§1.1 Field of the Invention
The present invention concerns detecting an infection in a host. In particular, the present invention concerns detecting malware infections in a host by passively observing and measuring host slowdown in responses to known network events.
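The field statement above describes passively comparing a host's response times to known network events against that host's own behaviour. The following Python is an added illustration of what such a comparison can look like; it is not code from the patent. The statistic (a median baseline with a median-absolute-deviation scale), the alert threshold, the requirement for several consecutive slow responses, and the sample timings are all assumptions made here for illustration; the patent text names none of them.

```python
"""Baseline-and-deviation check on a host's response latency to known network events.

Added example, not from the patent. Assumes a passive observer has already paired each
known event (e.g. a probe of a given type) with the host's reply and recorded the
response time in milliseconds. The robust statistic used here is an assumption.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class Observation:
    event_id: str       # label of the known network event type (assumed naming)
    response_ms: float  # measured host response time in milliseconds


def baseline(samples: List[float]) -> Tuple[float, float]:
    """Return (median, MAD) of a learning-phase sample set.

    MAD (median absolute deviation) is floored at 0.1 ms so a perfectly steady
    learning set cannot produce a zero scale and divide-by-zero scores.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, max(mad, 0.1)


def slowdown_score(x: float, med: float, mad: float) -> float:
    """How many MADs slower than its baseline this single response is (negative = faster)."""
    return (x - med) / mad


def detect_slowdown(learning: List[Observation], live: List[Observation],
                    threshold: float = 5.0, min_hits: int = 3) -> Dict[str, int]:
    """Flag event types whose live responses are persistently slower than the learned baseline.

    Returns {event_id: index into `live` of the response that completed `min_hits`
    consecutive over-threshold scores}. Requiring a run of slow replies keeps one
    jittery reply from raising an alert on its own.
    """
    # Learn one baseline per event type from the quiet period.
    per_event: Dict[str, List[float]] = {}
    for obs in learning:
        per_event.setdefault(obs.event_id, []).append(obs.response_ms)
    baselines = {eid: baseline(vals) for eid, vals in per_event.items()}

    alerts: Dict[str, int] = {}
    runs: Dict[str, int] = {}
    for i, obs in enumerate(live):
        if obs.event_id not in baselines or obs.event_id in alerts:
            continue  # unknown event type, or already flagged
        med, mad = baselines[obs.event_id]
        if slowdown_score(obs.response_ms, med, mad) > threshold:
            runs[obs.event_id] = runs.get(obs.event_id, 0) + 1
            if runs[obs.event_id] >= min_hits:
                alerts[obs.event_id] = i
        else:
            runs[obs.event_id] = 0
    return alerts


# Constructed sample timings (not measurements from any real host).
LEARNING = (
    [Observation("echo", v) for v in [10.1, 9.8, 10.3, 10.0, 9.9, 10.2, 10.1, 9.7, 10.0, 10.2]]
    + [Observation("syn", v) for v in [19.5, 20.0, 20.5, 20.1, 19.9, 20.2, 19.8, 20.0]]
)
LIVE = (
    [Observation("echo", v) for v in [10.0, 10.1, 9.9, 11.2, 11.0, 11.3, 11.1]]
    + [Observation("syn", v) for v in [20.1, 19.9, 20.0, 20.3, 19.8]]
)

if __name__ == "__main__":
    print(detect_slowdown(LEARNING, LIVE))  # only "echo" shows a sustained slowdown
```

In the constructed data the "echo" responses drift from about 10 ms to about 11 ms, roughly seven MADs above baseline, and the third consecutive slow reply raises the alert; the "syn" responses stay inside their learned spread and are not flagged. A deployment would also want to re-learn the baseline periodically and to separate load-induced slowdowns from the kind the patent is concerned with.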
§1.2 Background Information
Today, PCs and computer networks are vulnerable to attacks from a variety of globally distributed sources, which range in size and scope from large-scale international criminal organizations to individual hackers, and whose tactics continually evolve. The increasing prevalence of rootkit-type attacks confirms fears that attackers are using sophisticated techniques to hide malicious programs. The focus of malware infections has typically been to hide so-called trojans, spyware, or mass-circulation viruses and worms, and to infect as many systems as possible. This emerging breed of sophisticated malware instead seeks to ensure that it goes unnoticed on the host system, and to infect or re-infect other areas of the host system when needed.
These types of infections can later be used to install any malicious code to perform functions using the benefit of total concealment. For example, infected systems are often used as a SPAM platform.
Rootkits may find their way onto end user devices through known security holes in an operating system, by being downloaded with other programs, or any other common infection technique. Rootkits infect a host system by either replacing or attaching themselves to system components, thereby making their detection by the operating system extremely difficult.
Given the capability of rootkits to mask their activity, conventional scanning engines based on signatures of known bad files are often completely ineffective. In other words, a malware infection will often be totally stealthy and can remain for great lengths of time without being detected.
Unfortunately, to date, there are no established mechanisms that can reliably detect the presence of such malware once a computer has been infected with it. Therefore, it would be extremely useful to detect if and when a host computer is compromised (i.e., when the host computer is infected with malware).