Unified Threat Management (UTM) at a gateway level is a network security practice, which has gained widespread currency as a primary network gateway defense solution for enterprises and other organizations. UTM can be thought of as the evolution of the traditional firewall into an inclusive, gateway level security product able to perform multiple security functions within a single network appliance located at the gateway between the enterprise level (private) network and the Internet (or other public wide area network). These security functions can include network firewalling, network intrusion prevention and anti-malware scanning, anti-spam processing, virtual private network (VPN), content filtering, load balancing, data leak prevention and on-appliance reporting.
Anti-malware and intrusion prevention scanning functionality is typically included in a UTM system on a gateway level device. These systems detect and block network threats and malware such as viruses, worms and Trojans before they enter the enterprise network, by scanning incoming files in the data flow and detecting known malware signatures in the files. As the term is used herein, a malware signature means a string of bits or binary pattern that identifies a known virus or other malware. It can be in the form of a hash (a number derived from a string of text), which, in its simplest form, is a statically calculated numerical value of a snippet of code unique to the malware. Malware signatures are sometimes also referred to as definitions or DAT files. Signature-based detection involves scanning files to detect malware signatures from a “dictionary” of known signatures. This can be effective, but cannot defend against malware unless samples have already been obtained and signatures created. Malware authors have tried to stay a step ahead of such scanning by writing viruses which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match malware signatures in the dictionary.
In some cases, generic malware signatures can be created that identify variants by accounting for slight variations of known malicious code in files. For example, virus researchers can identify common areas that all versions of malware in a given family share, and create a single generic signature for that family of malware. Such generic signatures often contain non-contiguous code, using wildcard characters where differences are present between variations, thereby allowing the scanner to detect viruses even if they are padded with extra, meaningless code.
Signature-based scanning by the UTM system can detect and block known viruses and other threats which have already been identified, and for which a signature has already been created and supplied to the UTM system. This is effective against known threats for which a signature exists, but it is possible for computers to be attacked by new malware which has not yet been identified or analyzed, and is not similar enough to known malware to be identified by a generic signature. A zero-day threat (sometimes called zero-hour or day zero) is an attack that exploits a previously unknown vulnerability in a computer application, or is otherwise not known prior to the attack, such that developers and computer security professionals have not had time to create a signature of the malware, or otherwise address and patch the vulnerability. It is called a “zero-day threat” because there have been zero days to fix the flaw, and thus a signature or patch is not yet available.
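The following is an added illustration of the three signature forms described above (a whole-file hash, an exact byte pattern, and a generic family signature with wildcards), written for this text rather than taken from it or from any UTM product. It scans a handful of constructed byte strings standing in for files crossing the gateway: the original sample, a padded copy, a family variant that differs only in the wildcarded bytes, and previously unseen code for which no signature exists yet. Every file, signature name and byte pattern is invented for the example; the hex-with-"??" notation is a common convention for generic signatures, not a specific product's format.

```python
"""Signature-based file scanner of the kind a gateway UTM applies to incoming files.

Added illustration, not code from the original document. All sample files,
signature names and byte patterns below are constructed for this example.
"""
import hashlib
import re

# Constructed stand-ins for files crossing the gateway (not real malware).
SAMPLE_FILES = {
    # Benign file: shares nothing with the signature dictionary.
    "clean.bin": b"\x7fELF" + b"hello world" * 4,
    # The sample the signatures were written from.
    "known_a.bin": b"MZ" + b"\x00" * 8 + b"\xde\xad\xbe\xef\x90\x90\xc3",
    # Same file with extra trailing bytes: only the whole-file hash changes.
    "known_a_padded.bin": b"MZ" + b"\x00" * 8 + b"\xde\xad\xbe\xef\x90\x90\xc3" + b"\x00" * 32,
    # Family member that differs in the two bytes the generic signature wildcards.
    "variant_b.bin": b"MZ" + b"\x00" * 8 + b"\xde\xad\xbe\xef\x41\x42\xc3",
    # Previously unseen code: no signature exists yet (the zero-day gap).
    "unknown.bin": b"MZ" + b"\x00" * 8 + b"\xca\xfe\xba\xbe\xc3",
}

# Hash signature: SHA-256 of the whole file, keyed to a detection name.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE_FILES["known_a.bin"]).hexdigest(): "Family.A",
}

# Exact byte-pattern signature: a contiguous snippet unique to one sample.
EXACT_SIGNATURES = {
    "Family.A": b"\xde\xad\xbe\xef\x90\x90\xc3",
}

# Generic signature in hex; "??" matches any single byte where variants differ.
GENERIC_SIGNATURES = {
    "Family.Generic": "deadbeef????c3",
}


def compile_generic(sig_hex):
    """Turn a hex signature with ?? wildcards into a compiled bytes regex."""
    if len(sig_hex) % 2:
        raise ValueError("signature must contain whole bytes")
    parts = []
    for i in range(0, len(sig_hex), 2):
        pair = sig_hex[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_GENERIC = {name: compile_generic(s) for name, s in GENERIC_SIGNATURES.items()}


def scan(data):
    """Return the list of signature hits for one file, most specific first."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append("hash:" + HASH_SIGNATURES[digest])
    for name, pattern in EXACT_SIGNATURES.items():
        if pattern in data:
            hits.append("exact:" + name)
    for name, regex in COMPILED_GENERIC.items():
        if regex.search(data):
            hits.append("generic:" + name)
    return hits


def gateway_decision(files=SAMPLE_FILES):
    """Block anything with at least one hit; pass everything else through."""
    return {name: ("block" if scan(data) else "pass") for name, data in files.items()}


if __name__ == "__main__":
    decisions = gateway_decision()
    for name, data in SAMPLE_FILES.items():
        print(f"{name:22} {decisions[name]:5} {scan(data)}")
```

Running the block shows the trade-off the text describes: the hash matches only the byte-identical sample, the exact pattern survives padding but not the in-family variant, the generic signature catches both, and the unseen file passes every check, which is exactly the case a gateway scanner cannot decide without a signature.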
Although zero-day threats cannot be detected by scanning files for known malware signatures, the behavior of a program can be monitored with behavior-based techniques to detect when the program performs actions or exhibits behavior indicative of malware. However, because files do not run at the gateway level, but only once they have reached the target endpoint device (e.g., the client or server within the private network), UTM systems cannot analyze the behavior of the files, and thus cannot detect malicious or suspicious behavior to identify zero-day threats such as a new malicious binary or shellcode. Instead, only an endpoint-based anti-malware product can detect a virus or network threat by its behavior, because the programs only run on the endpoints.
For this reason, conventional security network topology using UTM requires both the UTM system at the gateway level, to keep known threats out of the enterprise network altogether, and a separate, endpoint-based anti-malware software program residing on each computer in the network, to perform behavior-based detection so as to protect against zero-day threats. In order to infect a computer, the malware or network threat payload must pass through the UTM system at the gateway level, which is the first battle line of the enterprise. However, because the UTM system relies on existing signatures as explained above, it cannot detect zero-day threats for which no signature is yet known. These threats therefore arrive at the target endpoint computer, where, it is hoped, they will be detected by endpoint behavior-based anti-malware software, which is the second battle line. However, under this two-battle-line scenario, a zero-day attacker could attempt to target multiple machines in the same network, hoping that at least one of the computer users neglected to install or maintain their local endpoint software. Even if the endpoint security software is installed on every targeted endpoint, each targeted machine still needs to detect the threat separately, based on the behavior of the file, and separately take protective action to neutralize the detected threat. Even if this is successful, it consumes substantial computing resources at each separate computer on the network.
It would be desirable to address these issues.