1. Field of the Invention
This invention generally relates to security of data processing systems. More specifically this invention relates to a method and apparatus for immunizing one or more computer systems in a network against attacks, as by computer viruses and the like, while preserving useful access to data.
2. Description of Related Art
Computer systems interconnect through various internal networks and external networks such as the Internet. At a given location, individual computers may connect to the Internet directly. In other locations, one or more individual computers, or users, may interconnect by means of an internal network to a server that connects to the Internet. Both types of systems are susceptible to damage by so-called “viruses”. Generally a virus is received as a program or piece of code that typically is part of a “message”.
A “message” can take many forms. In browser applications, a “message” may include one or more HTTP (HyperText Transfer Protocol) packets. An e-mail message may contain one or more POP (Post Office Protocol) or SMTP (Simple Mail Transfer Protocol) packets. An IM message will contain one or more packets according to any of several instant messaging protocols. A VOIP message will contain at least one VOIP (Voice over Internet Telephone) packet.
A virus-infected message generally corrupts data by replicating itself in a receiving party's, or “recipient's” computer system or by transmitting itself across a network even bypassing firewalls and other security systems. In the following discussion the phrase “corrupting message” refers to any message that can corrupt the contents of one or more files or otherwise disrupt operations in a computer system.
Companies like Symantec Corporation and McAfee, Inc. have developed virus detection programs. A virus detection program typically resides on the same hard disk that receives the messages. Such a program compares an incoming message with a set of conditions, often called “definitions” or “signatures,” that define known viruses. If an incoming message meets one of these conditions, it is presumed to be a corrupting message and is isolated by being deleted or by being placed in quarantine. As described above, the incoming message is processed in the same memory as other programs. As an alternative, it is possible to use a sacrificial machine as a destination for each incoming message. For example, U.S. Pat. No. 5,842,002 (1998) to Schnurer et al. discloses a virus trapping device that detects and eliminates computer viruses before they enter a computer system. More specifically, the trapping device creates a virtual world that simulates a host computer system and is designed to fool a computer virus into thinking it is present on a host or target system. Any disruptive behavior occurring within the simulated host computer system is detected and enables the system to remove the virus from the data stream before it is delivered to the host.
U.S. Pat. No. 6,901,519 (2005) to Stewart et al. discloses an e-mail virus immunization system and method that utilizes a sacrificial server. Incoming e-mail messages are forwarded to the sacrificial server where they are converted to non-executable format and sent to the recipient. The sacrificial server can then be checked for virus activity. If any attachments are found to be suspicious, they are also stripped and presented to the recipient.
U.S. Pat. No. 6,931,552 (2005) to Pritchard et al. discloses a host personal computer and a separate sacrificial VTS (Virus Trap computer System) machine. The VTS machine is a separate computer system that receives all communications that are directed to a host personal computer. The VTS machine detects intrusions and includes a virus detector. If a virus is detected, the entire VTS machine is sacrificed and then restored from a secure memory.
Drawbacks characterize each of these systems. First, certain of the foregoing and other approaches to the detection of viruses and prevention of corruption require a priori knowledge of a virus. Thus the system that receives a “yet to be defined” or “new” virus may process a corrupting message with adverse results notwithstanding having tested the message for a virus. This potential for processing of corrupting messages by a given system continues for an indefinite number of days until the virus has been identified and a definition has been transferred to the virus detection system in that given system. A corrupting message that fails to be detected is called a “false negative” message.
Second, virus detection systems are subject to identifying non-corrupted messages as being infected. Any such message is called a “false positive” message. A “false positive” message exists when a virus detection system detects a non-corrupting message as a corrupting message because the non-corrupting message accidentally meets a virus detection condition. In many situations the “false positive” message is lost to the recipient even though the message in fact contains no virus.
What is needed is a method and apparatus that is easy to implement that: (1) allows known valid messages to pass to the recipient's computer system, (2) immunizes computer systems in a network from the adverse impacts of false positive and false negative messages, and (3) permits the recipient controlled, safe access to those messages that are not deemed to be valid, including false positive messages, for the purpose of viewing and/or manipulating such messages.
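As an added illustration (not code from the patent or any of the cited systems), the following Python models the signature-only detection described above, shows how it produces a false positive and a false negative, and then applies the three requirements just listed: known valid messages pass, everything else is quarantined rather than deleted, and a quarantined message remains readable through a non-executable rendering. The signatures, addresses and message contents are constructed.

```python
from dataclasses import dataclass

# Constructed virus "definitions": byte patterns a signature scanner looks for.
SIGNATURES = {
    "toy-macro": b"AutoOpen",
    "toy-dropper": b"WScript.Shell",
}

@dataclass
class Message:
    msg_id: str
    sender: str
    body: bytes
    attachment: bytes = b""

def matches_signature(msg: Message):
    """Signature-only detection: name of the first definition found, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in msg.body or pattern in msg.attachment:
            return name
    return None

def evaluate(messages, truly_corrupting):
    """Count false positives and false negatives of signature-only detection
    against ground truth (a set of msg_ids known to be corrupting)."""
    fp = fn = 0
    for msg in messages:
        flagged = matches_signature(msg) is not None
        corrupting = msg.msg_id in truly_corrupting
        fp += int(flagged and not corrupting)
        fn += int(corrupting and not flagged)
    return fp, fn

def triage(msg: Message, known_valid_senders):
    """Only known-valid, signature-clean messages pass untouched; anything
    else (including a false positive) is quarantined, never deleted."""
    if msg.sender in known_valid_senders and matches_signature(msg) is None:
        return "pass"
    return "quarantine"

def safe_view(msg: Message) -> str:
    """Non-executable rendering of a quarantined message: text only, attachment stripped."""
    return msg.body.decode("ascii", errors="replace")

# Constructed sample traffic (not real malware).
MESSAGES = [
    Message("m1", "alice@example.com", b"Lunch at noon?"),
    Message("m2", "docs@example.com", b"Tip: avoid AutoOpen macros in shared files."),  # benign text hits a definition
    Message("m3", "stranger@example.net", b"Invoice attached", b"NEWFAMILY-PAYLOAD"),  # "new" virus, no definition yet
]
TRULY_CORRUPTING = {"m3"}
KNOWN_VALID = {"alice@example.com", "docs@example.com"}
```

Running `evaluate(MESSAGES, TRULY_CORRUPTING)` gives one false positive (m2) and one false negative (m3), while `triage` still quarantines both and `safe_view` keeps the false positive readable.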