Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capacities in order to cause denial of service, and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
As is known in the art, a common method of detecting the foregoing threats is to use a scanning engine to scan for known attacks against computers. These attacks can be identified by their unique “malware signature” which generally consists of a string of binary or text data. Upon the detection of an malware signature by the scanning engine, protective measures can be taken, including: sending alerts; intercepting harmful traffic; or disconnecting users who launch attacks.
Using the foregoing method, the scanner reads data from a disk or any other type memory associated with the computer. Once read, the scanner compares the data against a large number of known malware signatures. If a match is found, the protective measures may be executed.
As the number of known malware signatures increases, the aforementioned comparison step increases accordingly, elongating the scanning process. While the size of the list of malware signatures contributes to the overall delay in the scanning process, no other factor increases such delay as much as the time it takes to read the actual data to be scanned.
In fact, as much as 40% of the time taken to scan data for viruses is due to reading such data from a disk. In prior art systems, disk read performance is usually improved by using a ‘disk cache’ to store data in fast RAM memory as it is read. The next time the data is required from slower memory, it is often already available in faster RAM memory. Unfortunately, one problem with this technique is that the scanner still has to wait for the data to be read in the first place before it can be placed in the cache.
There is thus a need for a technique of minimizing the delay contributable to reading data from memory during the scanning process.