The present invention relates generally to the useful art of computer software programming and more specifically to software relating to computer networks.
Intrusion Prevention Systems (IPS) are used to protect computer networks against malicious incoming traffic. However, the effectiveness of an IPS is limited due to the fact that an IPS only blocks traffic for which it has a “signature.” A signature is a specific rule used by a content filtering system to detect electronic threats. Accordingly, an IPS may not block an exploit for a vulnerability the vendor is not aware of, or for which there is no patch available. A zero-day exploit is one that takes advantage of a security vulnerability before the vulnerability becomes generally known, or before a signature has been developed, thus leaving the exploit in circulation.
Zero-day protection is the ability to provide protection against zero-day exploits. Because zero-day attacks are generally unknown to the public, it is often difficult to defend against them. Zero-day attacks are often effective against networks considered “secure” and can remain undetected even after they are launched.
Several techniques exist to limit the effectiveness of zero-day memory corruption-type vulnerabilities, such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as SUN MICROSYSTEMS SOLARIS, LINUX, UNIX, and UNIX-like environments. Versions of MICROSOFT WINDOWS XP Service Pack 2 and later include limited protection against generic memory corruption-type vulnerabilities. Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities. Typically, these technologies involve heuristic determination analysis, stopping the attacks before they cause any harm. However, this type of analysis is prone to a high incidence of false positive results.
Another approach to limiting effectiveness of zero-day exploits is the use of a honeypot. A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of network or information systems. Honeypots are generally designed to give an administrator the ability to track malicious activity for investigation purposes. However, honeypots have a major disadvantage in that they require heavy user interaction and administration. The investigation consists of manually capturing a packet entering the honeypot and either making a custom signature within an IPS, or waiting for the IPS vendor to create one.
The standard IPS approaches have the significant flaw of missing signatures for zero-day attacks. Second generation IPS devices attempted to fill this void by performing heuristic behavior analysis on the inspected traffic. While this analysis assists in building an improved signature-based system, such approaches are under heavy scrutiny due to the number of false positives generated and the general lack of reliability in catching zero-day attacks.