The invention relates generally to the detection and remediation of software attacks. More specifically, and without limitation, the invention is related to a software based system that is transparent to a host device and which detects attacks directed to that device.
Researchers have long been concerned about software based attacks on computer systems and devices. These attacks, in the form of what is called “malware”, can serve various purposes such as surreptitiously collecting information from an attacked device, monitoring or interrupting communication flows via the attacked device, hijacking device or system resources, and even disabling the device and/or network. Examples of these types of security threats, which can be network borne, include traditional threats such as a virus, a trojan, and a worm. Traditional detection and remediation techniques ultimately rely on the ability to determine the “signature” of such malware and construct a remediation response that detects an attack by looking for that signature and then undertaking some responsive action. Because the system must first determine the signature of a particular form of malware, at least one, if not multiple, attacks will have succeeded before the attack can be analyzed to determine that signature.
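The dependence on a known signature described above can be made concrete with a small scanner. The following is an added example, not part of the patent text: it keeps a constructed signature database (a whole-file hash and a byte pattern), scans constructed byte strings standing in for samples, and shows that a trivially altered variant matches nothing until it has been analyzed and its signature added, which is the ordering problem the paragraph describes.

```python
"""Added example (not from the patent): a minimal signature-based scanner.
All samples and signatures below are constructed, not real malware."""
import hashlib

# Constructed "known malware" sample and two signatures derived from it:
# a whole-file SHA-256 hash and a byte pattern taken from its body.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload-v1:" + b"\xde\xad\xbe\xef" * 4
SIGNATURE_DB = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "patterns": [b"payload-v1:"],
}


def scan(sample: bytes, db: dict = SIGNATURE_DB) -> list:
    """Return the names of the signatures that match `sample`.

    An empty list means the scanner has no basis to act, which is exactly
    the state it is in for any sample that has not yet been analyzed.
    """
    hits = []
    if hashlib.sha256(sample).hexdigest() in db["sha256"]:
        hits.append("sha256")
    for pat in db["patterns"]:
        if pat in sample:
            hits.append("pattern:" + pat.decode())
    return hits


def learn(sample: bytes, db: dict = SIGNATURE_DB) -> None:
    """Add a hash signature for a sample after it has been analyzed.

    In practice this step happens only after the sample has already been
    observed, i.e. after at least one attack has succeeded.
    """
    db["sha256"].add(hashlib.sha256(sample).hexdigest())


# A variant with a single marker change defeats both existing signatures.
VARIANT = KNOWN_SAMPLE.replace(b"payload-v1:", b"payload-v2:")

if __name__ == "__main__":
    print("known sample :", scan(KNOWN_SAMPLE))   # both signatures hit
    print("variant      :", scan(VARIANT))        # nothing hits
    learn(VARIANT)                                 # analysis after the fact
    print("variant later:", scan(VARIANT))        # hash now hits
```

The hash signature is the most brittle (any byte change defeats it); the pattern signature survives changes elsewhere in the file but not a change to the marker itself. Either way the database only grows after a sample has been seen, which is the gap the patent's behaviour-based approach is meant to close.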
In addition to the shortcomings of existing malware remediation techniques, the evolving complexity of these device and network security threats has created significant concerns. Specifically, network borne security threats are becoming more sophisticated and potentially more damaging. For example, some security researchers have begun to warn about the threat of malware referred to as rootkits. These malware attacks install themselves into the kernel of the operating system. In so doing they can bypass all of the current anti-virus, host and network intrusion detection sensors.
For example, in relation to one of the operating systems available from Microsoft, the rootkit malware is installed so as to bypass the IP protocol stack. Communications from this rootkit flow without being blocked by normal firewalls. Also, since the rootkit executes within the kernel of the operating system, there is no process or executable to be blocked by known anti-virus and anti-spyware software.
A need therefore exists for a software security arrangement and process that is capable of adapting to the changing malware landscape and which can address rootkit type malware. It would also be useful if a software security arrangement could detect and remedy new trojans and viruses that attempt to exploit the device or network, without having to rely on the traditional signature-based detection and remediation approaches.