1. Field of the Invention
The present invention relates to a technique for detecting, at an early stage, viruses and worms that infect servers and PCs connected to a network, and for isolating the infected machines, using an existing network management technique, for example, the simple network management protocol (SNMP), so as to prevent damage by viruses and worms.
The present invention can detect and control an unauthorized access program without installing special software on each network device and computer, in a network system in which network management is already implemented.
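As an added illustration of the SNMP-based approach named above, and not code from the patent itself, the following Python example polls no real device: it takes constructed IF-MIB counter readings for three switch ports, computes per-port packet rate and average packet size over a poll interval (handling Counter32 wrap-around), flags a port whose traffic looks like worm scanning, and builds the ifAdminStatus SET varbind that would isolate that port. The OIDs are the standard IF-MIB ones; the baseline rate, the 10x factor, the 128-byte size threshold and the one-host-per-port layout are assumptions chosen for the example.

```python
"""Added example, not from the patent: flag a worm-like host from SNMP IF-MIB
counters polled from a switch, then build the SNMP SET that isolates its port.

Assumptions (chosen for this example): the switch exposes 32-bit IF-MIB counters
ifInUcastPkts (1.3.6.1.2.1.2.2.1.11) and ifInOctets (1.3.6.1.2.1.2.2.1.10), one
end host per access port, and isolation is done by setting ifAdminStatus
(1.3.6.1.2.1.2.2.1.7) to down(2). The poll results are constructed inline so the
example runs offline; a real deployment would obtain them with SNMP GET/GETBULK.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTER32_MODULUS = 2 ** 32
OID_IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"
IF_ADMIN_DOWN = 2


@dataclass(frozen=True)
class Sample:
    ifindex: int      # switch port (IF-MIB ifIndex)
    t: float          # poll time in seconds
    in_pkts: int      # ifInUcastPkts reading
    in_octets: int    # ifInOctets reading


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Difference of two readings of a monotonic SNMP Counter32.

    Counter32 wraps at 2^32; a reading smaller than the previous one is
    treated as a single wrap, which is valid as long as the poll interval is
    short enough that the counter cannot wrap twice between readings.
    """
    return new - old if new >= old else new + modulus - old


def port_rates(prev: Sample, cur: Sample) -> Tuple[float, float]:
    """Return (packets per second, average inbound packet size in octets)."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    pkts = counter_delta(prev.in_pkts, cur.in_pkts)
    octets = counter_delta(prev.in_octets, cur.in_octets)
    pps = pkts / dt
    avg_size = octets / pkts if pkts else 0.0
    return pps, avg_size


def looks_like_scanning(pps: float, avg_size: float, baseline_pps: float,
                        pps_factor: float = 10.0, small_pkt: float = 128.0) -> bool:
    """Heuristic: scanning worms send many small packets (SYNs, probes).

    A bulk transfer also raises the packet rate, but with large packets, so
    both conditions must hold before a port is flagged.
    """
    return pps > pps_factor * baseline_pps and avg_size < small_pkt


def isolation_varbind(ifindex: int) -> Tuple[str, int]:
    """SNMP SET varbind (OID, value) that administratively shuts the port."""
    return (f"{OID_IF_ADMIN_STATUS}.{ifindex}", IF_ADMIN_DOWN)


def analyze(samples: List[Sample], baseline_pps: float) -> Dict[int, dict]:
    """Evaluate the latest poll interval of every port present in `samples`."""
    by_port: Dict[int, List[Sample]] = {}
    for s in samples:
        by_port.setdefault(s.ifindex, []).append(s)
    result: Dict[int, dict] = {}
    for ifindex, history in by_port.items():
        history.sort(key=lambda s: s.t)
        if len(history) < 2:
            continue  # two readings are needed to compute a rate
        pps, avg_size = port_rates(history[-2], history[-1])
        flagged = looks_like_scanning(pps, avg_size, baseline_pps)
        result[ifindex] = {
            "pps": pps,
            "avg_size": avg_size,
            "isolate": isolation_varbind(ifindex) if flagged else None,
        }
    return result


# Constructed poll data: two readings, 60 s apart, for three access ports.
# Port 1: idle desktop. Port 2: worm scanning with 64-byte probes; its octet
# counter wraps between the readings. Port 3: large file transfer (big packets).
SAMPLES = [
    Sample(1, 0.0, 5_000, 1_000_000),
    Sample(1, 60.0, 5_600, 1_480_000),
    Sample(2, 0.0, 123_456, COUNTER32_MODULUS - 1_000),
    Sample(2, 60.0, 183_456, (COUNTER32_MODULUS - 1_000 + 3_840_000) % COUNTER32_MODULUS),
    Sample(3, 0.0, 90_000, 0),
    Sample(3, 60.0, 120_000, 42_000_000),
]

if __name__ == "__main__":
    for ifindex, r in sorted(analyze(SAMPLES, baseline_pps=10.0).items()):
        action = f"SET {r['isolate']}" if r["isolate"] else "no action"
        print(f"port {ifindex}: {r['pps']:.0f} pps, avg {r['avg_size']:.0f} B -> {action}")
```

Only port 2 is flagged: port 3 moves more data but with 1400-byte packets, which the size condition excludes. In a real deployment the SET must go out over a write-capable SNMP session (SNMPv3 with authentication and privacy rather than a v2c write community), and the thresholds should be derived from each port's own history, since a fixed baseline will mis-flag legitimately chatty hosts.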
2. Description of the Related Art
Recently, on the Internet and on intranets, damage caused by programs such as worms and viruses that make unauthorized accesses has become a problem. FIG. 9 shows an example of a conventional unauthorized access program detection and isolation system. Conventionally, such a system either installs antivirus software 902 on each endpoint computer 901 to detect infection, or monitors network traffic using unauthorized access program control (worm control) appliance hardware 903 provided in the network (see, for example, the “Check Point InterSpect Catalog”, January 2004, Check Point Software Technologies Inc.).
Since the antivirus software 902 is signature-based, that is, its detection process matches the specific binary pattern of a known unauthorized access program, it is effective in detecting known worms.
However, since variants and new types of unauthorized access programs have different binary patterns, the detection process largely fails against them. The antivirus software 902 must therefore obtain the latest binary patterns for detecting unauthorized access programs from the vendor of the antivirus software 902 as quickly as possible.
Some antivirus software 902 is additionally provided with a facility for preventing infection by detecting unknown unauthorized access programs. Such facilities, however, sometimes produce erroneous detections (false positives), and the number of unauthorized access programs they detect correctly is small.
On the other hand, the worm control appliance hardware 903 provided in the network is dedicated to collecting and analyzing all packets transmitted over the network; it detects communications that do not conform to protocol rules, traffic that exploits vulnerabilities, and so on, and thereby detects the activity of unauthorized access programs on the network.
The worm control appliance hardware 903 can detect the activity of a variant or a new type of unauthorized access program. However, in order to capture unauthorized access traffic, all traffic of the intranet 906 (network) must be monitored from a mirroring port 905 of a switch router 904 in each network segment, and each flow must be examined to determine whether or not it is unauthorized. The resulting software and hardware processing load is heavy, and cannot be handled adequately as network traffic increases.
Furthermore, since dedicated hardware is required in each network segment, a large network requires a plurality of monitoring systems (worm control appliance hardware 903). Accordingly, the number of systems to be managed increases and the number of management steps grows sharply.