OBJECT ORIENTED SECURITY ANALYSIS TOOL
Field of the Invention
This invention relates to computer data networks. More particularly, the invention relates to systems and methods for recognizing and reporting security threats on a computer data network.
Background of the Invention
Computer network security is a growing source of concern for businesses, especially for businesses that provide network services as a primary product. Current commercial security packages and services are costly and their effectiveness is not clearly understood. More precisely, security is implemented by policies, which often conflict with certain conveniences and functionality. Managers that set policies often do not understand the impact on functionality and potential threats. Security tools are known in the art, but these tools are often unsuitable for certain applications. Typically, these security tools do not allow the integration of information from multiple sources. Some tools are not suitable for use with distributed networks. Others are hard to install. Still others cannot be upgraded remotely and, therefore, can be hard to maintain. As more computers are added to a computer data network, security software that is capable of recognizing security threats on the network becomes more difficult to implement. In general, network security is not well understood. A primary reason for this is that few security checking programs actually measure security, i.e., recognize and grade security threats on the computers or systems being monitored. The tools merely provide a list of security threats, but fail to provide a way to determine whether security is getting better or worse.
Thus, there is a need in the art for the ability to easily and precisely understand the security vulnerabilities of a computer data network and the manner in which security safeguards strengthen those weaknesses.
Summary of the Invention
The present invention satisfies these needs in the art by providing systems and methods for recognizing security threats on a data network comprising a plurality of computers. Preferably, the present invention is implemented in hardware and/or software as an object oriented security analysis tool installed in each of the plurality of computers. The systems and methods of the present invention comprise: designating one of the plurality of computers as a control computer; installing and running a controller on the control computer; and installing and running an agent on each of the plurality of computers. Each agent continuously monitors data on the computer on which it is installed to determine whether a security threat exists on the network. If the agent determines that a security threat exists, the agent communicates to the controller that a security threat exists, and the controller notifies a network administrator.
Brief Description of the Drawings
The foregoing summary, as well as the following detailed description of the preferred embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, there is shown in the drawings an embodiment that is presently preferred, it being understood, however, that the invention is not limited to the specific methods and instrumentalities disclosed.
Figure 1 depicts a system according to the present invention for recognizing security threats on a data network.
Figure 2 provides an object model of a preferred embodiment of a system according to the present invention.
Detailed Description of Preferred Embodiments
Object oriented programming systems and processes, also referred to as "object oriented computing environments," have been the subject of much investigation and interest in state of the art data processing environments. Object oriented programming has experienced growing popularity with application developers primarily due to the ability of this type of programming to reuse code.
As is well known to those having skill in the art, object oriented computing environments are made up of a large number of "objects." An object in an object oriented environment consists of related pieces of code and data. More specifically, an object comprises a data structure, also referred to as a "frame," and a set of operations or functions, also referred to as "methods," that can access the data structure. The frame has a plurality of "slots," each of which contains an "attribute" of the data in the slot. The attribute can be a primitive (e.g., an integer or string), or an object reference (i.e., a pointer to another object). The object generally has a library of methods that are unique to the object and give the object its specific characteristics.
The "class" of an object defines a grouping based on one or more properties, and an "instance" is a single item in a class. For purposes of illustration, a class could be considered as analogous to professions, e.g., engineers, lawyers, doctors, etc., with an instance being analogous to a particular individual in a class. An object will usually be manifested in a plurality of instances. Each instance contains the particular data structure for a particular example of the object. A class defines methods for constructing new instances. "Instance variables" define the particular features of an instance, such as an individual's salary might be a feature of one of the instances in the example discussed above. These instance variables may be defined or may be empty, i.e., awaiting definition. An instance's data structure is described by its collection of instance variables. Pointers are used to point to a structure in object form.
In an object oriented computing environment, data is processed by requesting an object to perform one of its methods by sending the object a "message." The receiving object responds to the message by choosing the method that implements the message name, executing this method on the named instance, and returning control to the calling high level routine along with the results of the method. A class defines instance methods which define how an instance behaves and reacts to incoming messages.
In some computer systems, it is important to allow import and export of data between the object oriented computing environment and an external computing environment. The external computing environment can be a conventional, functionally programmed, computing environment, or it may be another object oriented computing environment. Typical interfaces between an object oriented environment and an external environment may include an interactive host user interface, a batch interface, a remote work station user interface, or other well known interfaces between computing environments. In importing and exporting data between an object oriented computing environment and an external computing environment, an interface is typically defined and generated between the object oriented computing environment and the external computing environment. The interface typically includes mechanisms for validating the imported and exported data, and for converting the imported and exported data to a form that is usable by the importing or exporting system.
Object Oriented Security Analysis Tool
Figure 1 depicts a system 10 according to the present invention for recognizing security threats on a data network. A distributed computer data network comprises a plurality of computers 20, 22, 24 interconnected to one another via a communications network 30. Communications network 30 can be, for example, a local area network (LAN), a wide area network (WAN), an intranet, or the Internet. Computers 20, 22, 24 are capable of communicating with one another using agreed-upon protocols. In a preferred embodiment of the present invention, an object oriented security tool is installed on the network for the purpose of monitoring the computers on the network to recognize whether a security violation has occurred or could occur, i.e., whether a security threat exists on the network.
An agent 12 is installed on each monitored computer 20, 24 and is continuously active thereon. A "centralized system," or controller 14, is installed on a control computer 20 (which is selected from among the computers on the network). The controller 14 communicates with each of the agents 12, and, in a preferred embodiment, transfers software updates to the agents 12 to keep them current. In this way, the controller 14 prevents the agents 12 from becoming obsolete.
The controller 14 also maintains a database of information about the monitored computers 20, 24 based on an object model. Figure 2 provides an object model of a preferred embodiment of a system according to the present invention. The object model includes classes of objects and the relationships between objects. It should be understood that the object model shown in Figure 2 is but one embodiment of the present invention, and that variations and modifications can be made thereto without departing from the spirit and scope of the present invention. An object class describes one or more objects which correspond to hardware and software related information. For example, the class of "Host" describes certain characteristics of the monitored computers, or hosts, as well as routines used to query and change those characteristics. In the Host class, there are one or more sets of information, where each set of information corresponds to one object, or instance of that object. In this case, there is a set of information that describes one monitored computer on the network with a particular host name.
In a preferred embodiment, an object oriented security tool according to the present invention comprises the following plurality of object classes. Not all classes are required for every algorithm. Object class "Host" 40 includes instances of monitored computers on the network. Object class "Account" 42 includes a description of a user on a monitored computer. Object class "File" 44 includes a computer file on a monitored computer. Object class "Directory" 46 includes a file directory on a monitored computer.
Object class "OS" 48 includes a particular operating system from a vendor, including revision number. Object class "Patch" 50 includes a package from the vendor to upgrade the operating system. Object class "Signature" 52 includes a unique representation for a file, to verify that the file is the one expected. It uses cryptographic techniques to identify each file, i.e., a one-way hash of the contents of the file.
Object class "Vulnerability" 54 includes a description of a mechanism whereby the privileges of one account can access another. Object class "Service" 56 includes a description of a particular function on a monitored computer that can be controlled by modifying the configuration of the monitored computer. Object class "Policy" 58 includes a description of a policy that protects monitored computers from threats, and is enforced by enabling, disabling, or modifying particular services on a monitored computer.
Object class "Function" 60 includes a description of the function that a service has that is used to find alternate services that can provide the same function. Object class "Threat" 62 includes a particular attack mechanism that can be used to break into a monitored computer. By enforcing particular policies, threats can be neutralized.
In a preferred embodiment, a system according to the present invention includes a mechanism to "browse" the data by traversing the relationships between individual objects. That is, given one object (e.g., a host), the system provides a way to find all related objects of another class. If the class is Accounts, for example, the system can find all accounts "belonging" to a particular host. The traversal from one object to another can be two-directional. Assume that one host has a relationship to many accounts, i.e., there is a one-to-many relationship between object class Host and object class Account. Given an account, it is possible to find the host on which the account resides (in this case, for example, each account resides on only one host). Conversely, it is possible to find all of the accounts that reside on a host (there are many accounts on the host). This relationship may or may not be named. The host-to-many-accounts relationship is the only relationship between these two particular objects; therefore, there is no need to name it. The vulnerability object, however, has two relationships between the object Vulnerability and the object Account. A mechanism is needed, therefore, to distinguish between these two relationships. In this case, the two relationships are called Attacker and Victim.
There are two currently preferred embodiments of the present invention. In one embodiment a fixed number of object classes is used, such as the list described above. In an alternate embodiment, a meta-model is used so that any object class, as well as any set of relationships, can be specified. This alternate embodiment allows the classes to be defined and modified at run time.
The agents continuously monitor, and gather information from, the plurality of monitored computers, and consolidate all of the information into a centralized database maintained by the controller. Multiple databases can be organized in a hierarchical fashion, allowing for systems to be responsible for sub-groups.
The database contains information about each individual instance of an object (e.g., each account on each system), and also includes information that links individual objects to other objects. For example, each vulnerability object can be associated with three other objects. The first indicates the account that is attacked. The second indicates the account that can attack the first account. The third is a file that is used for this attack, called a vector. In this example, each vulnerability object has two references to account objects, and one to a file object. Standard algorithms to gather information are known; however, the output is typically a list form, and the data is not integrated. The system of the present invention integrates the information by using instances of objects. Once the database is constructed (which can be done by using several algorithms, in any order), and information is gathered and merged, other algorithms can be used to browse the database. The following notation, "class1 -> class2 -> class3," will be used in the discussion below to indicate that information about a particular instance of an object of type "class1" is used to get a set of references to related objects of type "class2". These in turn are used to retrieve a set of objects of type "class3".
For performance reasons, a preferred embodiment of the present invention can use cached data when retrieving information from remote sites. Conversely, if information is needed, and missing, the system can retrieve it, and the algorithm does not need to know this is happening.
The following discussion includes the descriptions of several algorithms that traverse the objects in the database by using the relationships between objects. Each algorithm provides a unique function, and the inventors do not know of any other system which can implement any of these functions. In a preferred embodiment of the present invention, however, only one such function is implemented. Many of the potential algorithms are discussed for the sake of completeness, although the algorithms that can be used with the present invention are not limited to those discussed. Using object model based technology allows more algorithms to be easily implemented. Therefore it is important to protect the core system.
Modification Detection
The software can be used to monitor the integrity of each file on the system, so tampering can be detected. This is done as follows. The host type (Host) is retrieved, and the operating system type (OS) is learned. From this a list of suitable patches (Patches) is retrieved, and from this, a list of files (Files) is obtained. Each file has a signature that gives the hash of the file. The agent then calculates the hash of the file, and returns information indicating whether the hash is correct. If so, the correct version is present. Otherwise, the file is incorrect, and the system can determine that a patch has been applied. The relationships traversed during this algorithm are Host -> OS -> Patches -> Files -> Signatures.
Remote Patch Maintenance
This is similar to the previous example, in that the following chain of objects can be traversed: Host -> OS -> Patches -> Files -> Signatures. From this, a system can be tested to see if all of the patches have been applied. If not, the patch can be identified. In a preferred embodiment, the patch is optionally transferred to the remote system and installed.
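The Modification Detection and Remote Patch Maintenance traversals above, as an added Python example that is not code from the patent: the object model is plain dataclasses, the host, OS name, patch ids, file paths and contents are constructed, and SHA-256 stands in for the unspecified one-way hash.

```python
"""Added example (not from the patent): the Host -> OS -> Patches -> Files ->
Signatures traversal behind Modification Detection and Remote Patch
Maintenance, with the object model as plain dataclasses.  Host, OS, patch and
file details below are constructed; a real agent would hash files on disk."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    algorithm: str
    digest: str               # hex one-way hash of the expected contents

@dataclass(frozen=True)
class File:
    path: str
    signature: Signature

@dataclass(frozen=True)
class Patch:
    patch_id: str
    files: tuple              # Files the patch installs

@dataclass(frozen=True)
class OS:
    name: str
    revision: str
    patches: tuple            # Patches suitable for this OS revision

@dataclass
class Host:
    hostname: str
    os: OS
    contents: dict            # path -> bytes; stands in for the file system

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_files(host):
    """Modification Detection: walk Host -> OS -> Patches -> Files ->
    Signatures and record, per file, whether the agent's hash matches."""
    report = {}
    for patch in host.os.patches:
        for f in patch.files:
            data = host.contents.get(f.path)
            if data is None:
                status = "missing"
            elif sha256_hex(data) == f.signature.digest:
                status = "ok"
            else:
                status = "mismatch"
            report[(patch.patch_id, f.path)] = status
    return report

def patches_to_install(host):
    """Remote Patch Maintenance: a patch counts as applied only when every
    file it ships is present with the expected signature."""
    return sorted({pid for (pid, _), st in check_files(host).items() if st != "ok"})

def build_sample_host():
    """Constructed host: patch P-001 fully applied, P-002 not."""
    login = b"#!/bin/sh\necho patched login\n"
    inetd = b"telnet stream tcp nowait root /usr/sbin/in.telnetd\n"
    sig = lambda data: Signature("sha256", sha256_hex(data))
    p1 = Patch("P-001", (File("/usr/bin/login", sig(login)),))
    p2 = Patch("P-002", (File("/etc/inetd.conf", sig(inetd)),
                         File("/usr/lib/libfoo.so", sig(b"fixed libfoo"))))
    # login is present and correct; inetd.conf was altered; libfoo is absent
    return Host("h1", OS("ExampleOS", "2.6", (p1, p2)),
                {"/usr/bin/login": login, "/etc/inetd.conf": inetd + b"extra\n"})
```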
Vulnerability Chains
By following a chain of vulnerabilities, it is possible to determine which accounts are vulnerable to attack. The data traversal might be Account1 -> Vulnerability1 -> Account2 -> Vulnerability2 -> Account3, although the chain can be much longer.
Once the chains have been identified, and examined, the system can report all of the accounts that a particular account can access. It can be used, therefore, to determine whether a particular account is a security risk. By working backward, it is easy to learn which accounts can access a particular account. This can be used in threat analysis. Another algorithm can analyze a large number of chains, and determine the vulnerabilities that permit the largest number of attacks. A fourth can identify the fewest number of cuts necessary to break a chain into two pieces, protecting a particular account. This can be considered a way to verify that an "air gap" exists between sections. An "air gap" is a separation between two systems. In this case, an air gap between two machines indicates that if one machine has been compromised, the other one is not necessarily compromised. If a vulnerability connected two machines, no air gap is present, and it is possible for an intruder to gain access to the other machine through the vulnerability.
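The chain algorithms above (forward reachability, working backward, ranking the vulnerabilities that appear in the most chains, and an air-gap check between two hosts) as an added Python example that is not the patent's own code; the accounts, hosts and vulnerability ids are constructed, and the minimum-cut algorithm is not shown.

```python
"""Added example (not from the patent): Vulnerability Chains over a small
constructed Account/Vulnerability graph. Each Vulnerability names its two
Account relationships, Attacker and Victim, as the text does; the accounts,
hosts and vulnerability ids are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    host: str

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    attacker: Account          # account whose privileges are abused
    victim: Account            # account that becomes reachable

def build_edges(vulns, backward=False):
    """Adjacency Account -> [(Account, Vulnerability)]; backward reverses it."""
    edges = defaultdict(list)
    for v in vulns:
        src, dst = (v.victim, v.attacker) if backward else (v.attacker, v.victim)
        edges[src].append((dst, v))
    return dict(edges)

def reachable(start, edges):
    """Breadth-first Account -> Vulnerability -> Account walk from start."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt, _ in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def chains_from(start, edges):
    """All simple chains starting at start, as lists of Vulnerability."""
    out = []
    def dfs(acct, path, visited):
        for nxt, v in edges.get(acct, ()):
            if nxt not in visited:
                out.append(path + [v])
                dfs(nxt, path + [v], visited | {nxt})
    dfs(start, [], {start})
    return out

def most_used_vulnerabilities(vulns):
    """Rank vulnerabilities by the number of chains (from any account) using
    them: the top entries permit the largest number of attacks."""
    fwd, counts = build_edges(vulns), defaultdict(int)
    for acct in fwd:
        for chain in chains_from(acct, fwd):
            for v in chain:
                counts[v.vuln_id] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def air_gap(host_a, host_b, vulns):
    """True when no chain links an account on host_a to one on host_b."""
    fwd = build_edges(vulns)
    for acct in fwd:
        if acct.host in (host_a, host_b):
            other = host_b if acct.host == host_a else host_a
            if any(r.host == other for r in reachable(acct, fwd)):
                return False
    return True

# Constructed sample: guest@h1 climbs to root@h1, then crosses to ops@h2.
GUEST1, WWW1, ROOT1 = Account("guest", "h1"), Account("www", "h1"), Account("root", "h1")
OPS2, ROOT2 = Account("ops", "h2"), Account("root", "h2")
VULNS = [Vulnerability("V1", GUEST1, WWW1), Vulnerability("V2", WWW1, ROOT1),
         Vulnerability("V3", ROOT1, OPS2), Vulnerability("V4", OPS2, ROOT2)]
```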
Policy Verification
By traversing the data in this direction, File -> Service -> Policy -> Threat, it is possible to determine the threats to which particular systems are vulnerable. This can be used in an attack scenario, where potential weaknesses are analyzed, and coordinated attacks are planned.
Policy Evaluation
This is a variation of the above algorithm wherein the current policy can be learned to enable a manager to modify the policy to protect against threats. This will identify services that are in conflict with the policy. This algorithm can be used, therefore, to determine the effects of changing the security policy.
Policy Enforcement
By traversing the data in this direction, Policy -> Service -> File, it is possible to determine which policies are being followed, and which are not. If files are configured the wrong way, they can be modified to enforce the policy. This allows a site to set a policy, and then automatically to enforce the policy. It also allows someone who sets policy to see what functionality is lost by that policy. Therefore, this algorithm allows someone who is non-technical to understand the trade-offs between security, functionality, and convenience.
Genetic Variation
It is useful for a large site to be resilient to attacks. One way to do this is to permit variation among the different systems in a network. Some services may be optional, or have equivalent services. This is determined by understanding the relationship between services and functions. A function might be "remote access," for example, and multiple services can provide this function. A system can make sure that variations exist across a series of machines using this information. A policy manager can permit this variation, and make sure it is enforced. If an attack does occur, this algorithm will make sure that not every system is vulnerable in the same manner, because not every system runs exactly the same set of services. Redundant systems can be managed using this algorithm.
Intrusion Detection
An intrusion detection system can report which systems seem to be infected, by noticing unusual behavior. By querying the database, a system can identify which services a set of machines have in common, and therefore identify the vector used to spread a viral attack on a network of computers. The relationship traversal would be Host -> Service -> Policy -> Threat.
If all infected systems (i.e., those systems identified because of anomalous action) have the same services, the vector can be identified as that service. If a set of services are involved, then the system can look for a common threat to which all services are vulnerable. Therefore the mechanism used to spread the virus can be identified, or eliminated by negative evidence.
Intrusion Detection Reaction
Once the vector has been identified by an intrusion detection system, the system can identify other systems that are vulnerable to the same attack, by searching for systems with the same services and the same architecture. A security manager can then disable the vulnerable services, and only the vulnerable services, to keep the systems up and running while under attack. The traversal could be Threat -> Policy -> Service -> Host.
Currently, the network administrator of a system under attack either ignores the attack, or shuts down the entire system. If the attack mechanism is known to be the mail service, this system can ask each system running the mail service to disable it, allowing the systems to remain functional, without allowing the attack to spread. A similar algorithm can be used to disable only those systems with a particular version of a service. For example, a particular version of the mail service might have a vulnerability. All systems with this version can be identified, and then the services can be disabled. The object traversal might be: Signature -> OS -> Host -> Service -> File. Once the file is identified, it can be disabled, removed, fixed, etc.
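The Intrusion Detection and Intrusion Detection Reaction traversals above, as an added Python example that is not part of the patent: the hosts, services, policies and threats form a constructed inventory with made-up names, and the reaction disables only the services exposed to the identified threat on hosts of the same architecture.

```python
"""Added example (not from the patent): the Intrusion Detection traversal
Host -> Service -> Policy -> Threat and the Reaction traversal Threat ->
Policy -> Service -> Host over a constructed inventory; all names are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str

@dataclass(frozen=True)
class Policy:
    name: str
    neutralizes: frozenset        # Threats this policy protects against

@dataclass(frozen=True)
class Service:
    name: str
    policies: frozenset           # Policies that govern this service

@dataclass
class Host:
    hostname: str
    arch: str
    services: dict                # enabled services, keyed by name

def threats_for(service):
    """Service -> Policy -> Threat: the threats a service is exposed to."""
    return {t for p in service.policies for t in p.neutralizes}

def identify_vector(infected):
    """Host -> Service -> Policy -> Threat over the infected hosts. Returns
    (service names they all run, threats shared by all of those services)."""
    common = set.intersection(*(set(h.services) for h in infected))
    if not common:
        return set(), set()
    shared = set.intersection(
        *(threats_for(infected[0].services[n]) for n in common))
    return common, shared

def exposed_services(host, threat):
    """Services on host whose governing policies address the threat."""
    return sorted(n for n, s in host.services.items() if threat in threats_for(s))

def react(hosts, threat, arch):
    """Threat -> Policy -> Service -> Host: on every host of the given
    architecture disable only the exposed services; returns what was cut."""
    disabled = {}
    for h in hosts:
        if h.arch != arch:
            continue
        names = exposed_services(h, threat)
        for n in names:
            del h.services[n]
        if names:
            disabled[h.hostname] = names
    return disabled

def build_inventory():
    """Constructed sample: smtp and pop3 share a flawed library (libfoo)."""
    worm, libflaw = Threat("mail_worm"), Threat("libfoo_overflow")
    relay = Policy("restrict_relay", frozenset({worm}))
    libfoo = Policy("patch_libfoo", frozenset({libflaw}))
    sshpol = Policy("ssh_lockout", frozenset({Threat("ssh_bruteforce")}))
    smtp = Service("smtp", frozenset({relay, libfoo}))
    pop3 = Service("pop3", frozenset({libfoo}))
    ssh, httpd = Service("ssh", frozenset({sshpol})), Service("httpd", frozenset())
    mk = lambda *svcs: {s.name: s for s in svcs}
    return [Host("h1", "sparc", mk(smtp, pop3, httpd)),
            Host("h2", "sparc", mk(smtp, pop3, ssh)),
            Host("h3", "sparc", mk(pop3, ssh)),
            Host("h4", "x86", mk(smtp, httpd))]
```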
Dynamic Repair
A system under attack can be asked to disable all services, using the following traversal: Host -> Service, and asking each service to shut down. The system can then kill all of the running processes except for the critical subset needed to complete the task. Then the system can examine each file and directory for improper modification. If the file is the wrong version, it can be replaced. Then the system can enable some or all of the services, by reversing the first procedure. This will bring a system under attack back to being operational.
Those skilled in the art will appreciate that numerous changes and modifications may be made to the preferred embodiments of the invention and that such changes and modifications may be made without departing from the spirit of the invention. It is therefore intended that the appended claims cover all such equivalent variations as fall within the true spirit and scope of the invention.