1. Field of the Invention
The present invention relates generally to computer security and, more particularly, to a system and methodology for detecting and preventing intrusions on a per-application basis.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, however, more and more computers are connected to larger networks. Providing access to vast stores of information, the Internet is typically accessed by users through Web “browsers” (e.g., Microsoft® Internet Explorer or Netscape Navigator) or other Internet applications. Browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or “Web” site. In the last several years, the Internet has become pervasive and is used not only by corporations, but also by a large number of small businesses and individual users for a wide range of purposes.
As more and more computers are now connected to the Internet, either directly (e.g., over a dial-up or broadband connection with an Internet Service Provider or “ISP”) or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously closed computing environments are now open to a worldwide network of computer systems. A particular set of challenges involves attacks by perpetrators (hackers) capable of damaging the local computer systems, misusing those systems, and/or stealing proprietary data and programs.
The software industry has, in response, introduced a number of products and technologies to address and minimize these threats, including “firewalls”, proxy servers, and similar technologies—all designed to keep malicious users (e.g., hackers) from penetrating a computer system or corporate network. Firewalls are applications that intercept the data traffic at the gateway to a Wide Area Network (“WAN”) and check the data packets (i.e., Internet Protocol packets or “IP packets”) being exchanged for suspicious or unwanted activities.
Another security measure that has been utilized by many users is to install an end point security (or personal firewall) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. One such product is assignee's ZoneAlarm® product that is described in detail in U.S. Pat. No. 5,987,611, the disclosure of which is hereby incorporated by reference. For example, an end point security product may permit specific “trusted” applications to access the Internet while denying access to other applications on a user's computer. To a large extent, restricting access to “trusted” applications is an effective security method. However, despite the effectiveness of end point security products, issues remain in protecting computer systems against attack by malicious users and applications.
One problem that remains is that trusted applications often have known vulnerabilities that make them susceptible to attack or exploitation by hackers and other malicious users. A vulnerability is a feature or a combination of features of a system that allows a malicious adversary to place the system in a state that is contrary to the desires of the user(s) of the system and that increases the risk (probability or consequence) of undesirable behavior. These vulnerabilities may include, for example, coding errors in applications, means for bypassing certain security safeguards, and the like. An example of a vulnerability is a program with a buffer that can be overflowed with data supplied by the invoker. The vulnerability may also prevent the successful implementation of a particular security policy for the system.
In an ideal case, a user or system administrator who is informed that a program (e.g., application) he or she is using has known vulnerabilities will upgrade the program (e.g., apply a patch) in order to address the specific vulnerabilities that have been discovered. However, in many cases, applying a patch or otherwise upgrading an application to address known problems is not practicable. One problem is that certain widely used programs (e.g., for the Microsoft Windows environment) may require frequent application of patches to address security vulnerabilities. The sheer volume of patches that may be required can deter many users from applying them.
Another obstacle is that applying a patch may cause other problems. Users testing patches before applying them sometimes encounter conflicts and incompatibilities with other programs and/or errors in the patches. These conflicts and errors generally result from the fact that patches are released with little or no testing in an attempt to rapidly respond to reported errors and vulnerabilities. Because patches are usually not subjected to rigorous testing (e.g., beta test programs), they may sometimes introduce more problems than they solve. Many users, particularly more experienced users, are reluctant to install patches for this reason.
Users are also deterred from applying patches by the fact that in many cases the patches that need to be applied are quite large (e.g., in the case of operating system patches). In particular, the size of download files may deter users that only have limited bandwidth available for file downloads (e.g., users with a dial-up connection to the Internet). For reasons such as these, many users do not apply all patches and continue to use applications with known vulnerabilities for extended periods of time.
Another alternative for protecting against known system vulnerabilities is to use intrusion detection and/or intrusion prevention solutions. Typically, both intrusion detection and intrusion prevention solutions work by monitoring the traffic on the network, noting which devices are communicating with each other, and categorizing the types of traffic interacting with those devices. Traffic patterns are then compared against known attack or exploit signatures. Generally, an attack is an action conducted by an adversary or intruder with a specific objective in mind against a victim. From the perspective of the victim (e.g., a user or administrator responsible for maintaining a system), an attack is a set of one or more events that may have one or more security consequences. An exploit is the process of using a system vulnerability to violate a system security policy. A tool or defined method that could be used to violate a security policy is often referred to as an exploit script. An exploit seeks, in some way, to take advantage of a vulnerability in a system in the pursuit or achievement of some objective. All vulnerability exploitations are attacks, but not all attacks exploit vulnerabilities. For purposes of the following discussion, both attacks and exploits will generally be referred to as “exploits” or “intrusions”.
Intrusion detection and prevention solutions seek to detect and prevent intrusions (i.e., attacks and exploits). These solutions typically use known signatures to recognize traffic patterns (pattern-matching), similar to the way anti-virus products use known signatures to recognize viruses. The signatures are often based on malicious TCP/IP packets, since hackers commonly try to manipulate those packets to perform a malicious action. Intrusion detection solutions report (i.e., warn the user of) patterns that indicate a possible attack (e.g., based upon certain thresholds and severity levels). Intrusion prevention solutions go further by blocking suspicious traffic, terminating the connection, reconfiguring selected firewalls, or taking other actions in response to the detection of any intrusion.
A problem with current intrusion detection and intrusion prevention solutions (sometimes referred to herein as “IDS”) is that these solutions are notorious for reporting a large number of “false positives”. A false positive is an event which is incorrectly identified by the IDS as being an intrusion when none has occurred. In other words, current solutions frequently report and/or block innocent traffic. Blocking innocent traffic, in particular, can be problematic as it introduces the possibility of random network failure based on the (incorrect) matching of traffic with signatures of known exploits. On the other hand, if the IDS uses narrower pattern-matching criteria, then it is less effective, as the IDS only recognizes common instances of known exploits and may not detect attacks having minor variations from the common case. For example, a personal computer may be subject to an RPC (remote procedure call) exploit because of a vulnerability of the operating system. If the pattern-matching criteria are defined narrowly (e.g., so as to avoid issuance of “false positives”), then the IDS may detect an MS-Blast attack, but not the entire class of RPC exploits to which the computer may be vulnerable. In practice, providing greater security using current intrusion detection/prevention solutions comes at the expense of requiring the user (or administrator) to sort through a larger number of reported attacks that turn out to be false positives.
Another limitation of current solutions is in handling encrypted traffic. Message encryption is a problem, especially for network-based intrusion systems. Encryption makes the practice of looking for particular patterns in packet bodies difficult if not impossible using current solutions. Useful analysis can be performed only after the message has been decrypted on the target host, and this often occurs within a specific application or at a level which cannot be detected by current intrusion detection/prevention solutions.
What is needed is a solution that can determine which specific exploits may apply in particular circumstances, enabling a more focused examination of whether particular traffic matches the patterns of those exploits. Ideally, the solution should enable intrusions to be more accurately detected and prevented, while also minimizing the number of false positives that are generated by the solution. The present invention provides a solution for these and other needs.
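The trade-off between narrow and broad signatures described above, and the effect of scoping signatures to the application that actually receives the traffic, can be made concrete with the following added example (illustrative code written for this page, not the patented implementation). The application names, signature patterns and payloads are constructed placeholders, not real exploit signatures.

```python
"""Toy signature IDS: narrow vs. broad signatures, global vs. per-application scope.
All patterns, application names and payloads below are constructed placeholders."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # constructed regex applied to the payload
    applies_to: frozenset   # applications whose known vulnerability this exploit targets

@dataclass(frozen=True)
class Event:
    app: str                # application that receives the payload
    payload: bytes
    is_attack: bool         # ground truth, used only for scoring

# Narrow: matches one well-known instance of a (constructed) RPC exploit.
NARROW = Signature("rpc-narrow", rb"^RPC-EXPLOIT-V1$", frozenset({"rpcss"}))
# Broad: whole class of overflow-style payloads (64 or more repeats of one byte).
BROAD = Signature("rpc-class", rb"(.)\1{63}", frozenset({"rpcss"}))
SIGNATURES = [NARROW, BROAD]

EVENTS = [                                          # constructed traffic sample
    Event("rpcss", b"RPC-EXPLOIT-V1", True),        # the common instance
    Event("rpcss", b"A" * 80, True),                # variant of the same class
    Event("httpd", b"A" * 80, False),               # innocent padding sent to a web server
    Event("rpcss", b"ordinary bind request", False),
]

def detect(events, signatures, scope_by_app):
    """Return (event index, signature name) alerts.
    scope_by_app=False tests every signature against every packet, like a network
    IDS; True only tests signatures for vulnerabilities of the receiving application."""
    alerts = []
    for i, ev in enumerate(events):
        for sig in signatures:
            if scope_by_app and ev.app not in sig.applies_to:
                continue
            if re.search(sig.pattern, ev.payload, re.S):
                alerts.append((i, sig.name))
    return alerts

def score(alerts, events):
    """(true positives, false positives, missed attacks) for a set of alerts."""
    flagged = {i for i, _ in alerts}
    tp = sum(1 for i in flagged if events[i].is_attack)
    fn = sum(1 for i, ev in enumerate(events) if ev.is_attack and i not in flagged)
    return tp, len(flagged) - tp, fn

if __name__ == "__main__":
    print("narrow only  :", score(detect(EVENTS, [NARROW], False), EVENTS))
    print("broad, global:", score(detect(EVENTS, SIGNATURES, False), EVENTS))
    print("broad, per-app:", score(detect(EVENTS, SIGNATURES, True), EVENTS))
```

The narrow signature alone misses the variant; the broad one catches it but, applied to all traffic, flags the innocent web upload, and only the per-application scope yields both attacks with no false positive.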