Typically, any computer system operated by a user in normal use relies on a number of system files, including program files and data files, some of which are not supposed to be modified frequently; these are called here "vital files". The same holds for devices operating unattended, such as NFS and other file servers, DNS/BIND and other name servers, database servers, communication servers, gateways, web servers, and any other server built on a computing device driven by an operating system.
In a network environment, the System Administrator is the only person authorized to modify those vital programs and system files, either on the computer itself or from a centralized monitoring computer (the Manager/Administrator machine). More and more crackers, hostile hackers or intruders try to compromise these files in order to gain access to the system later. New system flaws are regularly discovered, leading to so-called "exploits" that allow almost anybody, from inside or from outside a Company, to obtain System Administrator privileges, at least for a while. The means used include, but are not limited to, race conditions, buffer overflows, stack overflows, and the like.
As soon as the intruder gains System Administrator privileges, he/she will modify some system files and/or data files in order to re-enter the system more easily at a later time, should the hole he/she came in through be closed in the meantime.
The state of the art for detecting this kind of intrusion is first to compute the well-known "MD5 signature" (the MD5 message digest) of every vital file at installation time, before the computer is connected to any network, and then to store these digests in a safe place: on a diskette set read-only once written, on a CD-R, or on another computer on the network to which they are sent securely, either in an encrypted form that can be cross-checked or, preferably, in write-once/read-many storage. Whatever the medium, the reference digests must not be writable from the monitored host, since an intruder holding System Administrator privileges could otherwise simply recompute and replace them. Complete details of the MD5 computation are readily found in the literature, in particular in "The MD5 Message-Digest Algorithm" (R. Rivest, RFC 1321, MIT Laboratory for Computer Science and RSA Data Security, Inc., April 1992).
U.S. Pat. No. 5,440,723, assigned to the Assignee, discloses an automatic immune system for computers and computer networks. In the method it describes, a data processing system is monitored periodically for anomalous behavior that may indicate the presence of an undesirable software entity, and is scanned automatically for occurrences of known types of undesirable software entities. Remedial actions are taken when such an entity is discovered, among them extracting an identifying signature from its executable code portion and adding that signature to a signature database. Immediate use of the signature by a scanner protects the system, and also a network of systems, against subsequent infection by the same or an altered form of the undesirable software entity.
MD5-based solutions are implemented in some known commercial products, such as "Tripwire", free software in its former open-source versions and commercial software in its present licensed ones, or the "Enterprise Security Manager" product from Symantec Corporation.
Using the MD5 signature is an attractive approach, because changing just one bit in a file completely changes its MD5 signature, and because the intruder has no practical way to produce a modified file that keeps the same MD5 signature. So if a file is modified by an intruder, its MD5 signature necessarily changes. (The property relied on here is second-preimage resistance, for which no practical attack on MD5 is known; collision attacks on MD5 have nevertheless been published since this was written, so a present-day deployment of the same scheme would use SHA-256 or stronger.) It remains, however, that all the files have to be checked on a regular basis, by running an auto-checking procedure on each computer and collecting the results in a security log that is then analyzed by the System Administrator or by a software tool. The drawback of this approach is that if the checking is done too often, computer resources are heavily solicited, whereas if it is done at longer intervals, the intruder has more time to experiment with the compromised system before being detected.
In most client environments, as illustrated in FIG. 1-a, these checks are run every night, for example around 3 a.m., which leaves the intruder twelve hours on average to cause a lot of trouble on the system. Moreover he/she also has plenty of time to restore a sane situation before the check begins. Even the system time stamps associated with the last operations on each file can be reset by an intruder who has System Administrator access, thereby covering his/her traces, so a check that compares modification times instead of digests proves nothing. The local system logs are vulnerable in the same way.
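As an added example, not part of the patent text and not the Tripwire or ESM implementation, the following Python program carries out the baseline-and-verify scheme described above: digests of the vital files are recorded once, written out as a baseline, and later recomputed and compared. The vital files, their contents, the attacker's edit and the time-stamp restoration are all constructed in a temporary directory for the demonstration, and SHA-256 stands in for the MD5 of the original description. The point it shows is that the digest check still reports the modified file even though the attacker put its modification time back exactly as it was.

```python
"""Baseline-and-verify integrity check of "vital files".

Added example, not code from the patent or from Tripwire/ESM.
Assumptions: the files below are constructed in a temporary directory;
SHA-256 stands in for the MD5 of the original description.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

DIGEST = "sha256"   # the described scheme used MD5; SHA-256 is the current choice


def file_digest(path, algorithm=DIGEST):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(vital_files, algorithm=DIGEST):
    """Computed once, at installation time and before the host joins a network.

    The modification time is recorded only so the demo can show that it
    cannot be trusted; verification relies on the digest alone.
    """
    baseline = {}
    for p in vital_files:
        p = Path(p)
        baseline[str(p)] = {"digest": file_digest(p, algorithm),
                            "mtime_ns": p.stat().st_mtime_ns}
    return baseline


def write_baseline(baseline, dest):
    """Serialize the baseline. Mode 0444 stops nobody who holds root; the copy
    that matters is the one kept off-host or on write-once media."""
    dest = Path(dest)
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))
    os.chmod(dest, 0o444)
    return dest


def verify(baseline, algorithm=DIGEST):
    """Recompute every digest; return one security-log line per discrepancy."""
    findings = []
    for name, rec in baseline.items():
        p = Path(name)
        if not p.exists():
            findings.append(f"MISSING {name}")
            continue
        if file_digest(p, algorithm) != rec["digest"]:
            stamp = ("mtime unchanged" if p.stat().st_mtime_ns == rec["mtime_ns"]
                     else "mtime changed")
            findings.append(f"MODIFIED {name} ({stamp})")
    return findings


def demo():
    """Constructed scenario: two vital files, one tampered with by an attacker
    who then restores its time stamps; returns the verify() findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        passwd = root / "passwd"
        login = root / "login"
        passwd.write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")            # constructed
        login.write_bytes(b"\x7fELF\x02\x01\x01 original login binary\n")  # constructed
        baseline = build_baseline([passwd, login])
        write_baseline(baseline, root / "baseline.json")

        # Attacker with System Administrator privileges: add a back-door
        # account, then put the access/modification times back as they were.
        st = passwd.stat()
        with open(passwd, "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/sh\n")
        os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))

        return verify(baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)   # MODIFIED <tmpdir>/passwd (mtime unchanged)
```

Running the script reports the tampered `passwd` entry with its modification time unchanged, which is exactly the case a time-stamp-based check would miss. The inode change time (ctime) cannot be set through `utime`, but an attacker with root can move the system clock before touching the file, so it is no safer a basis for the check than mtime; only the digest comparison against an off-host baseline holds up.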
Thus, there is a need for a system and method for detecting hostile intrusions that does not consume resources needlessly and that operates in real time, by using a system interrupt whenever a vital file is opened for modification.
The subject invention herein solves the aforementioned problems in a new and unique manner that has not been part of the art previously.