1. Technical Field of the Invention
This invention relates generally to computer networks and more particularly to the security of a network and/or of its components.
2. Description of Related Art
FIG. 1 illustrates a computer network that includes servers, user devices, a local area network (LAN), a modem, one or more networks, trusted hosts, untrusted hosts, and unknown hosts. The LAN and/or the modem include a firewall. Each server and user device includes a network interface, network security module, memory, a central processing unit (CPU), a controller, a user security module, a user interface, an admin security module, and an admin interface. The controller controls user, administrator, and/or peripheral component input and output requests to access the memory, the CPU, and/or the network interface.
Each of the firewall, the network security module, the user security module, and the admin security module functions to protect the server or user device from malicious software attacks. Malicious software may come in the form of a virus, a worm, a backdoor, a rootkit, and/or a Trojan horse, each of which exists in different versions with somewhat different purposes. In general, the purpose of malicious software is one or more of deleting files (user and/or system), changing files, changing disk formatting, damaging disks, slowing down the system, disabling computers, disabling network connections, installing backdoors and/or spyware to extract sensitive data, and/or spreading to other computers and servers.
Today, most malicious software detection techniques (e.g., antivirus software) are capable of detecting and preventing attacks of low to moderate sophistication. Highly sophisticated attacks, however, which use techniques that blur the technical distinctions between viruses, worms, and Trojan horses, are much more difficult to detect and prevent. Such highly sophisticated attacks are expensive to develop and deploy; as such, they are typically funded by organizations that have unscrupulous intentions for large-scale computer network service disruption, extraction of a large amount of sensitive data, and/or extraction of highly sensitive data. Given these intentions, the targets of such attacks are typically banks, research organizations, security agencies and/or firms, etc.
FIGS. 2-8 illustrate an example of highly sophisticated malicious software attacking a prior art computer, which is representative of attacking a multitude of computers concurrently, sequentially, or exponentially. As shown in FIG. 2, the malicious software (SW) circumvents the malicious software detection techniques of the firewall, the network security module, the user security module, and the admin security module. This may occur as a result of a breach in network security, a breach in user security, unknowingly downloading a file, opening an email attachment, tricking antivirus software into passing the malicious software as a valid file, tricking network access security into believing the malicious software is a valid access, etc.
FIG. 3 illustrates the malicious SW establishing a beachhead within the computer (i.e., it is stored in memory). Once the beachhead is established, the goal of the malicious software is to learn the hardware and software structures of the computer and the vulnerabilities in the interaction between the hardware and the software. The hardware structure includes memory (main memory and external memory), a central processing unit (CPU), network connections and devices, user input and output connections and devices, peripheral connections and devices, a memory controller, an input/output (IO) controller, etc. The software structure includes user applications, system applications, user data (e.g., files, address books, email, etc.), system data (e.g., buffers, stack pointers, physical memory mapping of data and program storage, virtual to physical memory mapping, routing tables, etc.), the operating system (OS), the BIOS (basic input output system), user security data (e.g., credit card information, banking information, passwords, user names, login information, etc.), system security data (e.g., encryption keys, key chains, etc.), etc.
At this stage of the malicious software attack, the hardware and software structures each appear as white (i.e., unmapped) space to the malicious software, as shown in FIGS. 3 and 4. As such, the malicious software, from its beachhead position, monitors data flow between the hardware components to begin to map out the hardware and software structures, to learn the hardware-software interaction vulnerabilities, to learn the security measures in place, and to raise its own security level within the computer or server.
FIGS. 5 and 6 illustrate the malicious software learning the hardware structure, the software structure, the hardware-software interaction vulnerabilities, and the security measures, and increasing its security access within the computer or server. During the learning phase, the malicious software may use a backdoor to communicate its findings to the architect of the malicious software, who may further process the extracted data to determine the structures and/or to increase security access. The learning process typically takes weeks to months before the malicious software has learned enough about the structure, and gained enough security access, to exploit the computer or server.
FIGS. 7 and 8 illustrate the malicious software exploiting the computer or server. At this stage, the malicious software has learned the hardware and software structures and their vulnerabilities, and has established itself as a high-priority application of the computer or server, while remaining invisible to the user, the system admin, and/or antivirus software. With this level of knowledge and access, the malicious software can extract whatever data it wants (e.g., bank accounts, credit card account information, prototype designs, secret data, confidential information, etc.); can alter or destroy any data and/or applications it wants; can corrupt any data and/or applications it wants; and can disrupt or shut down operation of the computer or server.