This invention relates to computer security and particularly to computer intrusion detection whereby access to a target server is monitored.
Computer networks typically include a server computer (“server”) and a plurality of client computers (“clients”) coupled to permit access by clients to resources on the server. Security of servers on the Internet and other insecure networks is a major concern. Configuration errors and bugs in widely used proprietary and open source software packages allow attackers to enter and gain control of servers. The attackers can then steal proprietary information, destroy the information, or even destroy the file system of the server, rendering it useless. Even worse, attackers can surreptitiously alter the server's system so that they have ongoing control over it. Once an attacker has established ongoing control over a server's system, they can use it to capture sensitive information or to attack other machines on the network. If the attacker's intrusions go undetected, the damage potential is virtually unlimited. Thus, it is desirable to detect intrusions in a timely manner. Preferably such intrusions should be prevented.
Some previous approaches to detecting network intrusion by an attacker have attempted to detect changes in the running system's file system or behavior. For example, the open source Tripwire system computes a hash of the contents of specified system files and stores the hashes of the system files in a database. Then, periodically or on command, the Tripwire system computes the hash values of the files and compares these recomputed values to the database values. If a difference is found, it implies a change to the system files. Assuming no authorized changes have occurred to the system files, changed hash values indicate an intrusion has occurred. Other intrusion detection tools try to discover file system changes by inspecting file modification dates.
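The hash-and-compare scheme described above, as an added example that is not part of this document and not Tripwire's own code. It builds a baseline of SHA-256 digests for a set of files, later recomputes them, and reports files whose contents changed or that disappeared. The file names and contents are constructed for the demonstration; the baseline here lives only in the checker's memory, which is the point the next paragraph takes up: wherever that database is stored is what an attacker must be unable to rewrite.

```python
import hashlib
import os
import tempfile


def file_hash(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Hash every monitored file once; this dict is the trusted reference database."""
    return {path: file_hash(path) for path in paths}


def check_baseline(baseline):
    """Recompute every hash and report files whose contents no longer match the
    baseline or that are missing. Every entry in 'changed' or 'missing' is either
    an authorized change or evidence of an intrusion."""
    report = {"changed": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
        elif file_hash(path) != expected:
            report["changed"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: three stand-in 'system commands' are baselined, then
    one is overwritten and one is deleted. Returns the report keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        ls, sh, cat = (os.path.join(d, n) for n in ("ls", "sh", "cat"))
        for path, body in ((ls, b"original ls"), (sh, b"original sh"), (cat, b"original cat")):
            with open(path, "wb") as f:
                f.write(body)
        baseline = build_baseline([ls, sh, cat])
        # Simulated tampering after the baseline was taken: ls replaced, sh removed.
        with open(ls, "wb") as f:
            f.write(b"replaced ls")
        os.remove(sh)
        report = check_baseline(baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Comparing digests rather than modification dates means a tampered file is detected even when its timestamp has been restored; the remaining weakness, discussed next, is the integrity of the baseline itself.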
The above described intrusion detection systems are vulnerable to defeat by an attacker because the information that is used to infer changes is stored locally on the compromised system. Thus, the attacker can alter the stored information to defeat the detection technique. For example, a common technique used by attackers to avoid intrusion detection is to install a “root kit.” The root kit includes an altered set of commands (such as a directory listing command that fails to display the correct alteration dates of system command files) that mask the actions of the attacker while allowing the attacker unfettered access to the server.
Another common intrusion detection approach attempts to detect abnormal network traffic patterns emanating from the server. While this can work if the normal traffic patterns are well enough defined and different from the traffic pattern an attacker may wish to exploit, these are stringent conditions and do not apply in many cases. In particular, a prudent attacker can generate traffic patterns into which the malicious traffic is then embedded as a small “noise” signal. Finally, such approaches are unlikely to counter the problem of the attacker stealing or destroying the sensitive information on the server itself.
The disclosed method for computer network intrusion detection is implemented on a computer network including a target server, a client on the network and a monitoring server coupled to the target server. The target server is accessible by a client on the network and administered by a system administrator capable of authorizing attempts to execute software on the target server. The method comprises loading monitored latent software on the target server and monitoring it. Attempts to execute the monitored latent software on the target server from the client are received, and it is determined whether the attempt to execute the monitored latent software by the client is authorized prior to completely executing the monitored latent software. When the attempt to execute the monitored latent software is not authorized, a message is sent to the system administrator and the execution of the monitored latent software is aborted prior to completion.
Another disclosed method for computer network intrusion detection is implemented on a computer network including a target server and a monitoring server. The target server is accessible by a plurality of clients on the network and administered by a system administrator capable of authorizing attempts by a client on the network to execute software on the target server. The method includes distinguishing between active software and latent software resident on the target server and permitting attempts to execute active software on the target server by any of the plurality of clients. A client of the plurality of clients is authorized to attempt to execute latent software on the target server thereby defining an authorized client. Attempts to execute latent software on the target server are received from a client of the plurality of clients thereby defining an attempting client. It is determined whether the attempting client is the authorized client prior to completely executing the latent software on the target server. When the attempting client is not the authorized client, a message is sent to the system administrator and execution of the monitored latent software is aborted prior to completion.
A disclosed computer system administered by a system administrator and accessible by a client on an external network includes a target server coupled to the external network and configured to receive connections from the client and to receive requests from the client to execute software thereon, an interface with the system administrator, and a monitoring server coupled to the target server but not directly accessible on the external network by the client. The monitoring server has authorization data resident thereon and administration software accessible through the interface for administering the authorization data. The target server includes software resident thereon having an authorization subroutine for sending a query to the monitoring server indicating that the client is requesting to execute the software and receiving a response from the monitoring server indicating that the client is authorized to execute the software prior to successfully completing execution of the software for the client. The monitoring server includes a subroutine thereon for receiving the query from the target server, accessing the authorization data to determine whether the client is authorized to execute the software on the target server, sending a response to the target server indicating that the client is authorized to execute the software or the client is not authorized to execute the software, and sending a message through the interface to the system administrator if the client is not authorized to execute the software.
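The target-server/monitoring-server exchange described in the preceding three paragraphs, as an added example that is not part of this document or of any product implementing it. The monitoring server holds the authorization data and the administrator interface (here a list of messages); the target server distinguishes active software, which runs for any client, from latent software, whose authorization subroutine queries the monitoring server before the program does anything. The JSON message layout, the program names, and the client addresses are assumptions, and the private link between the two servers is modelled as an in-process call so the example runs offline.

```python
import json

# Constructed authorization data resident on the monitoring server: for each
# latent program, the set of client addresses authorized to execute it.
AUTHORIZATION_DATA = {
    "passwd": {"10.0.0.5"},   # only the administrator's workstation (hypothetical)
    "useradd": {"10.0.0.5"},
}


class MonitoringServer:
    """Keeps the authorization data off the target server and reports to the
    administrator; it is never reachable from the external network."""

    def __init__(self, authorization_data):
        self.authorization_data = authorization_data
        self.admin_messages = []   # stands in for the administrator interface

    def handle_query(self, raw):
        """Receive a query, consult the authorization data, answer the target
        server, and alert the administrator on any unauthorized attempt."""
        query = json.loads(raw.decode())
        client, program, target = query["client"], query["program"], query["target"]
        authorized = client in self.authorization_data.get(program, set())
        if not authorized:
            self.admin_messages.append(
                f"ALERT: client {client} attempted to execute latent program "
                f"'{program}' on target server {target}")
        return json.dumps({"program": program, "client": client,
                           "authorized": authorized}).encode()


class TargetServer:
    """Runs active software for anyone; runs latent software only after the
    monitoring server confirms the requesting client is the authorized one."""

    def __init__(self, name, send_query, active, latent):
        self.name = name
        self.send_query = send_query   # channel to the monitoring server
        self.active = active           # program name -> callable
        self.latent = latent           # program name -> callable (monitored)

    def execute(self, client, program):
        if program in self.active:
            return self.active[program]()
        if program not in self.latent:
            raise KeyError(f"no such program: {program}")
        # Authorization subroutine: ask before the latent program does any work.
        query = json.dumps({"target": self.name, "client": client,
                            "program": program}).encode()
        try:
            response = json.loads(self.send_query(query).decode())
        except Exception:
            # Fail closed: no answer from the monitoring server means no execution.
            return "aborted"
        if not response.get("authorized"):
            return "aborted"
        return self.latent[program]()


def run_scenario():
    """Constructed scenario: one external web client and the administrator's
    workstation each try the active 'httpd' and the latent 'passwd' program."""
    monitor = MonitoringServer(AUTHORIZATION_DATA)
    runs = {"passwd": 0}

    def passwd():
        runs["passwd"] += 1          # counts how often the latent program really ran
        return "ok: passwd"

    target = TargetServer(
        "www1", monitor.handle_query,
        active={"httpd": lambda: "ok: httpd"},
        latent={"passwd": passwd, "useradd": lambda: "ok: useradd"},
    )
    results = {
        "web_client_httpd": target.execute("198.51.100.7", "httpd"),
        "web_client_passwd": target.execute("198.51.100.7", "passwd"),
        "admin_passwd": target.execute("10.0.0.5", "passwd"),
        "passwd_runs": runs["passwd"],
        "alerts": list(monitor.admin_messages),
    }
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "->", v)
```

Two design points matter for the scheme to hold up: the target server aborts whenever the monitoring server does not answer, so cutting the link between the two does not unlock the latent programs, and the administrator message is generated on the monitoring server, where a root kit on the target cannot suppress it.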
Additional features and advantages of the invention will become apparent to those skilled in the art upon consideration of the following detailed description of illustrated embodiments exemplifying the best mode of carrying out the invention as presently perceived.