1. Field of the Invention
The present invention relates generally to computer networks, and more particularly to preventing the spread of malware.
2. Background Art
Detecting and distinguishing computer worms from ordinary communications traffic within a computer network is a challenging problem. Moreover, modern computer worms operate at an ever increasing level of sophistication and complexity. Consequently, it has become increasingly difficult to detect computer worms.
A computer worm can propagate through a computer network by using active propagation techniques. One such active propagation technique is to select target systems to infect by scanning network address space (e.g., a scan-directed computer worm). Another active propagation technique is to use topological information from an infected system to actively propagate the computer worm in the system (e.g., a topologically directed computer worm). Still another active propagation technique is to select target systems to infect based on some combination of previously generated lists of target systems (e.g., a hit-list directed computer worm).
In addition to the active propagation techniques, a computer worm may propagate through a computer network by using passive propagation techniques. One passive propagation technique is for the worm to attach itself to a normal network communication not initiated by the computer worm itself (e.g., a stealthy or passive contagion computer worm). The computer worm then propagates through the computer network in the context of normal communication patterns not directed by the computer worm.
It is anticipated that next-generation computer worms will have multiple transport vectors, use multiple target selection techniques, have no previously known signatures, and will target previously unknown vulnerabilities. It is also anticipated that next generation computer worms will use a combination of active and passive propagation techniques and may emit chaff traffic (i.e., spurious traffic generated by the computer worm) to cloak the communication traffic that carries the actual exploit sequences of the computer worms. This chaff traffic will be emitted in order to confuse computer worm detection systems and to potentially trigger a broad denial-of-service by an automated response system.
Approaches for detecting computer worms in a computer system include misuse detection and anomaly detection. In misuse detection, known attack patterns of computer worms are used to detect the presence of the computer worm. Misuse detection works reliably for known attack patterns but is not particularly useful for detecting novel attacks. In contrast to misuse detection, anomaly detection has the ability to detect novel attacks. In anomaly detection, a baseline of normal behavior in a computer network is created so that deviations from this behavior can be flagged as anomalous. The difficulty inherent in this approach is that universal definitions of normal behavior are difficult to obtain. Given this limitation, anomaly detection approaches strive to minimize false positive rates of computer worm detection.
In one suggested computer worm containment system, detection devices are deployed in a computer network to monitor outbound network traffic and detect active scan directed computer worms within the computer network. To achieve effective containment of these active computer worms, as measured by the total infection rate over the entire population of systems, the detection devices are widely deployed in the computer network in an attempt to detect computer worm traffic close to a source of the computer worm traffic. Once detected, these computer worms are contained by using an address blacklisting technique. This computer worm containment system, however, does not have a mechanism for repair and recovery of infected computer networks.
In another suggested computer worm containment system, the protocols (e.g., network protocols) of network packets are checked for standards compliance under an assumption that a computer worm will violate the protocol standards (e.g., exploit the protocol standards) in order to successfully infect a computer network. While this approach may be successful in some circumstances, this approach is limited in other circumstances. Firstly, it is possible for a network packet to be fully compatible with published protocol standard specifications and still trigger a buffer overflow type of software error due to the presence of a software bug. Secondly, not all protocols of interest can be checked for standards compliance because proprietary or undocumented protocols may be used in a computer network. Moreover, evolutions of existing protocols and the introduction of new protocols may lead to high false positive rates of computer worm detection when “good” behavior cannot be properly and completely distinguished from “bad” behavior. Encrypted communications channels further complicate protocol checking because protocol compliance cannot be easily validated at the network level for encrypted traffic.
In another approach to computer worm containment, “honey farms” have been proposed. A honey farm includes “honeypots” that are sensitive to probe attempts in a computer network. One problem with this approach is that probe attempts do not necessarily indicate the presence of a computer worm because there may be legitimate reasons for probing a computer network. For example, a computer network can be legitimately probed by scanning an Internet Protocol (IP) address range to identify poorly configured or rogue devices in the computer network. Another problem with this approach is that a conventional honey farm does not detect passive computer worms and does not extract signatures or transport vectors in the face of chaff emitting computer worms.
Another approach to computer worm containment assumes that computer worm probes are identifiable at a given worm sensor in a computer network because the computer worm probes will target well known vulnerabilities and thus have well known signatures which can be detected using a signature-based intrusion detection system. Although this approach may work for well known computer worms that periodically recur, such as the CodeRed computer worm, this approach does not work for novel computer worm attacks exploiting a zero-day vulnerability (e.g., a vulnerability that is not widely known).
One suggested computer worm containment system attempts to detect computer worms by observing communication patterns between computer systems in a computer network. In this system, connection histories between computer systems are analyzed to discover patterns that may represent a propagation trail of the computer worm. In addition to false positive related problems, the computer worm containment system does not distinguish between the actual transport vector of a computer worm and a transport vector including a spuriously emitted chaff trail. As a result, simply examining malicious traffic to determine the transport vector can lead to a broad denial of service (DOS) attack on the computer network. Further, the computer worm containment system does not determine a signature of the computer worm that can be used to implement content filtering of the computer worm. In addition, the computer worm containment system does not have the ability to detect stealthy passive computer worms, which by their very nature cause no anomalous communication patterns.
One problem with creating signatures to block or eliminate worms, viruses, Trojan horses, spyware, hacker attacks, or other malware, is that creating signatures can take considerable time. In one example, a virus is often received several times and studied before it can be identified and the attack recognized. During the time to manually create virus signatures, the virus may infect thousands of computers that will have to be subsequently disinfected. Unfortunately, the damage caused by the virus may never be corrected.
Further, even when a signature has been created, it may be narrowly defined and only block or identify one type of malware. Signatures are often created that only recognize a pattern of code and not the vulnerability attacked. In one example, a virus may cause a buffer overflow in a particular application to gain control. The virus may cause the buffer overflow with 64 bytes within a select region of data transmitted from an attacker. A signature may be created to recognize the 64 bytes within the select region of data to block the virus. However, the vulnerability may be that the buffer overflow occurs whenever 60 bytes or more are input. As a result, the virus may be modified (e.g., a polymorphic virus) to either move the 64 bytes to another region of the transmitted data, thereby sidestepping recognition by the signature, or attacking the same buffer overflow with 63 bytes rather than 64 bytes. Again, the signature may not recognize the pattern of the virus and the attack is conducted until yet another signature is created and more damage is done.