The increasing dependence of companies and government agencies on their computer networks highlights the importance of protecting these systems from attacks. A single piece of malware (malicious software) on one computer that is part of a network can result in the loss, unauthorized use or modification of large amounts of data, and can cause users to question the reliability of all of the information on the network.
A typical problem for a network administrator is watching the network become congested by a new Internet virus or worm spreading itself from thousands of client machines. It is often impossible to remove a worm remotely or to reach an inexperienced user with virus-removal instructions. The obvious choice would be to run a virus scanner on a dedicated machine and analyze all traffic to and from the clients. Under high network load this would consume enormous CPU resources, so it is not practical; it would also require the attacking worm's signature, which usually takes a long time to produce, and during that time the worm continues to propagate.
In addition to worm-related attacks, which propagate automatically, other types of malicious code are propagated manually, and in many cases the malicious code is actually an unobtrusive information-gathering probe. Client-side vulnerabilities target the systems of individual users rather than the servers of an organization. Perpetrators exploiting client-side vulnerabilities target applications such as Web browsers, email clients, P2P networks, Instant Messaging clients, and media players. These vulnerabilities are often, but not always, the result of logic errors or flaws in access-control systems, and they are often easily exploitable, particularly in browsers. Active exploitation of browser vulnerabilities has shown that client-side vulnerabilities are very attractive to attackers, because it is much easier to exploit a single vulnerable workstation through a universally exploitable client-side vulnerability than to penetrate a target organization from outside its perimeter defenses. Compounding this risk is the fact that the users of client systems may not be as security conscious as security administrators, whose primary role is to secure networks and servers. Examples of different categories of electronic threats (eThreats) are:

Trojans are increasingly being installed via malicious Web sites. They exploit browser vulnerabilities that allow malicious code authors to download and execute the Trojans with little or no conscious user interaction. Trojans appear to serve some useful purpose, which encourages users to download and run them, but actually carry a destructive function. They may masquerade as legitimate applications available for download from various sources or be sent to an unsuspecting user as an email attachment. If Trojans are executed on a computer they can be extremely destructive, with payloads ranging from unauthorized export of confidential data to surreptitious reformatting of hard drives.

Adware packages perform numerous operations, including displaying pop-up ads, dialing high-cost numbers through the system's modem if one is present, modifying browser settings such as the default home page, and monitoring the user's surfing activity in order to display targeted advertisements. Their effects range from mere user annoyance to privacy violations to monetary loss.

Spyware is often installed surreptitiously on a user's computer when the user downloads free software from the Internet. It may be downloaded in conjunction with legitimate applications or through illegitimate means, such as exploitation of client-side vulnerabilities in Web browsers. In addition to privacy and confidentiality issues, this software often redirects users to adult Web sites, produces unwanted pop-up ads, and even updates itself dynamically.

Spam messages are annoying on individual computers. However, high volumes of spam can create Denial of Service (DoS) conditions in which email systems are so overloaded that legitimate email and network traffic cannot get through. The volume of email generated by spammers forces administrators and users to expend already overextended resources on filtering suspect messages and scanning for malicious code. As such, the costs associated with preventive and mitigating strategies are increasing.

Phishing (password hijacking) is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. Perpetrators attempt to trick users into disclosing credit card numbers, passwords, online banking information, or other sensitive information that is then used to commit fraudulent acts. Phishing may be conducted through email, spam, spyware, and blended threats. Perpetrators have used email to trick users into entering confidential information into fraudulent Web sites or forms.
The threatening situation described above has been amplified in part by increased global terrorism and criminal activities on the Web in recent years. Today the Web is used as an enabling platform for a plethora of illegal activities ranging from credit card fraud, through identity phishing, to transferring money and orders. Web application attacks are expected to increase in the near future; targeted attacks on firewalls, routers, and other security devices protecting users' systems will be a growing security concern; sophisticated methods of control and attack synchronization that are difficult to detect and locate will be used, and finally, more attempts to exploit mobile end-user devices will be documented.
Needless to say, enormous efforts are being made to provide defenses against all of these types of known threats as well as presently unknown threats which will no doubt appear in the future. All large and medium organizations, and even small ones in critical fields of endeavor, employ computer security experts to protect their networks from electronic threats (eThreats).
If the security expert must depend only on feedback from individual users who report what appears to them to be abnormal operation of their computers, then in most cases the damage to the organization's network will be extensive before any protective or corrective action can be taken. It is therefore of critical importance that tools be provided that assist the security expert in monitoring the network and alert him to the presence of eThreats at a very early stage.
It is a purpose of this invention to provide a comprehensive architecture designed to enable early detection of electronic threats by manual inspection and automatic monitoring of continuously accumulated, time-oriented raw security data and temporal abstractions of it, thereby identifying eThreat patterns and creating alerts.
It is another purpose of this invention to provide the architecture with elements that allow data collected from various sources, such as end-user devices, network elements, network links, etc., to be analyzed in order to identify potentially infected devices, files, sub-streams or network segments.
It is another purpose of this invention to provide, as part of the architecture, a visualization interface for exploration of multiple security-oriented records and their correlations over time, thus also supporting an interactive mode that enables the identification of new eThreats.
It is another purpose of this invention to provide as part of the architecture a graphical knowledge-acquisition and maintenance tool that enables the security expert to easily add new patterns to the knowledge base, or modify existing ones.
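The purposes above describe raw security records being accumulated over time, abstracted into temporal states, and matched against expert-maintained patterns that raise alerts. The following Python script is an added illustration of that pipeline and is not code from the patent or from any implementation of it. The record format, the two data sources ("net" and "mail"), the device names, the `KNOWLEDGE_BASE` structure and all thresholds are assumptions constructed for this example; the records themselves are constructed to resemble one workstation opening outbound connections minute after minute, the flow-log footprint of a spreading worm described earlier, next to quiet hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed raw security records (not from the patent). Hypothetical line format:
# "<ISO timestamp> <source> <device> <event> <detail>". Workstation ws-07 opens
# many outbound connections in consecutive minutes; ws-02 and the mail gateway are quiet.
RAW_RECORDS = """
2024-01-10T09:00:05 net ws-02 conn_out 10.0.0.20:443
2024-01-10T09:00:12 net ws-07 conn_out 10.0.0.31:445
2024-01-10T09:00:30 mail mail-gw mail_in sender=alice@example.test
2024-01-10T09:00:40 net ws-07 conn_out 10.0.0.32:445
2024-01-10T09:00:51 net ws-07 conn_out 10.0.0.33:445
2024-01-10T09:01:03 net ws-07 conn_out 10.0.0.34:445
2024-01-10T09:01:15 mail mail-gw mail_in sender=bob@example.test
2024-01-10T09:01:20 net ws-07 conn_out 10.0.0.35:445
2024-01-10T09:01:44 net ws-07 conn_out 10.0.0.36:445
2024-01-10T09:01:58 net ws-07 conn_out 10.0.0.37:445
2024-01-10T09:02:10 net ws-07 conn_out 10.0.0.38:445
2024-01-10T09:02:30 net ws-02 conn_out 10.0.0.21:443
2024-01-10T09:02:33 net ws-07 conn_out 10.0.0.39:445
2024-01-10T09:02:47 net ws-07 conn_out 10.0.0.40:445
2024-01-10T09:03:01 net ws-02 conn_out 10.0.0.22:443
2024-01-10T09:03:15 net ws-07 conn_out 10.0.0.41:445
""".strip().splitlines()

# Hypothetical knowledge base: each entry is a temporal pattern a security expert
# could add or edit. Names, keys and thresholds are assumptions for this example.
KNOWLEDGE_BASE = [
    {"name": "worm_like_outbound_scan", "source": "net", "event": "conn_out",
     "window_seconds": 60, "high_threshold": 3, "min_consecutive_high": 3},
    {"name": "mail_flood", "source": "mail", "event": "mail_in",
     "window_seconds": 60, "high_threshold": 5, "min_consecutive_high": 2},
]


def parse_record(line):
    """Split one raw record into its fields; the timestamp becomes a datetime."""
    ts, source, device, event, *rest = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "device": device, "event": event, "detail": " ".join(rest)}


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size time window."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % int(window.total_seconds()))


def abstract_states(records, pattern):
    """Temporal abstraction: raw events -> per-device event counts per window
    -> a qualitative HIGH/NORMAL state per window, sorted by time."""
    window = timedelta(seconds=pattern["window_seconds"])
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["source"] == pattern["source"] and r["event"] == pattern["event"]:
            counts[r["device"]][window_start(r["ts"], window)] += 1
    return {dev: sorted((w, "HIGH" if c >= pattern["high_threshold"] else "NORMAL")
                        for w, c in per_win.items())
            for dev, per_win in counts.items()}


def match_pattern(states, pattern):
    """Raise one alert per run of at least min_consecutive_high adjacent HIGH windows."""
    window = timedelta(seconds=pattern["window_seconds"])
    alerts = []
    for device, seq in states.items():
        run_start, run_len, prev = None, 0, None
        for w, state in seq:
            if state == "HIGH":
                # Extend the run only if this window directly follows the previous one;
                # a window with no events at all is a gap and breaks the run.
                if run_len and w == prev + window:
                    run_len += 1
                else:
                    run_start, run_len = w, 1
                if run_len == pattern["min_consecutive_high"]:
                    alerts.append({"pattern": pattern["name"], "device": device,
                                   "start": run_start, "end": w})
            else:
                run_len = 0
            prev = w
    return alerts


def detect(lines, knowledge_base):
    """Run every pattern in the knowledge base over the accumulated raw records."""
    records = [parse_record(line) for line in lines]
    alerts = []
    for pattern in knowledge_base:
        alerts.extend(match_pattern(abstract_states(records, pattern), pattern))
    return alerts


if __name__ == "__main__":
    for a in detect(RAW_RECORDS, KNOWLEDGE_BASE):
        print(f"ALERT {a['pattern']}: device {a['device']} potentially infected, "
              f"{a['start']:%H:%M} to {a['end']:%H:%M}")
```

Run as-is, the script flags only ws-07: its outbound-connection rate is HIGH in three adjacent one-minute windows, while ws-02 never crosses the threshold and the mail gateway never matches the mail pattern. Because the abstraction step reduces each window to a state rather than keeping every packet, the per-record cost is a dictionary increment, which is the property that makes continuous monitoring feasible where scanning all client traffic with a signature-based engine is not; a new pattern is a new dictionary in `KNOWLEDGE_BASE`, which is the role the graphical knowledge-acquisition tool would play.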
Further purposes and advantages of this invention will appear as the description proceeds.