As e-commerce, or doing business over the Internet, becomes a way of life rather than being characterized as novel commercial activity, protecting computer systems against malicious attacks or alleged pranks becomes vital to both businesses and individuals because of potential economic disasters. In other words, because businesses and individuals are becoming more and more dependent upon computer systems that are integrated with the Internet, any interruptions in service or attacks on such computer systems could have devastating financial repercussions.
Attacks on computer systems that are integrated with the Internet typically include computer viruses, worms or Trojan horses. A computer virus is a broad term for a program that replicates itself. A virus can cause many different types of damage, such as deleting data files, erasing programs, or destroying everything found on a computer hard drive. Not every virus can cause damage; some viruses simply flash annoying messages on a computer screen. A virus can be received by downloading files from the Internet to a personal computer or through electronic mail.
Worms are programs designed to infect networks, such as the Internet. A worm travels from network to network replicating itself along the way. Trojan horses pretend to be a program that the user wishes to launch. A Trojan horse can be a program or file that disguises itself as normal, helpful programs or files, but in fact are viruses.
In addition to the above types of attacks, other computer incidents can include attacks against an Internet service provider (“ISP”) or any computer connected to the Internet. One of the most common attacks against an ISP or any computer connected to the Internet is called a Smurf attack. In a Smurf attack, a target, such as an ISP or a computer connected to the Internet, is flooded with many “garbage” packets so that all of the target's available bandwidth is used up and the target or customers of the target or both cannot send or receive data by using e-mail, browsing the web, or any other Internet service.
As noted above, the nature of a distributed network, such as the Internet, makes it vulnerable to attack. The Internet was designed to allow for the freest possible exchange of information, data, and files. However, this free exchange of information carries a price: some users will try to attack the Internet and computers connected to the Internet; others will try to invade other users' privacy and attempt to crack databases of sensitive information or snoop around for information as it travels across Internet routes.
Two conventional methods exist for protecting computer systems from attack. One is a static method, which forces customers to upgrade or add new software to the system as time passes. These upgrades are called patches and they repair flaws in the software which previously allowed attacks to enter the system. The second method is intercept call hooking, which provides localized protection from some attacks that are not known about in advance by looking for abnormal procedure calls at a computer in the system. However, both methods can stop functional software from functioning due to false positive determinations of an attack on the system. While prior intrusion detection systems (“IDS”) can detect attacks or make changes to security configurations of network computers and systems, these conventional systems do not have the capability to rapidly update the protection systems.
Accordingly, there is a need in the art for dynamically protecting a computer system from attacks via the Internet. That is, there is a need for a method and system for blocking attacks only against the components and hosts in the system which are vulnerable to such an attack. Furthermore, there is a need for correlating suspicious data packets received by a computer system against hosts or workstations that may be vulnerable to a particular type of attack to support the blocking of data packets for only the vulnerable hosts. A need also exists for a method and system capable of being updated with new attack nomenclature without having to modify files currently located on the system. Finally, a need exists for a method to quickly update a dynamic protection system to address attacks having catastrophic effects on the computer system.