Computer viruses, worms, trojans, hackers, key recovery attacks, malicious executables, probes, etc. are a menace to users of computers connected to public computer networks (such as the Internet) and/or private networks (such as corporate computer networks). In response to these threats, many computers are protected by antivirus software and firewalls. However, these preventative measures are not always adequate. For example, there have been many instances where worms and other attacks have taken advantage of a known vulnerability in computer software (e.g., in firewall technology) the day after the public became aware of the vulnerability. Because of such a rapid launch, the patch necessary to correct the vulnerability could not be deployed in time to prevent the attack. Similar, most antivirus software relies on updates to that software so that signatures of known viruses can be utilized to recognize threats. In the case of a “zero-day” worm or virus (e.g., a worm or virus that has just been launched), most computer systems are completely vulnerable to attack because no known patch or signature update has yet been made available.
Due to the level of malicious activity on the Internet, organizations are deploying mechanisms for detecting and responding to new attacks or suspicious activity, sometimes referred to as intrusion prevention systems. However, a problem with these defense mechanisms is their inability to mount a reliable, targeted, and adaptive response to attacks. This problem is magnified when exploits are delivered by previously unseen inputs, such as zero-day attacks. A typical network defense system often includes a network-based intrusion detection system and a packet filtering firewall. Such a system has shortcomings that make it difficult for the defense system to identify, characterize, and effectively respond to new attacks.
Because intrusion detection systems passively classify information, intrusion detection systems can detect attacks but cannot respond to these attacks. Both signature-based and anomaly-based approaches that are used by intrusion detection systems to classify information merely warn that an attack may have occurred. Attack prevention is a task that is often left to a firewall, and it is usually accomplished by string matching the signatures of known malicious content or dropping packets according to site policy. Furthermore, signature matching large amounts of network traffic often requires specialized hardware and presumes the existence of accurate signatures, which often are not available. In addition, encrypted and tunneled network traffic poses a number of problems for both firewalls and intrusion detection systems as this type of traffic may inherently avoid some of their detection mechanisms. Even further, since neither intrusion detection systems nor firewalls know for sure how a packet is processed at an end host, they can make an incorrect decision.
In general, detection systems that rely solely on signatures cannot enable a defense against previously unseen attacks. On the other hand, anomaly-based classifiers can recognize new behavior, but are often unable to distinguish between previously unseen good behavior and previously unseen bad behavior. This blind spot results in a high false positive rate, even with extensively trained classifiers.
Accordingly, it is desirable to provide systems and methods that overcome these and other deficiencies of the prior art.