With the rising popularity of the Internet, millions of users now connect to the Internet daily from their host computers to conduct e-commerce transactions, search for information, and/or download executable programs to enhance the capability and performance of their own host computers. The interaction between these users and the other host servers on the Internet generally involves the transfer of some amount of data, which may include both static displayable information and executable computer code. Generally speaking, static displayable information refers to static information to be displayed at the host computer, while executable code (or simply an "executable") refers to computer instructions configured to be executed at the host computer to perform some task.
In general, the vast majority of the downloadable data from the Internet represents useful or at least non-harmful content material. However, there exists a class of executable code that, if downloaded and executed at host computers, may wreak havoc with the operating system, the hardware, and/or other software of the host computers. These executables include what are commonly referred to as computer viruses and worms.
A computer virus is a piece of programming code, usually disguised as something else, that causes some unexpected and usually undesirable event (for the victim). Viruses are often designed so that they automatically spread to other computer users across network connections. For instance, viruses can be transmitted as attachments to an e-mail message, by downloading infected programs from other web sites, and/or by importing them into a computer from a diskette or CD-ROM. The application that handles the e-mail, downloaded file, or diskette is often unaware of the virus. Some viruses take effect as soon as their code is executed; others lie dormant until some circumstance causes their code to be executed by the computer. Some viruses can be quite harmful, causing a hard disk to require reformatting or clogging networks with unnecessary traffic.
Computer worms are very similar to viruses in that a worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. Once the security hole has been found, the worm copies itself to the new machine through that hole, and then uses the newly infected computer to replicate itself further in order to infect other computers connected thereto. Such a situation is shown in FIG. 1, where a computer 100 infected with a worm 102 infects a computer 104 by way of an Internet connection 106. The worm 102 then uses the computer 104 to infect other computers 108, each of which, in turn, is used to infect other computers coupled thereto. Given enough time and computing resources, the worm 102 can infect thousands or even millions of computers in a relatively short time. An example of a particularly virulent worm is the Code Red worm, which at one point replicated itself over 250,000 times in approximately nine hours. The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on Jul. 19, 2001. According to the National Infrastructure Protection Center:

        The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Unpatched systems are susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on Jul. 20, 2001. This is 8:00 PM, EST.

Upon successful infection, the Ida Code Red worm waits for the appointed hour, connects to the <www.whitehouse.gov> domain, and then each infected computer simultaneously sends 100 connections to port 80 of <www.whitehouse.gov> (198.137.240.91).
A worm typically does not alter files; it resides in active memory and duplicates itself, using parts of the operating system that run automatically and are normally invisible to the user. Worms are therefore often noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
To combat worms, users and administrators of computer networks (such as corporate local area networks or wide area networks) have long employed a variety of tools designed to detect and block worms from infecting a computer system. In a corporate local area network (LAN), for example, network administrators may employ proxy servers (which are disposed between the host computers of the LAN and the Internet) as well as individual computers to perform any of a number of defense strategies designed to prevent infection by a worm. One such defense strategy relies upon behavioral monitoring of computer actions. In behavioral monitoring, a historical database of actions taken by every computer is maintained that is then used by a monitoring program (heuristic engine) to compare to current actions taken by a particular computer. In those cases where current actions are deemed by the behavior monitoring program to be substantially different from the historical norm, the behavioral monitoring program flags that particular computer as being possibly infected by a worm. Once so flagged, appropriate actions can be taken.
For example, if a particular computer has a historical record of ten port 80 accesses per hour, and the behavioral monitoring program determines that the request level has risen to, say, one thousand port 80 accesses per hour, that computer is flagged as possibly being infected by a worm. Unfortunately, behavioral monitoring has a drawback in that a false positive may result when a legitimate user initiates actions on the monitored computer that cause it to be flagged. Sending a relatively large number of e-mail messages, for instance, is not in itself a problem, but it nonetheless causes a behavioral monitor to flag the computer, possibly disrupting an innocent user.
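The rate-based behavioral monitor described above, as an added example (not code from the patent or any product): it buckets outbound connections per host and destination port into hourly counts, compares each bucket with a historical per-hour norm, and flags any bucket that exceeds the norm by a fixed ratio. The log format (`<epoch-seconds> <host> <dst-ip>:<dst-port>`), the baseline table, the 20x ratio and the sample log are all constructed assumptions. The sample deliberately includes a mail relay doing a legitimate bulk mailing so that the false-positive case from the paragraph shows up in the output.

```python
"""Rate-based behavioural monitor over constructed connection-log lines.

Added example, not from the patent. Assumes a hypothetical log format
    <epoch-seconds> <src-host> <dst-ip>:<dst-port>
and a hypothetical baseline table of historical per-hour connection counts.
"""
from collections import Counter, defaultdict

# Historical norm: mean outbound connections per hour, keyed by (host, dst port).
# Constructed, hypothetical figures.
BASELINE = {
    ("ws-17", 80): 10.0,
    ("ws-23", 80): 12.0,
    ("mail-relay", 25): 40.0,
}

RATIO_THRESHOLD = 20.0  # flag when an hourly count exceeds 20x the historical norm


def parse_line(line):
    """Split one log line into (timestamp, host, dst_ip, dst_port)."""
    ts, host, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return int(ts), host, ip, int(port)


def hourly_counts(lines):
    """Return {(host, port): Counter{hour_bucket: connection count}}."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, host, _ip, port = parse_line(line)
        counts[(host, port)][ts // 3600] += 1
    return counts


def flag_anomalies(lines, baseline=BASELINE, ratio=RATIO_THRESHOLD):
    """Return a sorted list of (host, port, hour, count) for every hourly
    bucket whose count exceeds ratio * the historical norm for that key.
    Keys with no history are skipped: there is nothing to compare against."""
    flags = []
    for key, buckets in hourly_counts(lines).items():
        norm = baseline.get(key)
        if norm is None:
            continue
        for hour, n in buckets.items():
            if n > ratio * norm:
                flags.append((key[0], key[1], hour, n))
    return sorted(flags)


def build_sample_log():
    """Constructed log: ws-17 behaves normally in hour 0, then in hour 1
    opens 1000 port-80 connections to a spread of addresses (worm-like);
    mail-relay sends a legitimate 900-message bulk mailing in hour 1."""
    lines = []
    for i in range(8):
        lines.append(f"{i * 400} ws-17 203.0.113.{i + 1}:80")
    for i in range(1000):
        lines.append(f"{3600 + i * 3} ws-17 198.51.100.{i % 254 + 1}:80")
    for i in range(900):
        lines.append(f"{3600 + i * 4} mail-relay 192.0.2.{i % 254 + 1}:25")
    return lines


if __name__ == "__main__":
    for host, port, hour, n in flag_anomalies(build_sample_log()):
        print(f"hour {hour}: {host} -> port {port}: {n} connections (flagged)")
```

Both hosts are flagged: the worm-like scan from ws-17 and the mail relay's bulk run look identical to a pure rate threshold, which is exactly the false positive the paragraph describes. Lowering the ratio makes the worm easier to catch and the mail relay easier to misflag; the threshold alone cannot separate the two.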
Another widely used defense mechanism is referred to as port blocking, in which a particular port known to be under attack is blocked from receiving any traffic at all. For example, in the case of the Code Red worm, port 80 of the <www.whitehouse.gov> site could be blocked, thwarting the worm's attack on that site. Unfortunately, even though blocking port 80 stops the Code Red attack, it also blocks all legitimate traffic to port 80 of the <www.whitehouse.gov> site, and it does nothing to stop the worm from spreading, since the worm propagates over the same port 80 to other unpatched web servers.
Yet another well known approach to defending computer systems from worm attacks is known as generic filtering that relies upon a firewall and/or proxy server to apply specific rule or rules to incoming traffic. To illustrate, FIG. 2 depicts, in a simplified schematic format, a corporate environment 202 within which multiple host computers 204, 206, and 208 are interconnected via a local area network (LAN) 210. LAN 210, in addition to allowing the host computers to exchange data among themselves and/or other I/O devices or storage devices connected thereto, also facilitates data transfer between the host computers and the distributed computer network 212 (such as the Internet). As shown in FIG. 2, a proxy server 214 is interposed between LAN 210 and distributed computer network 212 to monitor data transfers between distributed computer network 212 and the host computers connected to LAN 210.
In the current art, one of the more popular application protocols for data transfers via the world wide web (WWW) is the Hypertext Transfer Protocol (HTTP). Thus, for data transfers via the world wide web, proxy server 214 typically implements the HTTP protocol. Also shown in proxy server 214 is a scan engine 216, representing the software and/or hardware portion configured to detect computer worms that may be present in the HTTP data transfers. When a host computer, such as host computer 204, wishes to download data from one of the web servers connected to distributed computer network 212, e.g., one of web servers 220, 222, or 224, the data transfer therefrom traverses proxy server 214 and is scanned by scan engine 216 using a particular generic filter (or filters) that form part of the proxy server's rule set, to ensure that the data transfer is free of worms.
One such generic filter compares the size of each incoming packet against the buffer that will receive it; if the packet is larger than the available buffer space, the firewall truncates the packet or, more commonly, drops it altogether. Another specific rule counts unsuccessful password attempts; once that count exceeds a threshold, the firewall refuses any further incoming traffic from the originator. Although somewhat effective, generic filtering requires intimate knowledge of the system and/or program being protected. Such information is typically only readily available for open source systems, which at present represent but a small percentage of available programs. For a closed source system, the sizes of the various buffers, and hence the sizes at which they would overflow, are not known a priori, so it would be extremely unlikely that an effective generic filter could be devised to thwart buffer overflow-type worm attacks.
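The two generic filter rules just described, applied at an HTTP proxy, as an added example (not code from the patent or any firewall product). The first rule drops any request whose request-target is longer than the buffer the protected server is assumed to hold it in; the second counts 401 responses per source address and refuses all further traffic from a source once it passes a threshold. The buffer size (256 bytes), the lockout threshold (3), the source addresses and the sample requests are all constructed assumptions; the overlong `.ida` request is only a stand-in shaped like a request to an ISAPI-handled path, with arbitrary padding, not the worm's actual payload.

```python
"""Generic filter rules of the kind a firewall/proxy applies to incoming HTTP.

Added example, not code from the patent or any product. The request format,
the assumed buffer limit and the auth-failure threshold are all assumptions.
"""
from collections import defaultdict

MAX_REQUEST_TARGET = 256   # assumed size of the protected server's URI buffer
MAX_AUTH_FAILURES = 3      # assumed lockout threshold for failed logins


class GenericFilter:
    def __init__(self, max_target=MAX_REQUEST_TARGET, max_failures=MAX_AUTH_FAILURES):
        self.max_target = max_target
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # failed auth attempts per source
        self.blocked = set()               # sources refused outright

    def inspect(self, src, raw_request):
        """Decide on one raw HTTP request from src.
        Returns 'ALLOW' or 'DROP:<reason>'."""
        if src in self.blocked:
            return "DROP:source-blocked"
        request_line = raw_request.split("\r\n", 1)[0]
        parts = request_line.split(" ")
        if len(parts) != 3:
            return "DROP:malformed-request-line"
        _method, target, _version = parts
        # Rule 1: request-target larger than the buffer it will land in is dropped
        # rather than truncated, so nothing past the buffer ever reaches the server.
        if len(target.encode()) > self.max_target:
            return "DROP:request-target-exceeds-buffer"
        return "ALLOW"

    def record_response(self, src, status):
        """Rule 2: feed the server's status back; 401 is a failed auth attempt,
        and reaching the threshold blocks the source for all further traffic."""
        if status == 401:
            self.failures[src] += 1
            if self.failures[src] >= self.max_failures:
                self.blocked.add(src)


def run_demo():
    """Constructed traffic: one normal request, one overlong request-target,
    then three failed logins from a second source followed by a fourth attempt."""
    f = GenericFilter()
    decisions = []
    decisions.append(f.inspect("198.51.100.7", "GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"))
    overlong = "GET /default.ida?" + "X" * 300 + " HTTP/1.0\r\n\r\n"   # constructed padding
    decisions.append(f.inspect("198.51.100.7", overlong))
    login = "GET /admin/ HTTP/1.0\r\nAuthorization: Basic Zm9vOmJhcg==\r\n\r\n"   # "foo:bar"
    for _ in range(3):
        decisions.append(f.inspect("203.0.113.9", login))
        f.record_response("203.0.113.9", 401)   # server rejected the credentials
    decisions.append(f.inspect("203.0.113.9", "GET /admin/ HTTP/1.0\r\n\r\n"))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The weakness the paragraph points at sits in `MAX_REQUEST_TARGET`: the rule only works if that number matches the real buffer in the protected (possibly closed source) server. Set it too high and an overflowing request passes; set it too low and legitimate long URLs are dropped. The auth-failure rule has no such dependency, which is why it is the easier of the two to deploy generically.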
In any case, once a computer has been infected, the infected computer must be detached from the Internet (or whichever connection the worm used to infect it) and then rebooted in order to purge the worm from memory. Unfortunately, at this point the now clean computer must be reconnected to the Internet in order to obtain the patch that "fixes" the security hole, and the patch must then be applied to provide the appropriate protection. Once the computer is reconnected, however, the worm can re-infect it at any time before the patch is applied, without the knowledge of the computer user, rendering the patch moot.
In view of the foregoing, there are desired improved techniques for enabling distributed worm filtering on data transfers between a distributed computer network and the host computers.