Behavior-based host-based intrusion prevention system

Inactive Publication Date: 2004-07-22
SYMANTEC CORP

AI Technical Summary

Benefits of technology

[0025] FIG. 1 shows conventional perimeter security approaches.
[0026] FIG. 2 show

Problems solved by technology

There is a growing awareness that existing security infrastructure that guards the perimeter (e.g., firewalls) or uses signatures (e.g., anti-virus and intrusion detection) is no longer adequate protection against new and unknown attacks or hostile insiders.
Because of these mandates and the inability of perimeter security to protect applications and servers, critical computing resources are exposed to severe and frequent damage.
When a new attack appears (and all attacks are new and unknown at first) it slips past existing defenses (firewall, intrusion detection, and anti-virus software) and exploits some vulnerability in an application or operating system (e.g., buffer overflow) and then causes damage to critical computing resources.
In the case of a worm or virus, if a new attack propagates quickly, as many do (e.g., NIMDA, Melissa, I Love You), it damages thousands of servers before the defenses can be updated.
In addition to automated attacks, such as viruses and worms, there is a significant risk from malicious insiders.
Existing security products provide little defense against a malicious insider with legitimate privileges doing damage to servers.
Viruses, worms and hostile insiders cause substantial damage and loss of productivity and proprietary information and require each of the damaged servers to be repaired by reformatting, reconfiguring, recovering data or even replacing the server.
This type of defense does not account for damage caused from inside the network.
Many studies have shown that internal attacks account for a large percentage of damage.
Security, however, is not a top priority for application software vendors in today's market.
Market pressures force the vendors to deliver new features so rapidly that it is impossible to build software without inherent security flaws.
The requirements for today's applications are so complex that simply delivering a working product within deadlines is difficult.
The additional effort required to create a secure design and perform security testing is not practical.
Even if application vendors decided to make security a top priority for their products, there are significant barriers to developing secure applications.
Most software developers do not have the expertise to design and build secure software.
Additionally, secure applications are pointless without a secure foundation



Embodiment Construction

[0036] Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings.

1 TABLE OF CONTENTS
  • 1.0 Introduction
  • 2.0 Requirements for a successful behavioral-based firewall
  • 3.0 The APPFIRE .TM. Solution
  • 4.0 Architectural Overview
  • 4.1 APPFIRE .TM. Agent
  • 4.2 Management Infrastructure
  • 4.3 APPFIRE .TM. Manager
  • 4.4 The APPFIRE .TM. Enterprise Manager
  • 4.5 The APPFIRE .TM. Authoring Environment
  • 5.0 System Behavior Policies
  • 5.1 Modular Policy Definition
  • 5.2 Process Sets
  • 5.3 Behavior Control Descriptions (BCDs)
  • 5.4 The APPFIRE .TM. Profiler
  • 6.0 J2EE Application Server
  • 7.0 System resources access control
  • 8.0 Example--CodeRed worm
  • 9.0 APPFIRE .TM. Case Studies
  • 9.1 Protecting against Malicious Employees
  • 9.2 Protecting Custom Applications
  • 9.3 Protecting Public IIS Servers
  • 9.4 Managing Policy in Large Organizations
  • 9.5 Reducing the Time-Criticality of Patches

[0037] 1.0 Introduction

[0038] APPFIRE.TM. is an example of an ap...


Abstract

A method of protecting a system from attack that includes monitoring processes running on a system, identifying behavior of the processes and attributes of the processes, grouping the processes into process sets based on commonality of attributes, and generating behavior control descriptions for each process set.
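The profile-then-enforce loop the abstract describes, as an added illustration (not the patent's or Symantec's code): process attributes select the process set, a profiling phase records each set's observed behaviors as its behavior control description (BCD), and enforcement denies any behavior the BCD does not describe. The event fields, the grouping key (executable path plus account) and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    exe: str      # executable path (attribute used for grouping)
    user: str     # account the process runs as (attribute used for grouping)
    action: str   # observed behavior: "read", "write", "listen", "exec", ...
    target: str   # file path, network endpoint, or child executable


def process_set_key(ev):
    """Group processes by commonality of attributes (here: exe + user)."""
    return (ev.exe.lower(), ev.user.lower())


def build_bcds(profile_events):
    """Profiling phase: one BCD per process set, holding the
    (action, target) pairs observed for that set."""
    bcds = defaultdict(set)
    for ev in profile_events:
        bcds[process_set_key(ev)].add((ev.action, ev.target.lower()))
    return dict(bcds)


def decide(bcds, ev):
    """Enforcement phase: allow only behavior described in the set's BCD.
    A process with no profiled process set is denied by default."""
    bcd = bcds.get(process_set_key(ev))
    if bcd is None:
        return "deny"
    return "allow" if (ev.action, ev.target.lower()) in bcd else "deny"


# Constructed profile of a web-server process set (sample data, not real telemetry).
IIS = r"C:\WINNT\system32\inetsrv\inetinfo.exe"
PROFILE = [
    Event(1200, IIS, "SYSTEM", "read", r"C:\Inetpub\wwwroot\default.htm"),
    Event(1200, IIS, "SYSTEM", "listen", "tcp:80"),
    Event(1201, IIS, "SYSTEM", "write", r"C:\WINNT\system32\LogFiles\W3SVC1\ex.log"),
]
BCDS = build_bcds(PROFILE)

# Deviation: the same process set tries to launch a shell, which its BCD never described.
ANOMALY = Event(1200, IIS, "SYSTEM", "exec", r"C:\WINNT\system32\cmd.exe")
```

Because the BCD is a positive description of normal behavior rather than a signature, the shell launch is denied without any prior knowledge of the worm that would attempt it.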

Description

[0001] 1. Field of the Invention

[0002] The present invention relates to host-based protection, and more particularly, to host-based protection that prevents attacks based on application behavior.

[0003] 2. Related Art

[0004] There is a growing awareness that existing security infrastructure that guards the perimeter (e.g., firewalls) or uses signatures (e.g., anti-virus and intrusion detection) is no longer adequate protection against new and unknown attacks or hostile insiders. With the advent of the Internet and organizational mandates to open internal systems to customers, suppliers and partners, the concept of a perimeter has changed forever. Because of these mandates and the inability of perimeter security to protect applications and servers, critical computing resources are exposed to severe and frequent damage.

[0005] When a new attack appears (and all attacks are new and unknown at first) it slips past existing defenses (firewall, intrusion detection, and anti-virus software) a...


Application Information

IPC(8): G06F, G06F12/14, G06F21/00, H04L9/00, H04L9/32
CPC: G06F21/566, G06F21/316
Inventors: TAJALLI, HOMAYOON; GRAHAM, JEFFREY J.; FRASER, TIMOTHY J.
Owner SYMANTEC CORP