intrusions or attacks.
It is an object of the invention to overcome the deficiencies in the prior art. In particular, the present invention provides a unique approach to enhancing the security of an electronic system, such as a network, and protecting against unauthorized access to resources of the electronic system. The present invention, inter alia, provides a novel method and system which uses electronic security value units (i.e., a form of electronic security value “currency”) to prevent unauthorized access to resources and services (collectively, “resources”) in the electronic system by components of the system.