Initially, relatively powerful computers were constructed as unique mainframes operated by larger corporations on isolated networks. Then, computers with modest amounts of computing power were made available to individuals as stand-alone personal computers. The computing power of personal computers and the applications for which they could be used were increased by networking them with other computers throughout the world using ancillary devices (e.g., servers, routers, links, switches, hubs, etc.). An arrangement into which computers and ancillary devices are configured is called a topology. There are many different types of topologies (e.g., bus, ring, star, tree, mesh, etc.).
Computers and networking devices were initially designed using mostly unique hardware, where software was mainly used to program applications that could operate, or “run,” on the hardware. With the creation of virtual machines (i.e., software that emulates an operating system) and software-defined networking (i.e., software that emulates a network element such as a router), the control of a computer network may now be achieved mostly in software that runs on generic hardware. The benefits of such a network are ease of modification and improvement while avoiding a large investment in new unique hardware. However, advantages often come with disadvantages.
Networking over a public network is less secure than an isolated network due to the accessibility of a network by a hacker (i.e., a person who improperly gains access to a computer network or information to cause some type of harm such as acquiring proprietary information, revealing proprietary information, erasing valuable information, modifying valuable information, etc.). Typically, a hacker inserts software (“malicious code” or “malware”) into a computer network to not only provide incorrect data but to influence, or take control of, the command and control structure of the network.
Prior art intrusion detection systems monitor computer networks or systems for attempts to load malware onto a computer or violations of network security policies. Examples of malware include computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious browser helper objects, and rogue security software. Three types of malware detection methods are currently being used: signature-based methods, anomaly-based methods, and protocol analysis methods.
Signature-based detection methods search for a bit pattern, or signature, that is known to be associated with malware. A shortcoming of such a method is that it is backward-looking. That is, a signature cannot be used to detect malware until after the malware has been used against a computer, the malware is manually identified as such, the malware is analyzed to determine a signature that may be used to electronically identify the malware, and an intrusion detection system is updated to be able to search for the signature. Until these activities are completed, the malware cannot be identified by a signature-based intrusion detection system. An intrusion attempt made before a signature is identified for it is commonly referred to as a “zero-day attack.” These tasks may take a long time to complete, if they are completed at all. Another shortcoming is that these activities must be done for each instance of malware. So, the number of signatures that must be searched approaches the number of malware instances ever created.
Anomaly-based detection methods determine the average condition of malware-free computer traffic and search for sufficient deviations from the average. A shortcoming of such a method is that an average of computer traffic is a fiction that may not represent malware-free, or benign, computer traffic. Another shortcoming is that once the average is known, malware may be designed to avoid detection by staying within the average.
Protocol-analysis-based detection methods determine profiles of perceived benign computer activity and search for sufficient deviations from the profiles. A shortcoming of such a method is that a profile of perceived benign computer activity is a fiction that may not represent benign computer traffic. Another shortcoming is that once the profiles are known, malware may be designed to avoid detection by conforming to the protocols.
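The two shortcomings described for signature-based and anomaly-based detection can be seen concretely in a small toy detector. The following Python is an added illustration, not part of the patent text or any product it references; the signatures, payloads and traffic volumes are constructed sample values, and the three-standard-deviation threshold is an assumed design choice. It shows a signature scanner that catches a known payload but misses a re-encoded variant (the zero-day problem), and a baseline-and-deviation check that flags a burst but not traffic deliberately kept inside the baseline.

```python
"""Toy signature-based and anomaly-based detectors (added illustration)."""
import statistics

# Constructed sample signatures: byte patterns assumed to be associated with
# previously analyzed malware. A real signature database would be far larger.
KNOWN_SIGNATURES = {
    "sample-family-A": b"EVILCFG:v1",
    "sample-family-B": b"beacon://c2.example.invalid",
}

# Constructed payloads. The variant carries the same configuration but with
# the marker string re-encoded, so no existing signature matches it yet.
KNOWN_PAYLOAD = b"\x4d\x5a\x90\x00" + b"EVILCFG:v1" + b"\x00" * 8
VARIANT_PAYLOAD = b"\x4d\x5a\x90\x00" + b"RIVOCFG:v1".swapcase() + b"\x00" * 8


def signature_scan(payload: bytes, signatures=KNOWN_SIGNATURES) -> list:
    """Return the sorted names of every known signature present in payload."""
    return sorted(name for name, sig in signatures.items() if sig in payload)


# Constructed per-interval byte counts assumed to be malware-free traffic.
BENIGN_SAMPLES = [1000, 1100, 900, 1050, 950, 1000, 1020, 980]


def anomaly_baseline(samples) -> tuple:
    """Mean and population standard deviation of the benign samples."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def is_anomalous(value: float, mean: float, stdev: float, k: float = 3.0) -> bool:
    """Flag a value that lies more than k standard deviations from the mean."""
    return abs(value - mean) > k * stdev


def demo() -> dict:
    """Run both detectors over the constructed inputs and collect results."""
    mean, stdev = anomaly_baseline(BENIGN_SAMPLES)
    return {
        # Known malware is caught; the re-encoded variant is a zero-day miss.
        "known_hits": signature_scan(KNOWN_PAYLOAD),
        "variant_hits": signature_scan(VARIANT_PAYLOAD),
        # A burst far above the baseline is flagged ...
        "burst_flagged": is_anomalous(50_000, mean, stdev),
        # ... but traffic shaped to stay within the baseline is not.
        "within_baseline_flagged": is_anomalous(1150, mean, stdev),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The variant payload differs from the known one only in how its marker string is spelled, yet `signature_scan` returns nothing for it until an analyst derives and deploys a new signature. Likewise, `is_anomalous` cannot separate the 1150-byte interval from benign traffic, which is exactly the weakness the text attributes to an average-based fiction.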
Prior art intrusion detection systems have a very narrow view into intrusion attempts and are either backward-looking or use a fiction about average computer network traffic or benign computer activity. Therefore, there is a need for a computer security device and method that not only takes a wider view of intrusion detection but also addresses the issue of malware that has successfully avoided detection and is operating on a computer.
U.S. Pat. No. 7,665,097, entitled “ASSOCIATING NOTIFICATIONS OF THE STATUS OF A DATA NETWORK BY USE OF A TOPOLOGY EDITOR,” discloses a user-controlled interface (i.e., a topology editor) to establish functional relationships (i.e., a topology) between devices on a data network. U.S. Pat. No. 7,665,097 is incorporated by reference into the specification of the present invention. U.S. Pat. No. 7,697,420, entitled “SYSTEM AND METHOD FOR LEVERAGING NETWORK TOPOLOGY FOR ENHANCED SECURITY,” discloses a device for and method of establishing a variable communication path between a source node and a destination node, where the path is selected randomly to prevent any single node from participating in a sufficient number of transmission paths so that a complete data packet or a series of data packets may not be intercepted from the node by an unintended recipient. U.S. Pat. No. 7,697,420 is incorporated by reference into the specification of the present invention.
U.S. Pat. No. 8,261,355, entitled “TOPOLOGY-AWARE ATTACK MITIGATION,” discloses a device for and method of determining the topology of a network and deploying an intrusion prevention system in one or more of the devices in the network. U.S. Pat. No. 8,261,355 is incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. Pub. No. 20110103394, entitled “NETWORK TOPOLOGY CONCEALMENT USING ADDRESS PERMUTATION,” discloses a method of obfuscating the source IP address of a packet to be transmitted in order to conceal the location of the device that transmitted the packet. U.S. Pat. Appl. Pub. No. 20110103394 is incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. Pub. No. 20110119390, entitled “SELECTIVELY RE-MAPPING A NETWORK TOPOLOGY,” discloses a device for and method of selectively re-mapping a network topology based on information in a user profile. U.S. Pat. Appl. Pub. No. 20110119390 is incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. Pub. No. 20110270972, entitled “VIRTUAL TOPOLOGY ADAPTATION FOR RESOURCE OPTIMIZATION IN TELECOMMUNICATION NETWORKS,” discloses a device for and a method of virtual topology adaptation for resource optimization. U.S. Pat. Appl. Pub. No. 20110270972 is incorporated by reference into the specification of the present invention.