WO2000070464A1 - Object oriented security analysis tool - Google Patents


Info

Publication number
WO2000070464A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
agent
network
computers
security
Application number
PCT/US2000/012725
Other languages
French (fr)
Inventor
Bruce G. Barnett
Michael J. Hartman
Stephen F. Bush
V. Paul Staudinger
Original Assignee
L-3 Communications Corporation
Application filed by L-3 Communications Corporation
Priority to AU48334/00A
Publication of WO2000070464A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • This invention relates to computer data networks. More particularly, the invention relates to systems and methods for recognizing and reporting security threats on a computer data network.
  • the present invention satisfies these needs in the art by providing systems and methods for recognizing security threats on a data network comprising a plurality of computers.
  • the present invention is implemented in hardware and/or software as an object oriented security analysis tool installed in each of the plurality of computers.
  • the systems and methods of the present invention comprise: designating one of the plurality of computers as a control computer; installing and running a controller on the control computer; and installing and running an agent on each of the plurality of computers.
  • Each agent continuously monitors data on the computer on which it is installed to determine whether a security threat exists on the network. If the agent determines that a security threat exists, the agent communicates to the controller that a security threat exists, and the controller notifies a network administrator.
  • Figure 1 depicts a system according to the present invention for recognizing security threats on a data network.
  • Figure 2 provides an object model of a preferred embodiment of a system according to the present invention.
  • object oriented computing environments have been the subject of much investigation and interest in state of the art data processing environments. Object oriented programming has experienced growing popularity with application developers primarily due to the ability of this type of programming to reuse code.
  • object oriented computing environments are made up of a large number of "objects.”
  • An object in an object oriented environment consists of related pieces of code and data. More specifically, an object comprises a data structure, also referred to as a "frame,” and a set of operations or functions, also referred to as “methods,” that can access the data structure.
  • the frame has a plurality of "slots,” each of which contains an "attribute” of the data in the slot.
  • the attribute can be a primitive (e.g., an integer or string), or an object reference (i.e., a pointer to another object).
  • the object generally has a library of methods that are unique to the object and give the object its specific characteristics.
  • the "class" of an object defines a grouping based on one or more properties, and an "instance” is a single item in a class.
  • a class could be considered as analogous to professions, e.g., engineers, lawyers, doctors, etc., with an instance being analogous to a particular individual in a class.
  • An object will usually be manifested in a plurality of instances. Each instance contains the particular data structure for a particular example of the object.
  • a class defines methods for constructing new instances.
  • “Instance variables” define the particular features of an instance, such as an individual's salary might be a feature of one of the instances in the example discussed above. These instance variables may be defined or may be empty, i.e., awaiting definition.
  • An instance's data structure is described by its collection of instance variables. Pointers are used to point to a structure in object form.
  • data is processed by requesting an object to perform one of its methods by sending the object a "message.”
  • the receiving object responds to the message by choosing the method that implements the message name, executing this method on the named instance, and returning control to the calling high level routine along with the results of the method.
  • a class defines instance methods which define how an instance behaves and reacts to incoming messages.
  • the external computing environment can be a conventional, functionally programmed, computing environment, or it may be another object oriented computing environment. Typical interfaces between an object oriented environment and an external environment may include an interactive host user interface, a batch interface, a remote work station user interface, or other well known interfaces between computing environments.
  • an interface is typically defined and generated between the object oriented computing environment and the external computing environment.
  • the interface typically includes mechanisms for validating the imported and exported data, and for converting the imported and exported data to a form that is usable by the importing or exporting system.
  • Figure 1 depicts a system 10 according to the present invention for recognizing security threats on a data network.
  • a distributed computer data network comprises a plurality of computers 20, 22, 24 interconnected to one another via a communications network 30.
  • Communications network 30 can be, for example, a local area network (LAN), a wide area network (WAN), an intranet, or the Internet. Computers 20, 22, 24 are capable of communicating with one another using agreed-upon protocols.
  • an object oriented security tool is installed on the network for the purpose of monitoring the computers on the network to recognize whether a security violation has occurred or could occur, i.e., whether a security threat exists on the network.
  • An agent 12 is installed on each monitored computer 20, 24 and is continuously active thereon.
  • a "centralized system," or controller 14, is installed on a control computer 20 (which is selected from among the computers on the network).
  • the controller 14 communicates with each of the agents 12, and, in a preferred embodiment, transfers software updates to the agents 12 to keep them current. In this way, the controller 14 prevents the agents 12 from becoming obsolete.
  • the controller 14 also maintains a database of information about the monitored computers 20, 24 based on an object model. Figure 2 provides an object model of a preferred embodiment of a system according to the present invention.
  • the object model includes classes of objects and the relationships between objects. It should be understood that the object model shown in Figure 2 is but one embodiment of the present invention, and that variations and modifications can be made thereto without departing from the spirit and scope of the present invention.
  • An object class describes one or more objects which correspond to hardware and software related information.
  • the class of "Host" describes certain characteristics of the monitored computers, or hosts, as well as routines used to query and change those characteristics.
  • there are one or more sets of information, where each set of information corresponds to one object, or instance of that object. In this case, there is a set of information that describes one monitored computer on the network with a particular host name.
  • an object oriented security tool comprises the following plurality of object classes. Not all classes are required for every algorithm.
  • Object class "Host" 40 includes instances of monitored computers on the network.
  • Object class "Account" 42 includes a description of a user on a monitored computer.
  • Object class "File" 44 includes a computer file on a monitored computer.
  • Object class "Directory" 46 includes a file directory on a monitored computer.
  • Object class "OS" 48 includes a particular operating system from a vendor, including revision number.
  • Object class "Patch" 50 includes a package from the vendor to upgrade the operating system.
  • Object class "Signature" 52 includes a unique representation for a file, to verify that the file is the one expected. It uses cryptographic techniques to identify each file, i.e., a one-way hash of the contents of the file.
  • Object class "Vulnerability" 54 includes a description of a mechanism where the privileges of one account can access another.
  • Object class "Service" 56 includes a description of a particular function on a monitored computer that can be controlled by modifying the configuration of the monitored computer.
  • Object class "Policy" 58 includes a description of a policy that protects monitored computers from threats, and is enforced by enabling, disabling, or modifying particular services on a monitored computer.
  • Object class "Function" 60 includes a description of the function that a service has that is used to find alternate services that can provide the same function.
  • Object class "Threat" 62 includes a particular attack mechanism that can be used to break into a monitored computer. By enforcing particular policies, threats can be neutralized.
  • a system includes a mechanism to "browse" the data by traversing the relationships between individual objects. That is, given one object (e.g., a host), the system provides a way to find all related objects of another class. If the class is Accounts, for example, the system can find all accounts “belonging" to a particular host.
  • the traversal from one object to another can be two-directional. Assume that one host has a relationship to many accounts, i.e., there is a one-to-many relationship between object class Host and object class Account. Given an account, it is possible to find the host on which the account resides (in this case, for example, each account resides on only one host).
  • the host-to-many-accounts relationship is the only relationship between these two particular objects; therefore, there is no need to name it.
  • the vulnerability object however, has two relationships between the object Vulnerability and the object Account. A mechanism is needed, therefore, to distinguish between these two relationships. In this case, the two relationships are called Attacker and Victim.
  • a fixed number of object classes is used, such as the list described above.
  • a meta-model is used so that any object class, as well as any set of relationships, can be specified. This alternate embodiment allows the classes to be defined and modified at run time.
  • the agents continuously monitor, and gather information from, the plurality of monitored computers, and consolidate all of the information into a centralized database maintained by the controller.
  • Multiple databases can be organized in a hierarchical fashion, allowing for systems to be responsible for sub-groups.
  • the database contains information about each individual instance of an object (e.g., each account on each system), and also includes information that links individual objects to other objects.
  • each vulnerability object can be associated with three other objects. The first indicates the account that is attacked. The second indicates the account that can attack the first account. The third is a file that is used for this attack, called a vector.
  • each vulnerability object has two references to account objects, and one to a file object. Standard algorithms to gather information are known; however, the output is typically a list form, and the data is not integrated.
  • the system of the present invention integrates the information by using instances of objects. Once the database is constructed (which can be done by using several algorithms, in any order), and information is gathered and merged, other algorithms can be used to browse the database.
  • class1 -> class2 -> class3 will be used in the discussion below to indicate that information about a particular instance of an object of type "class1" is used to get a set of references to related objects of type "class2". These in turn are used to retrieve a set of objects of type "class3".
  • a preferred embodiment of the present invention can use cached data when retrieving information from remote sites. Conversely, if information is needed, and missing, the system can retrieve it, and the algorithm does not need to know this is happening.
  • Modification Detection
  • the software can be used to monitor the integrity of each file on the system, so tampering can be detected. This is done as follows:
  • the host type (Host) is retrieved, and the operating system type (OS) is learned. From this a list of suitable patches (Patches) is retrieved, and from this, a list of files (Files) is obtained.
  • Each file has a signature that gives the hash of the file.
  • the agent calculates the hash of the file, and returns information indicating whether the hash is correct. If so, the correct version is present. Otherwise, the file is incorrect, and the system can determine whether a patch has been applied.
  • the relationships traversed during this algorithm are Host -> OS -> Patches -> Files -> Signatures.
  • Remote Patch Maintenance
  • the system can report all of the accounts that a particular account can access. It can be used, therefore, to determine whether a particular account is a security risk. By working backward, it is easy to learn which accounts can access a particular account. This can be used in threat analysis.
  • Another algorithm can analyze a large number of chains, and determine the vulnerabilities that permit the largest number of attacks.
  • a fourth can identify the fewest number of cuts necessary to break a chain into two pieces, protecting a particular account. This can be considered a way to verify that an "air gap" exists between sections.
  • An "air gap" is a separation between two systems. In this case, an air gap between two machines indicates that if one machine has been compromised, the other one is not necessarily compromised. If a vulnerability connected two machines, no air gap is present, and it is possible for an intruder to gain access to the other machine through the vulnerability.
  • Policy Verification
  • Intrusion Detection
  • An intrusion detection system can report which systems seem to be infected, by noticing unusual behavior. By querying the database, a system can identify which services a set of machines have in common, and therefore identify the vector used to spread a viral attack on a network of computers. The relationship traversal would be Host -> Service -> Policy -> Threat.
  • the system can identify other systems that are vulnerable to the same attack, by searching for systems with the same services and the same architecture.
  • a security manager can then disable the vulnerable services, and only the vulnerable services, to keep the systems up and running while under attack.
  • the traversal could be Threat -> Policy -> Service -> Host.
  • the network administrator of a system under attack either ignores the attack, or shuts down the entire system.
  • if the attack mechanism is known to be the mail service, this system can ask each system running the mail service to disable it, allowing the systems to remain functional, without allowing the attack to spread.
  • a similar algorithm can be used to disable only those systems with a particular version of a service. For example, a particular version of the mail service might have a vulnerability. All systems with this version can be identified, and then the services can be disabled.
  • the object traversal might be: Signature -> OS -> Host -> Service -> File. Once the file is identified, it can be disabled, removed, fixed, etc.
  • Dynamic Repair
  • a system under attack can be asked to disable all services, using the following traversal: Host -> Service, and asking each service to shut down.
  • the system can then kill all of the running processes except for the critical subset needed to complete the task.
  • the system can examine each file and directory for improper modification. If the file is the wrong version, it can be replaced. Then the system can enable some or all of the services, by reversing the first procedure. This will bring a system under attack back to being operational.
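The Modification Detection traversal (Host -> OS -> Patches -> Files -> Signatures) and the Intrusion Detection traversals (Host -> Service -> Policy -> Threat, then Threat -> Policy -> Service -> Host) described in the items above, worked as an added Python example. This is example code written for this page, not the patent's implementation: the dataclass shapes, SHA-256 as the one-way hash behind the Signature class, the per-host `root` directory the agent reads files from, and the sample hosts, file contents, service names and threat names are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    digest: str              # hex SHA-256 of the expected contents (the one-way hash)

@dataclass
class File:
    path: str                # relative to the host's filesystem root
    signature: Signature

@dataclass
class Patch:
    name: str
    files: list              # File instances the patch installs

@dataclass
class OS:
    name: str
    patches: list            # Patch instances that apply to this OS

@dataclass
class Policy:
    name: str
    neutralizes: str         # name of the Threat this policy protects against

@dataclass
class Service:
    name: str
    policies: list           # Policy instances enforced by configuring this service
    enabled: bool = True

@dataclass
class Host:
    name: str
    os: OS
    services: list           # Service instances running on this host
    root: str = "/"          # directory the agent reads this host's files from

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_patch_files(host):
    """Modification Detection: Host -> OS -> Patches -> Files -> Signatures.
    The agent re-hashes each file on disk and compares it with the stored
    Signature. Returns {path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for patch in host.os.patches:
        for f in patch.files:
            full = os.path.join(host.root, f.path)
            if not os.path.isfile(full):
                report[f.path] = "missing"
            elif sha256_of(full) == f.signature.digest:
                report[f.path] = "ok"        # the expected (patched) version is present
            else:
                report[f.path] = "modified"  # tampered, or the patch was never applied
    return report

def common_threat_vectors(infected):
    """Intrusion Detection: Host -> Service -> Policy -> Threat. Returns the services
    every infected host has in common and the threats their policies address."""
    if not infected:
        return set(), set()
    common = set.intersection(*({s.name for s in h.services} for h in infected))
    threats = {p.neutralizes for h in infected for s in h.services
               if s.name in common for p in s.policies}
    return common, threats

def isolate_threat(threat, hosts):
    """Threat -> Policy -> Service -> Host: disable only the service whose policy
    neutralizes the threat, and only on the hosts that run it. Returns what changed."""
    changed = []
    for h in hosts:
        for s in h.services:
            if s.enabled and any(p.neutralizes == threat for p in s.policies):
                s.enabled = False
                changed.append((h.name, s.name))
    return changed

def build_demo():
    """Constructed sample: the patched sendmail on 'beta' has been tampered with;
    'gamma' has no copy of it and does not run the mail service."""
    expected = b"#!/bin/sh\nexec /usr/lib/sendmail.real \"$@\"\n"
    roots = {n: tempfile.mkdtemp(prefix=n + "-") for n in ("alpha", "beta", "gamma")}
    for name, content in (("alpha", expected), ("beta", expected + b"# implant\n")):
        os.makedirs(os.path.join(roots[name], "usr/sbin"))
        with open(os.path.join(roots[name], "usr/sbin/sendmail"), "wb") as fh:
            fh.write(content)
    sig = Signature(hashlib.sha256(expected).hexdigest())
    unix = OS("Unix 4.2", [Patch("sendmail-fix", [File("usr/sbin/sendmail", sig)])])
    def mail(): return Service("mail", [Policy("disable-mail", "mail-worm")])
    def web(): return Service("web", [Policy("disable-web", "cgi-exploit")])
    return [Host("alpha", unix, [mail(), web()], roots["alpha"]),
            Host("beta", unix, [mail(), Service("dns", [])], roots["beta"]),
            Host("gamma", unix, [web()], roots["gamma"])]
```

The three outcomes of verify_patch_files are the ones a practitioner needs to separate: "ok" (the patched version is present), "modified" (either tampering or a patch that was never applied, which the hash alone cannot distinguish) and "missing". With alpha and beta reported as infected, common_threat_vectors narrows the shared vector to the mail service, and isolate_threat disables only that service and only on the hosts running it: alpha's web service and everything on gamma keep running, which is the point the items above make about not shutting down the entire system.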

Abstract

Apparatus and methods for recognizing security threats on a data network (30) are disclosed. The invention can be implemented in hardware or software as an object oriented security analysis tool installed in each of the plurality of computers (20, 22, 24). The apparatus and methods of the present invention include designating one of the plurality of computers as a control computer (20), and installing and running an agent (12) on each of the plurality of computers (20, 22, 24). Each agent (12) monitors the computer on which it is installed to determine whether a security threat exists. If the agent (12) detects that a security threat exists, the agent (12) communicates to the controller (14) that a security threat exists.

Description

OBJECT ORIENTED SECURITY ANALYSIS TOOL
Field of the Invention
This invention relates to computer data networks. More particularly, the invention relates to systems and methods for recognizing and reporting security threats on a computer data network.
Background of the Invention
Computer network security is a growing source of concern for businesses, especially for businesses that provide network services as a primary product. Current commercial security packages and services are costly and their effectiveness is not clearly understood. More precisely, security is implemented by policies, which often conflict with certain conveniences and functionality. Managers that set policies often do not understand the impact on functionality and potential threats. Security tools are known in the art, but these tools are often unsuitable for certain applications. Typically, these security tools do not allow the integration of information from multiple sources. Some tools are not suitable for use with distributed networks. Others are hard to install. Still others cannot be upgraded remotely and, therefore, can be hard to maintain. As more computers are added to a computer data network, security software that is capable of recognizing security threats on the network becomes more difficult to implement. In general, network security is not well understood. A primary reason for this is that few security checking programs actually measure security, i.e., recognize and grade security threats on the computers or systems being monitored. The tools merely provide a list of security threats, but fail to provide a way to determine whether security is getting better or worse.
Thus, there is a need in the art for the ability to easily and precisely understand the security vulnerabilities of a computer data network and the manner in which security safeguards strengthen those weaknesses.
Summary of the Invention
The present invention satisfies these needs in the art by providing systems and methods for recognizing security threats on a data network comprising a plurality of computers. Preferably, the present invention is implemented in hardware and/or software as an object oriented security analysis tool installed in each of the plurality of computers. The systems and methods of the present invention comprise: designating one of the plurality of computers as a control computer; installing and running a controller on the control computer; and installing and running an agent on each of the plurality of computers. Each agent continuously monitors data on the computer on which it is installed to determine whether a security threat exists on the network. If the agent determines that a security threat exists, the agent communicates to the controller that a security threat exists, and the controller notifies a network administrator.
Brief Description of the Drawings
The foregoing summary, as well as the following detailed description of the preferred embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, there is shown in the drawings an embodiment that is presently preferred, it being understood, however, that the invention is not limited to the specific methods and instrumentalities disclosed.
Figure 1 depicts a system according to the present invention for recognizing security threats on a data network.
Figure 2 provides an object model of a preferred embodiment of a system according to the present invention.
Detailed Description of Preferred Embodiments
Object oriented programming systems and processes, also referred to as
"object oriented computing environments," have been the subject of much investigation and interest in state of the art data processing environments. Object oriented programming has experienced growing popularity with application developers primarily due to the ability of this type of programming to reuse code.
As is well known to those having skill in the art, object oriented computing environments are made up of a large number of "objects." An object in an object oriented environment consists of related pieces of code and data. More specifically, an object comprises a data structure, also referred to as a "frame," and a set of operations or functions, also referred to as "methods," that can access the data structure. The frame has a plurality of "slots," each of which contains an "attribute" of the data in the slot. The attribute can be a primitive (e.g., an integer or string), or an object reference (i.e., a pointer to another object). The object generally has a library of methods that are unique to the object and give the object its specific characteristics.
The "class" of an object defines a grouping based on one or more properties, and an "instance" is a single item in a class. For purposes of illustration, a class could be considered as analogous to professions, e.g., engineers, lawyers, doctors, etc., with an instance being analogous to a particular individual in a class. An object will usually be manifested in a plurality of instances. Each instance contains the particular data structure for a particular example of the object. A class defines methods for constructing new instances. "Instance variables" define the particular features of an instance, such as an individual's salary might be a feature of one of the instances in the example discussed above. These instance variables may be defined or may be empty, i.e., awaiting definition. An instance's data structure is described by its collection of instance variables. Pointers are used to point to a structure in object form.
In an object oriented computing environment, data is processed by requesting an object to perform one of its methods by sending the object a "message." The receiving object responds to the message by choosing the method that implements the message name, executing this method on the named instance, and returning control to the calling high level routine along with the results of the method. A class defines instance methods which define how an instance behaves and reacts to incoming messages.
In some computer systems, it is important to allow import and export of data between the object oriented computing environment and an external computing environment. The external computing environment can be a conventional, functionally programmed, computing environment, or it may be another object oriented computing environment. Typical interfaces between an object oriented environment and an external environment may include an interactive host user interface, a batch interface, a remote work station user interface, or other well known interfaces between computing environments. In importing and exporting data between an object oriented computing environment and an external computing environment, an interface is typically defined and generated between the object oriented computing environment and the external computing environment. The interface typically includes mechanisms for validating the imported and exported data, and for converting the imported and exported data to a form that is usable by the importing or exporting system.
Object Oriented Security Analysis Tool
Figure 1 depicts a system 10 according to the present invention for recognizing security threats on a data network. A distributed computer data network comprises a plurality of computers 20, 22, 24 interconnected to one another via a communications network 30. Communications network 30 can be, for example, a local area network (LAN), a wide area network (WAN), an intranet, or the Internet. Computers 20, 22, 24 are capable of communicating with one another using agreed-upon protocols. In a preferred embodiment of the present invention, an object oriented security tool is installed on the network for the purpose of monitoring the computers on the network to recognize whether a security violation has occurred or could occur, i.e., whether a security threat exists on the network.
An agent 12 is installed on each monitored computer 20, 24 and is continuously active thereon. A "centralized system," or controller 14, is installed on a control computer 20 (which is selected from among the computers on the network). The controller 14 communicates with each of the agents 12, and, in a preferred embodiment, transfers software updates to the agents 12 to keep them current. In this way, the controller 14 prevents the agents 12 from becoming obsolete.
The controller 14 also maintains a database of information about the monitored computers 20, 24 based on an object model. Figure 2 provides an object model of a preferred embodiment of a system according to the present invention. The object model includes classes of objects and the relationships between objects. It should be understood that the object model shown in Figure 2 is but one embodiment of the present invention, and that variations and modifications can be made thereto without departing from the spirit and scope of the present invention. An object class describes one or more objects which correspond to hardware and software related information. For example, the class of "Host" describes certain characteristics of the monitored computers, or hosts, as well as routines used to query and change those characteristics. In the Host class, there are one or more sets of information, where each set of information corresponds to one object, or instance of that object. In this case, there is a set of information that describes one monitored computer on the network with a particular host name.
In a preferred embodiment, an object oriented security tool according to the present invention comprises the following plurality of object classes. Not all classes are required for every algorithm. Object class "Host" 40 includes instances of monitored computers on the network. Object class "Account" 42 includes a description of a user on a monitored computer. Object class "File" 44 includes a computer file on a monitored computer. Object class "Directory" 46 includes a file directory on a monitored computer.
Object class "OS" 48 includes a particular operating system from a vendor, including revision number. Object class "Patch" 50 includes a package from the vendor to upgrade the operating system. Object class "Signature" 52 includes a unique representation for a file, to verify that the file is the one expected. It uses cryptographic techniques to identify each file, i.e., a one-way hash of the contents of the file.
Object class "Vulnerability" 54 includes a description of a mechanism where the privileges of one account can access another. Object class "Service" 56 includes a description of a particular function on a monitored computer that can be controlled by modifying the configuration of the monitored computer. Object class "Policy" 58 includes a description of a policy that protects monitored computers from threats, and is enforced by enabling, disabling, or modifying particular services on a monitored computer.
Object class "Function" 60 includes a description of the function that a service has that is used to find alternate services that can provide the same function. Object class "Threat" 62 includes a particular attack mechanism that can be used to break into a monitored computer. By enforcing particular policies, threats can be neutralized.
In a preferred embodiment, a system according to the present invention includes a mechanism to "browse" the data by traversing the relationships between individual objects. That is, given one object (e.g., a host), the system provides a way to find all related objects of another class. If the class is Accounts, for example, the system can find all accounts "belonging" to a particular host. The traversal from one object to another can be two-directional. Assume that one host has a relationship to many accounts, i.e., there is a one-to-many relationship between object class Host and object class Account. Given an account, it is possible to find the host on which the account resides (in this case, for example, each account resides on only one host). Conversely, it is possible to find all of the accounts that reside on a host (there are many accounts on the host). This relationship may or may not be named. The host-to-many-accounts relationship is the only relationship between these two particular objects; therefore, there is no need to name it. The vulnerability object, however, has two relationships between the object Vulnerability and the object Account. A mechanism is needed, therefore, to distinguish between these two relationships. In this case, the two relationships are called Attacker and Victim.
There are two currently preferred embodiments of the present invention. In one embodiment a fixed number of object classes is used, such as the list described above. In an alternate embodiment, a meta-model is used so that any object class, as well as any set of relationships, can be specified. This alternate embodiment allows the classes to be defined and modified at run time.
The agents continuously monitor, and gather information from, the plurality of monitored computers, and consolidate all of the information into a centralized database maintained by the controller. Multiple databases can be organized in a hierarchical fashion, allowing for systems to be responsible for sub-groups.
The database contains information about each individual instance of an object (e.g., each account on each system), and also includes information that links individual objects to other objects. For example, each vulnerability object can be associated with three other objects. The first indicates the account that is attacked. The second indicates the account that can attack the first account. The third is a file that is used for this attack, called a vector. In this example, each vulnerability object has two references to account objects and one to a file object. Standard algorithms for gathering this information are known; however, their output is typically in list form, and the data is not integrated. The system of the present invention integrates the information by using instances of objects. Once the database is constructed (which can be done by using several algorithms, in any order), and information is gathered and merged, other algorithms can be used to browse the database. The following notation, "Class1 --> Class2 --> Class3," will be used in the discussion below to indicate that information about a particular instance of an object of type "Class1" is used to get a set of references to related objects of type "Class2". These in turn are used to retrieve a set of objects of type "Class3".
For performance reasons, a preferred embodiment of the present invention can use cached data when retrieving information from remote sites. If information is needed and missing, the system retrieves it transparently; the algorithm that requested it does not need to know this is happening.
The following discussion describes several algorithms that traverse the objects in the database by using the relationships between objects. Each algorithm provides a unique function, and the inventors do not know of any other system that can implement any of these functions. In a preferred embodiment of the present invention, however, only one such function need be implemented. Many of the potential algorithms are discussed for the sake of completeness, although the algorithms that can be used with the present invention are not limited to those discussed. Using object-model-based technology allows additional algorithms to be implemented easily, and every one of them relies on the data that the core system holds; it is therefore important to protect the core system.

Modification Detection
The software can be used to monitor the integrity of each file on the system, so that tampering can be detected. This is done as follows. The host type (Host) is retrieved, and the operating system type (OS) is learned. From this a list of suitable patches (Patches) is retrieved, and from this, a list of files (Files) is obtained. Each file has a signature that gives the hash of the file. The agent then calculates the hash of the file as it exists on the host, and returns information indicating whether the hash is correct. If so, the correct version is present. Otherwise, the file is incorrect, and the system can determine whether a patch has been applied. The relationships traversed during this algorithm are Host --> OS --> Patches --> Files --> Signatures.

Remote Patch Maintenance
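The Host --> OS --> Patches --> Files --> Signatures traversal that the modification-detection algorithm above and remote patch maintenance share, as an added Python example that is not code from the patent. The catalogue (which patches apply to an operating system, which files each patch ships, and the expected hash of each file) is constructed for the example, as are the file contents written to a temporary directory; keeping the pre-patch hash next to the patched one, so that an unpatched file can be told apart from a tampered one, is an assumption of the example rather than something the description specifies.

```python
# Added example, not from the patent: the Host --> OS --> Patches --> Files --> Signatures
# traversal run against files on disk. Catalogue contents and file names are constructed.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Agent-side step: hash the file as it actually exists on the monitored host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def H(data):
    return hashlib.sha256(data).hexdigest()


# Constructed catalogue: OS --> Patches, then Patch --> Files --> Signatures. The "previous"
# hash (pre-patch version) is an assumption that lets a mismatch be classified.
PATCHES_BY_OS = {"exampleos-1.0": ["PATCH-001", "PATCH-002", "PATCH-003"]}
PATCH_FILES = {
    "PATCH-001": {"bin/login": {"patched": H(b"login v2\n"), "previous": H(b"login v1\n")}},
    "PATCH-002": {"etc/inetd.conf": {"patched": H(b"# hardened inetd.conf\n"),
                                     "previous": H(b"# stock inetd.conf\n")}},
    "PATCH-003": {"bin/su": {"patched": H(b"su v2\n"), "previous": H(b"su v1\n")}},
}


def classify(actual, signature):
    if actual is None:
        return "missing"
    if actual == signature["patched"]:
        return "patched"
    if actual == signature["previous"]:
        return "unpatched"
    return "tampered"      # matches no known version: a modification has been detected


def check_host(root, os_name):
    """Traverse Host --> OS --> Patches --> Files --> Signatures for one host whose file
    system is rooted at `root`; returns {patch_id: {file: status}}."""
    report = {}
    for patch in PATCHES_BY_OS[os_name]:
        files = {}
        for rel, sig in PATCH_FILES[patch].items():
            path = os.path.join(root, rel)
            actual = sha256_of(path) if os.path.isfile(path) else None
            files[rel] = classify(actual, sig)
        report[patch] = files
    return report


def patches_to_apply(report):
    """Remote patch maintenance: patches whose files are still at the pre-patch version."""
    return sorted(p for p, files in report.items() if "unpatched" in files.values())


def tampered_files(report):
    """Modification detection: files that match no known version."""
    return sorted(f for files in report.values() for f, s in files.items() if s == "tampered")


def make_host_tree(contents):
    """Write constructed file contents under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, data in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    host = make_host_tree({"bin/login": b"login v2\n",                 # patched
                           "etc/inetd.conf": b"# stock inetd.conf\n",  # not yet patched
                           "bin/su": b"su v2 + backdoor\n"})           # matches nothing
    rep = check_host(host, "exampleos-1.0")
    print(rep)
    print("push:", patches_to_apply(rep), " investigate:", tampered_files(rep))
```

The hash is computed by the agent on the monitored host, so a host that has already been compromised can return whatever hash it likes; that is why the description's remark about protecting the core system matters here, and why the catalogue of signatures should be held by the controller rather than fetched from the host being checked.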
Remote patch maintenance traverses the same chain of objects, Host --> OS --> Patches --> Files --> Signatures. From this, a system can be tested to see whether all of the patches have been applied. If not, the missing patch can be identified. In a preferred embodiment, the patch is optionally transferred to the remote system and installed.

Vulnerability Chains
By following a chain of vulnerabilities, it is possible to determine which accounts are vulnerable to attack. The data traversal might be Account1 --> Vulnerability1 --> Account2 --> Vulnerability2 --> Account3, although the chain can be much longer.
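The chain traversal just described, together with the analyses the next paragraph lists (working backwards from a victim to the accounts that can reach it, finding the vulnerability that permits the most chains, and counting the fewest vulnerabilities that must be cut to put an air gap between two accounts), as an added Python example that is not code from the patent. The class and relationship names Host, Account, Vulnerability, Attacker, Victim and the vector file follow the description; the three hosts, six accounts, seven vulnerabilities and their vector files are constructed for the example, and the minimum cut is computed with a unit-capacity max-flow, which the description does not prescribe.

```python
# Added example, not from the patent: an object model with bidirectional, named relationships
# (Attacker / Victim) and the vulnerability-chain analyses. All sample data is constructed.
from collections import deque

class Host:
    def __init__(self, name):
        self.name, self.accounts = name, []        # Host --> Account: one-to-many, unnamed

class Account:
    def __init__(self, host, name):
        self.host, self.name = host, name          # Account --> Host back-reference
        host.accounts.append(self)
        self.as_attacker = []                      # vulnerabilities whose Attacker is this account
        self.as_victim = []                        # vulnerabilities whose Victim is this account

class Vulnerability:
    """Two named relationships to Account (Attacker, Victim) and the File used as the vector."""
    def __init__(self, vid, attacker, victim, vector):
        self.id, self.attacker, self.victim, self.vector = vid, attacker, victim, vector
        attacker.as_attacker.append(self)
        victim.as_victim.append(self)

def closure(start, forward=True):
    """forward: every account `start` can reach; backward: every account that can reach it."""
    seen, queue = set(), deque([start])
    while queue:
        a = queue.popleft()
        for v in (a.as_attacker if forward else a.as_victim):
            nxt = v.victim if forward else v.attacker
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def chains(src, dst):
    """Every simple chain Account --> Vulnerability --> Account ... from src to dst."""
    found, stack = [], [(src, [], {src})]
    while stack:
        a, path, visited = stack.pop()
        for v in a.as_attacker:
            if v.victim is dst:
                found.append(path + [v])
            elif v.victim not in visited:
                stack.append((v.victim, path + [v], visited | {v.victim}))
    return found

def most_used(chain_list):
    """The vulnerability that permits the largest number of chains."""
    counts = {}
    for chain in chain_list:
        for v in chain:
            counts[v.id] = counts.get(v.id, 0) + 1
    return max(counts, key=counts.get) if counts else None

def min_cut(src, dst):
    """Fewest vulnerabilities to remove so dst is unreachable from src (Edmonds-Karp max-flow,
    one unit of capacity per vulnerability); 0 means an air gap already exists."""
    cap, stack, seen = {}, [src], {src}
    while stack:                                   # residual graph over everything src reaches
        a = stack.pop()
        for v in a.as_attacker:
            cap[(a, v.victim)] = cap.get((a, v.victim), 0) + 1
            cap.setdefault((v.victim, a), 0)
            if v.victim not in seen:
                seen.add(v.victim)
                stack.append(v.victim)
    flow = 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:         # breadth-first search for an augmenting path
            u = queue.popleft()
            for (a, b), c in cap.items():
                if a is u and c > 0 and b not in parent:
                    parent[b] = u
                    queue.append(b)
        if dst not in parent:
            return flow
        v = dst
        while parent[v] is not None:               # push one unit of flow along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

def build_sample():
    """Constructed data: three hosts, six accounts, seven vulnerabilities."""
    web, db, admin = Host("web"), Host("db"), Host("admin")
    acct = {n: Account(h, n) for n, h in [("www", web), ("root@web", web), ("guest", db),
                                           ("dba", db), ("root@db", db), ("ops", admin)]}
    for vid, att, vic, vector in [("V1", "www", "root@web", "/usr/bin/suidtool"),
                                  ("V2", "root@web", "dba", "/home/dba/.rhosts"),
                                  ("V3", "dba", "root@db", "/usr/local/bin/dbadmin"),
                                  ("V4", "www", "dba", "/etc/hosts.equiv"),
                                  ("V5", "root@web", "root@db", "/root/.rhosts"),
                                  ("V6", "www", "guest", "/etc/passwd"),
                                  ("V7", "guest", "dba", "/var/spool/cron/dba")]:
        Vulnerability(vid, acct[att], acct[vic], vector)
    return acct
```

With the sample data, `chains(acct["www"], acct["root@db"])` finds four chains, `most_used` reports V3 (the dba-to-root step that three of them pass through), `min_cut` reports that two vulnerabilities (V3 and V5) must be closed to isolate root@db from www, and `min_cut(acct["www"], acct["ops"])` returns 0, i.e., the admin host is already air-gapped from the web server's accounts.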
Once the chains have been identified and examined, the system can report all of the accounts that a particular account can access. It can be used, therefore, to determine whether a particular account is a security risk. By working backward, it is easy to learn which accounts can access a particular account; this can be used in threat analysis. Another algorithm can analyze a large number of chains and determine the vulnerabilities that permit the largest number of attacks. A fourth can identify the fewest number of cuts necessary to break a chain into two pieces, protecting a particular account. This can be considered a way to verify that an "air gap" exists between sections. An "air gap" is a separation between two systems. In this case, an air gap between two machines indicates that if one machine has been compromised, the other one is not necessarily compromised. If a vulnerability connects the two machines, no air gap is present, and it is possible for an intruder to gain access to the other machine through the vulnerability.

Policy Verification
By traversing the data in the direction File --> Service --> Policy --> Threat, it is possible to determine the threats to which particular systems are vulnerable. This can be used in an attack scenario, where potential weaknesses are analyzed and coordinated attacks are planned.

Policy Evaluation
This is a variation of the above algorithm in which the current policy is learned, enabling a manager to modify the policy to protect against threats. It will identify services that are in conflict with the policy. This algorithm can be used, therefore, to determine the effects of changing the security policy.

Policy Enforcement
By traversing the data in the direction Policy --> Service --> File, it is possible to determine which policies are being followed and which are not. If files are configured the wrong way, they can be modified to enforce the policy. This allows a site to set a policy and then enforce it automatically. It also allows someone who sets policy to see what functionality is lost by that policy. This algorithm therefore allows a non-technical person to understand the trade-offs between security, functionality, and convenience.

Genetic Variation
It is useful for a large site to be resilient to attacks. One way to do this is to permit variation among the different systems in a network. Some services may be optional, or have equivalent services. This is determined by understanding the relationship between services and functions. A function might be "remote access," for example, and multiple services can provide this function. Using this information, a system can make sure that variations exist across a series of machines. A policy manager can permit this variation and make sure it is enforced. If an attack does occur, this algorithm will have ensured that not every system is vulnerable in the same manner, because not every system runs exactly the same set of services. Redundant systems can be managed using this algorithm.

Intrusion Detection
An intrusion detection system can report which systems seem to be infected by noticing unusual behavior. By querying the database, a system can identify which services a set of machines have in common, and therefore identify the vector used to spread a viral attack on a network of computers. The relationship traversal would be Host --> Service --> Policy --> Threat.
If all infected systems (i.e., those systems identified because of anomalous action) have a single service in common, that service can be identified as the vector. If a set of services is involved, then the system can look for a common threat to which all of those services are vulnerable. Therefore the mechanism used to spread the virus can be identified, or eliminated by negative evidence.

Intrusion Detection Reaction
Once the vector has been identified by an intrusion detection system, the system can identify other systems that are vulnerable to the same attack by searching for systems with the same services and the same architecture. A security manager can then disable the vulnerable services, and only the vulnerable services, to keep the systems up and running while under attack. The traversal could be Threat --> Policy --> Service --> Host.
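An added Python example, not code from the patent, covering the service-level traversals of the preceding sections: identifying the vector from the services that the infected hosts have in common (Host --> Service --> Policy --> Threat, including the case where several services are shared and the case where nothing is shared), selecting only the exposed hosts and their configuration files for the reaction (Threat --> Policy --> Service --> Host, optionally narrowed to one service version or architecture as the next paragraph describes), listing running services that conflict with the policy and what disallowing a service would cost (Policy --> Service --> File), and the genetic-variation check that a function is not provided by one identical service everywhere. The host inventory, service names and versions, configuration file names, threat table, policy and function table are all constructed for the example; the description names none of them.

```python
# Added example, not from the patent. The inventory below stands in for what the agents
# would report; service names, versions, file names, threats and policy are all constructed.

# Host --> Service: service name -> (version, architecture, configuration file)
HOSTS = {
    "mail1": {"smtp": ("2.1", "x86", "/etc/mail/smtpd.conf"), "ssh": ("1.2", "x86", "/etc/sshd.conf")},
    "mail2": {"smtp": ("2.1", "sparc", "/etc/mail/smtpd.conf"), "telnet": ("1.0", "sparc", "/etc/inetd.conf")},
    "web1": {"http": ("1.3", "x86", "/etc/httpd.conf"), "smtp": ("2.0", "x86", "/etc/mail/smtpd.conf")},
    "ws1": {"ssh": ("1.2", "x86", "/etc/sshd.conf"), "finger": ("1.0", "x86", "/etc/inetd.conf")},
    "ws2": {"ssh": ("1.2", "sparc", "/etc/sshd.conf"), "finger": ("1.0", "sparc", "/etc/inetd.conf")},
}
# Service --> Policy --> Threat, collapsed to threat -> the services through which it spreads
THREATS = {"T-mailworm": {"smtp"}, "T-sshbrute": {"ssh"}, "T-inetdleak": {"finger", "ssh"}}
# Policy: the services the site allows to run
POLICY_ALLOWED = {"smtp", "ssh", "telnet", "http"}
# Function --> Service: equivalent services that each provide one function
FUNCTIONS = {"remote access": {"ssh", "telnet"}, "web": {"http", "https"}}


def common_services(infected):
    """Services that every infected host has in common."""
    return set.intersection(*(set(HOSTS[h]) for h in infected)) if infected else set()


def identify_vector(infected):
    """(vector service or None, candidate threats). A single common service is the vector;
    with several, look for a threat covering all of them; with none, the vector is eliminated."""
    common = common_services(infected)
    if len(common) == 1:
        (svc,) = common
        return svc, {t for t, svcs in THREATS.items() if svc in svcs}
    return None, {t for t, svcs in THREATS.items() if common and common <= svcs}


def exposed_hosts(service, version=None, arch=None):
    """Threat --> Policy --> Service --> Host, optionally only one version or architecture,
    so the service is disabled only where it is actually exposed."""
    out = []
    for host, svcs in HOSTS.items():
        if service in svcs:
            v, a, _ = svcs[service]
            if (version is None or v == version) and (arch is None or a == arch):
                out.append(host)
    return sorted(out)


def files_to_disable(service, version=None):
    """Service --> File: the configuration file to change on each exposed host."""
    return {h: HOSTS[h][service][2] for h in exposed_hosts(service, version)}


def policy_conflicts():
    """Policy --> Service --> Host: running services that the policy does not allow."""
    return sorted((h, s) for h, svcs in HOSTS.items() for s in svcs if s not in POLICY_ALLOWED)


def cost_of_disallowing(service):
    """Effect of a policy change: the hosts that lose the service and the threats it closes."""
    return {"hosts": exposed_hosts(service),
            "threats_closed": sorted(t for t, s in THREATS.items() if service in s)}


def lacks_variation():
    """Genetic variation: functions with alternatives for which every host uses the same one."""
    flagged = []
    for function, equivalents in FUNCTIONS.items():
        used = {s for svcs in HOSTS.values() for s in svcs if s in equivalents}
        if len(equivalents) > 1 and len(used) == 1:
            flagged.append(function)
    return sorted(flagged)


if __name__ == "__main__":
    print(identify_vector(["mail1", "mail2", "web1"]))   # one common service: the vector
    print(identify_vector(["ws1", "ws2"]))               # two common services: shared threat
    print(identify_vector(["web1", "ws1"]))              # nothing in common: negative evidence
    print(exposed_hosts("smtp", version="2.1"), files_to_disable("smtp"))
    print(policy_conflicts(), cost_of_disallowing("ssh"), lacks_variation())
```

The intersection step is only as good as the anomaly detector's list of infected hosts: one false positive with an unrelated service set empties the intersection and wrongly "eliminates" the real vector, so in practice the candidate set should be recomputed as hosts are confirmed or cleared rather than taken from a single snapshot.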
Currently, the network administrator of a system under attack either ignores the attack or shuts down the entire system. If the attack mechanism is known to be the mail service, this system can ask each system running the mail service to disable it, allowing the systems to remain functional without allowing the attack to spread. A similar algorithm can be used to disable only those systems with a particular version of a service. For example, a particular version of the mail service might have a vulnerability. All systems with this version can be identified, and then the service can be disabled on them. The object traversal might be Signature --> OS --> Host --> Service --> File. Once the file is identified, it can be disabled, removed, fixed, etc.

Dynamic Repair
A system under attack can be asked to disable all services, using the traversal Host --> Service and asking each service to shut down. The system can then kill all of the running processes except for the critical subset needed to complete the task. Then the system can examine each file and directory for improper modification. If a file is the wrong version, it can be replaced. Then the system can enable some or all of the services by reversing the first procedure. This will bring a system under attack back to being operational.
Those skilled in the art will appreciate that numerous changes and modifications may be made to the preferred embodiments of the invention and that such changes and modifications may be made without departing from the spirit of the invention. It is therefore intended that the appended claims cover all such equivalent variations as fall within the true spirit and scope of the invention.

Claims

WE CLAIM:
1. A method for recognizing security threats on a network comprising a plurality of computers, comprising designating a computer from the plurality of computers as a control computer, executing a controller on the control computer, and executing an agent on each of the plurality of computers, wherein each agent monitors the computer on which it is installed to determine whether a security threat exists on the network, and if a security threat exists, communicates to the controller that the security threat exists.
2. The method of claim 1, wherein the controller notifies a network administrator that the security threat exists.
3. The method of claim 1, wherein the agent determines whether the security threat exists on the network by determining whether a file has been modified on the computer on which the agent is installed.
4. The method of claim 1, wherein the agent determines whether the security threat exists on the network by determining whether a patch has been applied to a file on the computer on which the agent is installed.
5. The method of claim 1, wherein the agent determines whether the security threat exists on the network by determining whether an account on the computer is vulnerable to attack.
6. The method of claim 1, wherein each agent monitors the computer on which it is installed to determine threats to which the computer is vulnerable.
7. The method of claim 1, wherein each agent monitors the computer on which it is installed to determine a current security policy.
8. The method of claim 7, wherein each agent monitors the computer on which it is installed to determine effects of changing the current security policy.
9. The method of claim 7, wherein each agent monitors the computer on which it is installed to determine whether the current security policy is being enforced.
10. The method of claim 1, wherein each agent monitors the computer on which it is installed to identify a vector that can be used to spread a viral attack on the computers.
11. Apparatus for recognizing security threats on a network comprising a plurality of computers, comprising a controller, and a plurality of agents in communication with the controller, wherein each agent is installed on a respective computer of the plurality of computers, and monitors the computer on which it is installed to determine whether a security threat exists on the network, and if the agent detects that the security threat exists, the agent communicates to the controller that the security threat exists.
PCT/US2000/012725 1999-05-14 2000-05-09 Object oriented security analysis tool WO2000070464A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU48334/00A AU4833400A (en) 1999-05-14 2000-05-09 Object oriented security analysis tool

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US13409099P 1999-05-14 1999-05-14
US60/134,090 1999-05-14
US14431999P 1999-07-16 1999-07-16
US60/144,319 1999-07-16
US50602200A 2000-02-17 2000-02-17
US09/506,022 2000-02-17

Publications (1)

Publication Number Publication Date
WO2000070464A1 true WO2000070464A1 (en) 2000-11-23

Family

ID=27384520

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/012725 WO2000070464A1 (en) 1999-05-14 2000-05-09 Object oriented security analysis tool

Country Status (2)

Country Link
AU (1) AU4833400A (en)
WO (1) WO2000070464A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003098413A1 (en) * 2002-05-14 2003-11-27 Cisco Technology, Inc. Method and system for analyzing and addressing alarms from network intrusion detection systems
US7805762B2 (en) 2003-10-15 2010-09-28 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US7886357B2 (en) 2002-03-29 2011-02-08 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"INTERNET SCANNER USER GUIDE", INTERNET SCANNER USER GUIDE, XX, XX, 1 January 1997 (1997-01-01), XX, pages 01A - 01F + 01, XP002928589 *
FARMER D, SPAFFORD E H: "THE COPS SECURITY CHECKER SYSTEM", PURDUE UNIVERSITY TECHNICAL REPORT CSD-TR-993, XX, XX, 1 September 1991 (1991-09-01), XX, pages 01 - 14, XP002928590 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7886357B2 (en) 2002-03-29 2011-02-08 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
WO2003098413A1 (en) * 2002-05-14 2003-11-27 Cisco Technology, Inc. Method and system for analyzing and addressing alarms from network intrusion detection systems
CN100424609C (en) * 2002-05-14 2008-10-08 思科技术公司 Method and system for analyzing and addressing alarms from network intrusion detection systems
US7805762B2 (en) 2003-10-15 2010-09-28 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems

Also Published As

Publication number Publication date
AU4833400A (en) 2000-12-05

Similar Documents

Publication Publication Date Title
Jones et al. Computer system intrusion detection: A survey
US9602550B2 (en) Policy-based selection of remediation
JP6224173B2 (en) Method and apparatus for dealing with malware
US8336103B2 (en) Data structure for policy-based remediation selection
US6785821B1 (en) Intrusion detection system and method having dynamically loaded signatures
US8612398B2 (en) Clean store for operating system and software recovery
US8402546B2 (en) Estimating and visualizing security risk in information technology systems
US10614219B2 (en) Apparatus and method for locking and unlocking removable media for use inside and outside protected systems
Lunt Real-time intrusion detection.
WO2000070463A1 (en) Apparatus and methods for analyzing multiple network security vulnerabilities
EP3531324B1 (en) Identification process for suspicious activity patterns based on ancestry relationship
EP3531328B1 (en) Cardinality based activity pattern detection
US10990671B2 (en) System and method for implementing secure media exchange on a single board computer
WO2000070464A1 (en) Object oriented security analysis tool
Fonseca et al. Integrated intrusion detection in databases
Dong et al. An improved intrusion detection system based on Agent
Tomášek et al. Cloud-centric application tracing and user monitoring intrusion prevention system
Morris et al. PCPP: on remote host assessment via naive Bayesian classification
McLain et al. BATTLEFIELD INTRUSION DETECTION SYSTEM, VERSION 2=
Krügel et al. A mobile agent based intrusion detection system
CN113992337A (en) Information security management system of multi-information security software
Mwakalinga et al. Framework for Securing Mobile Software Agents

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP