1. Field of the Invention
The invention relates to defenses against software attacks in distributed computing environments; examples might include (a) attacks from distributed locations, authentic or “spoofed,” and (b) attacks from within an environment intended to be maintained secure.
2. Related Art
Organizations that are coupled to a distributed computing environment, such as for example, the Internet, or an intranet, are subject to attacks from hostile devices or software coupled to that same distributed computing environment.
Possible Attacks
(1) A first set of possible attacks include DOS (denial of service) attacks, in which one or more hostile devices or software attempt to prevent the target from being able to service legitimate network traffic. The targeted device (or a device along the way to the target device, such as a network router, switch, firewall, load balancer, or the like) is prevented from being able to service legitimate network traffic because it becomes overloaded—reviewing and discarding spoofed request messages, which have no real interest in actually obtaining the offered service. This can cause denial, disruption, or slowing of service; corruption or deletion of data; or otherwise interfere with productive activities. Where the attacked device is important for providing a critical service, the interference with that critical service can cause serious damage.
When a single hostile device attacks the target, the attacker typically spoofs its origin address, so that the attacker cannot determine from where the traffic originates, and thus cannot easily distinguish attack traffic from legitimate traffic.
Alternatively, a single hostile device might take control of multiple insecure devices, sometimes known as “zombie attackers”, and direct those zombie attackers to make the DOS attack on its behalf. It is also common for the multiple zombie attackers to spoof their origin addresses.
(2) A second set of possible attacks also include “worm” attacks, in which hostile software attempts to propagate itself to multiple targets, and from each of those targets, to continue to spread, much like a biological infection. The speed of worm propagation is important. For example, a worm that moves slowly would not manifest itself by elevated traffic whereas a fast moving worm (or a “zero-day worm,” that is, a worm in operation before it is discovered and a defense developed to it) is likely to exhibit elevated traffic in its attempts to self-propagate.
In their simplest form, “worm” attacks effectively create a distributed DOS attack, because the resources of the infected devices are hijacked into propagating the worm, rather than doing the productive work they were originally intended to perform. Many-to-one attacks (like the multi-zombie based attacks described above) are distinct from the one-to-many attacks that characterize each phase of a worm's propagation. In one case, a single victim is attacked by multiple points, whereas in the other case, a single attacker attempts to “infect” multiple points. Spoofing can be used in both instances to obfuscate the identity of the attacker.
In more malicious forms, “worm” attacks might directly attempt to corrupt or delete data, or to send information back to the worm's originator, in an effort to degrade the computing resources or intellectual property of the attacked device. Some “worm” attacks are also known to be pre-set to perform their damage on the occurrence of a selected condition, such as at say, 11:38 p.m., Jan. 13, 2006, or some other malicious date and time.
Once having penetrated security of an enterprise network, a “worm” attack can continue to spread within that enterprise network, even after many of its copies have been rooted out and deleted. Moreover, that “worm” attack can use the resources of the enterprise network to attack other target devices outside the enterprise network.
(3) A third set of possible attacks include “spam” attacks, in which a relatively large number of messages that are unsolicited and unwanted, are distributed to receiving users throughout the network. This is an example of an outside-in one-tomany attack whereby a single payload (such as for example a spam email) is dispersed to multiple destination points (email recipients) while the identity of the originating point (sender) might be spoofed.
Spam attacks are often difficult to distinguish from legitimate traffic because they might require a human user to read the message to make the distinction. For example, spam attacks might be difficult to distinguish from newsletters or from advertising material the recipient is actually interested in. The danger of a false positive error (marking legitimate traffic as spam) is sometimes considered too risky to aggressively remove spam traffic.
In such cases, the additional burden on the attacked device (for processing the spam traffic) and on its human users (for reading the spam traffic) can impose substantial financial costs.
Known Solutions
Known solutions attempt to distinguish attack traffic from legitimate traffic.
(1) One known solution is to interpose a security device between the target device and the rest of the network.
However, it might be difficult for the security device to make the distinction between attack traffic and legitimate traffic near the target device, especially when the attack traffic uses spoofed addresses whose actual origination cannot be inferred near the destination.
Moreover, interposing the security device does not entirely eliminate collateral damage to the network, such as in the form of increased load. And a relatively large attack directed at a relatively weak security device might cause that security device to fail entirely.
(2) A second known solution is to interpose security devices throughout a local network. However, this approach generally limits the multiple devices to a local 6 network, and generally limits the architecture of the system to multiple collectors and single controllers.
However, similar to using a single security device, it might be difficult for multiple security devices to make the distinction between attack traffic and legitimate traffic.
Moreover, due to the relatively larger size of networks using multiple security devices, it might occur that the relatively large amount of network traffic would cause only relatively large attacks to be noticed. And due to the relatively larger size of those networks, each security device might have relatively little in the way of resources (such as for example, communication bandwidth, computing power, or memory), to devote to distinguishing between attack traffic and legitimate traffic.
Accordingly, it would be advantageous to provide a technique for defending against software attacks that is not subject to drawbacks of the known art.