Technical Field
This invention relates to computer system security, and more particularly, to a system and method for autonomously identifying and disrupting multiple forms of malicious software attacks through the correlation of hardware, operating system, and user space events.
Background Information
A mix of high false positives, complex management, unacceptable performance load, and a lack of automatic responses have critically reduced the efficacy and adoption of current security technologies in use at the endpoint. These technologies include anti-virus and malicious code detection products, network and host-based monitoring agents, and traditional host-based IPS and IDS technologies. These technologies are focused on detecting malware and automated attack mechanisms by recognizing direct representations (signatures) of known attack payloads, or by identifying a limited base of inappropriate or unauthorized actions. These approaches have proven increasingly ineffective as attackers use techniques such as polymorphism to change the appearance of attacks and increase their use of zero-day attacks, for which no signatures exist.
Modern attackers also leverage vulnerabilities in common applications and interfaces to elevate their privilege, providing them with the ability to co-opt the system configuration authority of the root user or administrator. From this position, the attackers and their tools can disable, remove, or reconfigure other software that is installed on the system. Existing technologies rely on their ability to instantiate themselves with priority over malware, and that priority is vulnerable in the case of privilege escalation attacks.
The preceding weaknesses in current technologies have led to the development of security systems that operate as nearly fully virtualized versions of the systems they seek to protect. By abstracting the actual operation of system-level functions from processes and users, these security systems can better identify patterns of behavior, and prevent malicious behavior, within the context of the virtualized image. However, the amount of data acquisition and process intermediation required by a fully virtualized or sandboxed environment often creates unacceptable performance impacts on the users of the systems along with other issues.
As a result of these multiple inadequacies, there are few automated solutions available to organizations looking to protect their endpoint systems. In the absence of trusted data and consistent reporting, endpoint security technologies instead provide monitoring data to human interpreters and remote data aggregation suites, from which attack identification and response decisions are made. The resulting latency between the attack, the detection of the attack, and the disruption or mitigation of the attack often spans months. Skilled individuals capable of recognizing attack patterns, and infrastructures capable of supporting them, also come at a high cost, making them inappropriate for all but the largest of organizations.