As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, theft of information, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all of these attacks will be generally referred to hereafter as computer malware, or more simply, malware.
When a computer system is attacked or “infected” by a computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which a computer malware is commonly distributed. As shown in FIG. 1, the typical exemplary networked environment 100 includes a plurality of computers 102-108, all interconnected via a communication network 110, such as an intranet, or via a larger communication network, including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computer connected to the network 110, such as computer 102, develops a computer malware 112 and releases it on the network 110. The released computer malware 112 is received by and infects one or more computers, such as computer 104, as indicated by arrow 114. As is typical with many computer malware, once infected, computer 104 is used to infect other computers, such as computer 106, as indicated by arrow 116, which in turn, infects yet other computers, such as computer 108, as indicated by arrow 118.
As antivirus software has become more sophisticated and efficient at recognizing thousands of known computer malware, so too have the computer malware become more sophisticated. For example, many recent computer malware are now polymorphic or, in other words, they have no identifiable pattern or “signature” by which they can be recognized by antivirus software in transit. These polymorphic malware are frequently unrecognizable by antivirus software because they modify themselves before propagating to another computer system.
As vulnerabilities are identified and addressed in an operating system or other computer system components, such as device drivers and software applications, the operating system provider will typically release a software update to remedy the vulnerability. These updates, frequently referred to as patches, should be installed on a computer system in order to secure the computer system from the identified vulnerabilities. However, these updates are, in essence, code changes to components of the operating system, device drivers, or software applications. As such, they cannot be released as rapidly and freely as antivirus updates from antivirus software providers. Because these updates are code changes, the software updates require substantial in-house testing prior to being released to the public.
Under the present system of identifying malware and addressing vulnerabilities, computers are susceptible to being attacked by malware in certain circumstances. For example, a computer user may not install patches and/or updates to antivirus software. In this instance, malware may propagate on a network between computers that have not been adequately protected against the malware. However, even when a user regularly updates a computer, there is a period of time, referred to hereafter as a vulnerability window, that exists between when a new computer malware is released on the network and when antivirus software on an operating system component may be updated to protect the computer system from the malware. As the name suggests, it is during this vulnerability window that a computer system is vulnerable, or exposed, to the new computer malware.
FIG. 2 is a block diagram of an exemplary timeline that illustrates a vulnerability window. In regard to the following discussion, significant times or events will be identified and referred to as events in regard to a timeline. While most malware released today are based on known vulnerabilities, occasionally, a computer malware is released on the network 110 that takes advantage of a previously unknown vulnerability. FIG. 2 illustrates a vulnerability window 204 with regard to a timeline 200 under this scenario. Thus, as shown on the timeline 200, at event 202, a malware author releases a new computer malware. As this is a new computer malware, there is neither an operating system patch nor an antivirus update available to protect vulnerable computer systems from the malware. Correspondingly, the vulnerability window 204 is opened.
At some point after the new computer malware is circulating on the network 110, the operating system provider and/or the antivirus software provider detect the new computer malware, as indicated by event 206. As those skilled in the art will appreciate, typically, the presence of the new computer malware is detected within a matter of hours by both the operating system provider and the antivirus software provider.
Once the computer malware is detected, the antivirus software provider can begin its process to identify a pattern or “signature” by which the antivirus software may recognize the computer malware. Similarly, the operating system provider begins its process to analyze the computer malware to determine whether the operating system must be patched to protect it from the computer malware. As a result of these parallel efforts, at event 208, the operating system provider and/or the antivirus software provider releases an update, i.e., a software patch to the operating system or antivirus software, which addresses the computer malware. Subsequently, at event 210, the update is installed on a user's computer system, thereby protecting the computer system and bringing the vulnerability window 204 to a close.
As can be seen from the examples described above—which is only representative of all of the possible scenarios in which computer malware pose security threats to a computer system—a vulnerability window 204 exists between the times that a computer malware 112 is released on a network 110 and when a corresponding update is installed on a user's computer system. Sadly, whether the vulnerability window 104 is large or small, an infected computer costs the computer's owner substantial amounts of money to “disinfect” and repair. This cost can be enormous when dealing with large corporations or entities that may have thousands or hundreds of thousands of devices attached to the network 110. Such a cost is further amplified by the possibility that the malware may tamper or destroy user data, all of which may be extremely difficult or impossible to trace and remedy.
To counter the threats presented by malware, an increasing number of anti-malware services and other event detection systems have been developed to monitor entry points and/or data streams for different types of malware. For example, in the context of anti-malware services, many computers now employ firewalls, behavior blockers, and anti-spyware systems to protect a computer in addition to traditional antivirus software. Those skilled in the art and others will recognize that anti-malware services are typically capable of identifying (1) code and/or activities that are known to be characteristic of malware, and (2) code and/or activities that are “suspicious” or potentially characteristic of malware. When code and/or activities that are known to be characteristic of malware are identified, a malware handling routine will be used to “disinfect” or remove the malware from the computer. However, in instances when code and/or activities are identified that are suspicious, the anti-malware services may not have enough information to declare, with sufficient accuracy, that the code and/or activities are actually characteristic of malware. Moreover, other event detection systems have been developed to monitor entry points, data streams, computer attributes and/or activities, for a variety of number of different purposes. For example, some operating systems track the amount of processing performed by a Central Processing Unit (“CPU”), as well as certain significant “events” related to a computer that may be useful when proactively protecting a computer from malware.