Networks, regardless of their complexity, can be susceptible to a variety of malicious attacks. Unfortunately, even with a dedicated team of qualified network administrators, a network can become compromised, especially in cases in which a network device's boot software is replaced without an administrator noticing. In such cases, malicious software, often containing backdoors, can be left to run on the network device perpetually, leaving the system open to future attacks at any time.
The current network device security and management systems on the market verify the integrity of the system software only once, on boot-up. While this can ensure the system is in a known good state at boot-up, the device remains vulnerable to an attack that happens after the system has completed start-up.
Some devices try to provide a way to verify data after the system has been booted. For example, some manufacturers allow an administrator to copy a memory dump from the device to a remote system for analysis. However, if malicious software is installed, the mechanism that copies the memory dump to a remote system can be modified to provide a copy of what the memory should look like, as opposed to what it actually looks like. Command-line tools that report common areas of interest such as memory usage or a process list can be easily modified so that malicious processes and memory usage are hidden.
Thus, there is a need for a software-based system, embodied as an agent, which scans the network device continuously, so that even if it is compromised, the agent can detect changes made to the network device and alert the administrator through a management console. Such a system preferably compares the present state of the agent and device against a known-good backup. The backup may also preferably be used to restore the system in the event of an attack. The management console is preferably configured to alert the administrator(s) remotely in the event of an attack, and may employ email, text, audio, page, or other means to alert the administrator.
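One scan-and-restore pass of the kind described above, as an added example that is not part of the original text: it compares a constructed device tree, including the agent's own file, against a known-good manifest and restores from the backup. The file names, function names and the use of SHA-256 are assumptions, and the manifest and backup are assumed to be stored where the device cannot modify them.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_baseline(root, backup_dir):
    """Copy the known-good tree to backup_dir and return its manifest."""
    shutil.copytree(root, backup_dir, dirs_exist_ok=True)
    return snapshot(root)

def scan(root, manifest):
    """Compare present state with the manifest; return sorted findings."""
    current = snapshot(root)
    findings = [("missing" if rel not in current else "modified", rel)
                for rel, h in manifest.items() if current.get(rel) != h]
    findings += [("unexpected", rel) for rel in current if rel not in manifest]
    return sorted(findings)

def restore(root, backup_dir, manifest, findings):
    """Undo each finding from the backup, verifying the backup copy first."""
    for kind, rel in findings:
        target = Path(root) / rel
        if kind == "unexpected":
            target.unlink()
            continue
        good = Path(backup_dir) / rel
        if sha256(good) != manifest[rel]:
            raise RuntimeError(f"backup copy of {rel} does not match manifest")
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(good, target)

def demo():
    """Constructed device tree: tamper, scan, restore, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        device, backup = Path(tmp, "device"), Path(tmp, "backup")
        (device / "boot").mkdir(parents=True)
        (device / "agent").mkdir()
        (device / "boot" / "loader.bin").write_bytes(b"known-good boot image")
        (device / "agent" / "agent.py").write_bytes(b"# agent code")
        manifest = take_baseline(device, backup)
        (device / "boot" / "loader.bin").write_bytes(b"replaced boot image")
        (device / "agent" / "agent.py").unlink()
        (device / "boot" / "extra.bin").write_bytes(b"not in baseline")
        alerts = scan(device, manifest)  # findings the console would receive
        restore(device, backup, manifest, alerts)
        return alerts, scan(device, manifest)
```

A continuously running agent would repeat `scan` on a timer and forward any non-empty result to the management console.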