WO2003021402A2 - Network security - Google Patents

Network security

Info

Publication number
WO2003021402A2
Authority
WO
WIPO (PCT)
Prior art keywords
computer
files
file
memory means
engine program
Prior art date
Application number
PCT/GB2002/004059
Other languages
English (en)
Other versions
WO2003021402A3 (fr)
Inventor
David John Duke
Original Assignee
Cryptic Software Limited
Priority date
Filing date
Publication date
Application filed by Cryptic Software Limited
Publication of WO2003021402A2
Publication of WO2003021402A3

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • the present invention relates to an arrangement for monitoring the security of a computer, especially computers on a network, and particularly individual devices and the information contained therein.
  • the present invention is based on a concept whereby a main memory holds a record of all files used by a local computer, is provided with update information on all existing files as well as all new files and determines whether the updated files or new files represent a security threat.
  • events are monitored and collected by an engine program and forwarded to the main memory.
  • the engine program itself consists of a single file which is arranged to run a program in parallel with the normal operating system of the local computer, thus making the file easier to hide so that the presence of the engine program will not be noticed either by the user or by a hacker.
  • the engine program has no noticeable effect on the system.
  • the main memory is provided by a central computer (hereafter referred to as the console) and the local computer communicates with the console over a network or in some other convenient manner.
  • the engine program monitors each and every file and, by inspecting preselected parts of each file, can create a highly compressed accurate image of the file which can then be transmitted to the central database. It will be appreciated that all files can be handled in this way. Consequently, when the term "file" is used we mean all files associated with the operating system, data, registries, directories, hardware, software and such like. In this way, a complete virtual image of a local computer can be stored within the central database, and the console can have management software for monitoring changes in the data files, programs or hardware of the local computer and thus warn of tampering with such files, programs and/or hardware.
  • the present invention provides a method of monitoring the security of a computer system comprising monitoring a file as it is created or updated by inspecting preselected portions of the file selected from the whole file, storing information derived from the preselected portions and transmitting the stored information to a main memory location.
  • the main memory location is preferably a central database of a network.
  • the present invention provides a method of improving the security of computer apparatus by providing two copies of a security program and interconnecting them such that as one is switched off, either deliberately or inadvertently, the other is automatically switched on and vice versa. It is to be understood that this aspect is not limited to any particular type of security program and is of general application. However, it has particular application with the present invention where the security program is relatively small and easy to hide.
  • Fig 1 shows a block diagram of a network according to the present invention;
  • Fig 2 shows a block diagram representing the main functions of an engine program arranged to be installed on each computer to be protected;
  • Fig 3 is a flow chart for explaining the operation of the engine program of Fig 1.
  • a central server 1 communicates via transmit/receive ports 2 with a number of local computers 3, each of which is provided with a monitoring engine program 4.
  • the central server is provided with a plurality of databases, namely an archive of threats database 5, a virtual image of each computer database 6 and an audit database 7.
  • the basis of the present embodiment is that a virtual copy of a local computer and all its files will be kept in memory at the database to the central server computer with each file having its own individual characteristics stored at the central computer.
  • the virtual copies are created by the small engine programs 4 loaded on the local computers 3, which monitor all files by inspecting preselected portions of the files in order to create a so-called "fingerprint" of each file which is in fact a highly compressed version of the file.
  • the fingerprint can then be very speedily forwarded to the central location where the current fingerprint can be compared with a previous fingerprint and any changes detected.
  • the changes are then evaluated by the central computer 1 in order to determine the level of threat, if any, to the security of the local computer system and an appropriate signal sent back from the central server to the local computer 3 in the event that a particular file should not be opened or a particular program should not be run. Simultaneously, an event is displayed at the central computer and/or forwarded to other programs.
  • by holding a virtual copy of the local computer and all its files, the central server can then monitor and log all changes to files, programs and/or hardware in order to provide evidence of breaches of security at the local computer.
  • biometric information can be gathered in real time and forwarded to the central database. For example, if an event is detected, a screen shot of the local computer is gathered for evidence and at the same time the engine program can gather biometric information such as a photograph of the user of the local computer.
  • the engine program is shown diagrammatically in Fig 2 where all file data is monitored at monitoring section 11 under the control of a program section 12 which determines which parts of the data will be sampled. The selected parts of the data are then stored as indicated at 14 in order to create a virtual compressed copy of the file data for transmission as indicated at 16.
  • the engine program is arranged to commence running as soon as the computer on which it is loaded is powered up.
  • the program then monitors all files as they are opened and in particular it monitors all changes to a file as indicated by the flow chart shown in Fig 3.
  • Each and every change is inspected in order to determine whether the change is the creation of a new file. It also determines whether the change is a valid change.
  • Each file is also checked by inspecting the file from a plurality of points of view by sampling predetermined portions of the file. This in turn creates a fingerprint or virtual copy of the file which is then assembled for transmission to a central database, either over the network or via some other communications link.
  • the predetermined portions of the file which the engine program inspects include the tag indicating whether or not the file is an executable. It also determines whether the file is a manipulated file, e.g. a zipped or encrypted file. It looks for the presence of capabilities such as keystroke logging, FTP server capability, IP notification, joystick controls, game libraries, etc.
  • the engine program has a memory capability 12 so that it can store instructions received from the central processor as described below and then carry out those instructions in the event that the fingerprint it has assembled of a file indicates that action is necessary.
  • the engine program can immediately kill the threat in view of the fact that it has the necessary instruction previously received from the central server. In certain circumstances, the file in question can be automatically dealt with.
  • a particular feature of the engine program is that it does not wait to be polled by a central computer. Rather, it itself generates a message for transmission to the central computer.
  • the engine program is immune to attack from a hacker because there is no "listening" port waiting for an incoming transmission. It is not until the engine program has communicated with the central server that a two-way communication is possible, and only after the engine program's communication with the central server can the central server transmit modified information to the engine program. However, the monitoring and modification of the files on the local computer occur in real time while the local computer is in operation, either by being started up or while the local computer is running programs. Further, the engine program can itself run other software in order to transmit and/or record data as a result of the detection of a particular event or change to a file. As an example of this, if the local computer is fitted with a web cam, should particular files be modified, the engine program can take a picture of the user of the machine at the appropriate time and correlate the event with the actual user as evidence for subsequent use.
  • the central server 1 contains a reception port 2 for receiving data transmitted from the local computer.
  • the central computer builds up a virtual picture of each local computer, its hardware, programs and files generally in its database 6.
  • the central server maintains a database 5 of all known security threats and viruses.
  • the central computer can monitor changes to hardware and software using the information in the database 7 and consequently know when a security breach might have taken place.
  • the central computer can log the event in question or signal the local computer to take the necessary action to provide evidence of the possible security breach, e.g. by taking a web cam picture as well as recording the user name and password.
  • Another sophisticated ability of the server is to construct a dynamic, accurate, focused detection formula which can be custom built to detect dynamically changing threats which avoid typical security fingerprinting techniques.
  • the central server can communicate back to the local computer in the event of a security breach or potential security breach or it can communicate with some other communications device such as a mobile telephone or personal digital assistant by sending an e-mail SMS or fax to indicate the existence of the security breach or potential security breach. In this way, users of portable computers could be warned of security breaches relating to their machine without the need to actually switch it on and establish communications with the central server.
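The sampled-portion fingerprint, the console's compare-against-virtual-image step and the push-only engine described above, as an added illustration; this is not the patent's code, and the sampled slice sizes, the magic-number tag table, the threat-archive entry and the sequence of file reports are all constructed here.

```python
import hashlib
from typing import Dict, List, Tuple

# Preselected portions (assumption): a header slice, a middle slice and the tail,
# plus the total length; sampling only these keeps the fingerprint small.
HEADER_BYTES = 64
MID_BYTES = 64
TAIL_BYTES = 64

# Tags derived from the header: executable formats and manipulated (packed) files
# (constructed lookup of common magic numbers).
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
PACKED_MAGIC = {b"PK\x03\x04": "zip"}


def fingerprint(path: str, data: bytes) -> Dict[str, object]:
    """Engine side: compact image of one file built from its sampled portions."""
    n = len(data)
    mid = n // 2
    sample = (data[:HEADER_BYTES]
              + data[max(0, mid - MID_BYTES // 2): mid + MID_BYTES // 2]
              + data[-TAIL_BYTES:])
    tags = [f"exec:{name}" for magic, name in EXEC_MAGIC.items() if data.startswith(magic)]
    tags += [f"packed:{name}" for magic, name in PACKED_MAGIC.items() if data.startswith(magic)]
    return {"path": path, "size": n, "tags": sorted(tags),
            "digest": hashlib.sha256(sample).hexdigest()}


class Console:
    """Central server: virtual image (database 6), threat archive (5), audit log (7)."""

    def __init__(self, threat_digests):
        self.virtual_image: Dict[str, Dict[str, object]] = {}
        self.threats = set(threat_digests)
        self.audit: List[Dict[str, object]] = []

    def handle(self, fp: Dict[str, object]) -> Dict[str, str]:
        """Evaluate one fingerprint pushed by an engine (the engine initiates the
        exchange; the console only answers) and return the instruction sent back."""
        prev = self.virtual_image.get(fp["path"])
        if prev is None:
            event = "new"
        elif prev["digest"] == fp["digest"] and prev["size"] == fp["size"]:
            event = "unchanged"
        else:
            event = "modified"
        if fp["digest"] in self.threats:
            action = "block"          # matches the archive of known threats
        elif event == "modified" and fp["tags"] != prev["tags"]:
            action = "quarantine"     # e.g. a data file that turned into an executable
        else:
            action = "allow"
        self.virtual_image[fp["path"]] = fp
        if event != "unchanged":
            self.audit.append({"path": fp["path"], "event": event, "action": action})
        return {"event": event, "action": action}


def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed sequence of engine reports; returns (path, event, action) per report."""
    known_bad = b"MZ" + b"EVIL" * 40                 # constructed sample in the threat archive
    console = Console({fingerprint("seed", known_bad)["digest"]})
    reports = [
        ("notes.txt", b"meeting notes\n" * 20),      # first sighting of the file
        ("notes.txt", b"meeting notes\n" * 20),      # nothing changed
        ("notes.txt", b"MZ" + b"\x00" * 200),        # same path now carries a PE header
        ("dropper.exe", known_bad),                  # known threat appears
    ]
    out = []
    for path, data in reports:
        reply = console.handle(fingerprint(path, data))
        out.append((path, reply["event"], reply["action"]))
    return out
```

Only the sampled slices are hashed, so two files that differ solely outside the preselected portions produce the same digest; that trade-off between fingerprint size and coverage is inherent to the scheme.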

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Multi Processors (AREA)
  • Computer And Data Communications (AREA)

Abstract

This invention relates to a computer network comprising a server computer and a plurality of local computers. Each local computer is provided with an engine program which monitors all files and peripherals and detects any change occurring in the files or in the configuration. The results of this monitoring are used to create compressed information relating to the files and peripherals, which is communicated to the server computer, which stores the prior information relating to the files and peripherals of the local computers. The server computer compares the information thus received with the stored information in order to detect the presence of modified or unwanted files or changes occurring in the configuration. In this way, known and unknown viruses can be detected, as can any unauthorised use of the local computers.
PCT/GB2002/004059 2001-09-05 2002-09-05 Network security WO2003021402A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0121497.2 2001-09-05
GB0121497A GB0121497D0 (en) 2001-09-05 2001-09-05 Network security

Publications (2)

Publication Number Publication Date
WO2003021402A2 (fr) 2003-03-13
WO2003021402A3 WO2003021402A3 (fr) 2004-08-19

Family

ID=9921565

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2002/004059 WO2003021402A2 (fr) 2001-09-05 2002-09-05 Network security

Country Status (2)

Country Link
GB (1) GB0121497D0 (fr)
WO (1) WO2003021402A2 (fr)



Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5475625A (en) * 1991-01-16 1995-12-12 Siemens Nixdorf Informationssysteme Aktiengesellschaft Method and arrangement for monitoring computer manipulations
EP0899662A1 (fr) * 1997-08-29 1999-03-03 Hewlett-Packard Company Data backup and restore system for a computer network
US6094731A (en) * 1997-11-24 2000-07-25 Symantec Corporation Antivirus accelerator for computer networks
EP0952521A2 (fr) * 1998-04-23 1999-10-27 Hewlett-Packard Company Method for tracking configuration changes in networks of computer systems through historical monitoring of the configuration status of devices on the network
GB2350704A (en) * 1999-06-02 2000-12-06 Nicholas Peter Carter Security system
WO2002033525A2 (fr) * 2000-10-17 2002-04-25 Chuang Shyne Song Method and system for detecting suspicious software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MCKOSKY R A ET AL: "A FILE INTEGRITY CHECKING SYSTEM TO DETECT AND RECOVER FROM PROGRAM MODIFICATION ATTACKS IN MULTI-USER COMPUTER SYSTEMS", COMPUTERS & SECURITY. INTERNATIONAL JOURNAL DEVOTED TO THE STUDY OF TECHNICAL AND FINANCIAL ASPECTS OF COMPUTER SECURITY, ELSEVIER SCIENCE PUBLISHERS, AMSTERDAM, NL, vol. 9, no. 5, 1 August 1990 (1990-08-01), pages 431-446, XP000147838, ISSN: 0167-4048 *
WILLIAMS R N: "DATA INTEGRITY WITH VERACITY", INTERNET, 12 September 1994 (1994-09-12), XP002096828, Retrieved from the Internet: <URL:ftp://ftp.rocksoft.com/clients/rocksoft/papers/vercty10.ps> [retrieved on 1999-03-16] *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685174B2 (en) 2003-07-08 2010-03-23 Seventh Knight Inc. Automatic regeneration of computer files
WO2005008457A1 (fr) * 2003-07-08 2005-01-27 Seventh Knight Automatic regeneration of computer files
US7603715B2 (en) 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
US7634812B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Filter generation
US7634813B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Self-certifying alert
EP2629232A2 (fr) 2005-06-30 2013-08-21 Prevx Limited Methods and apparatus for dealing with malware
US8418250B2 (en) 2005-06-30 2013-04-09 Prevx Limited Methods and apparatus for dealing with malware
EP2629231A2 (fr) 2005-06-30 2013-08-21 Prevx Limited Methods and apparatus for dealing with malware
US8726389B2 (en) 2005-06-30 2014-05-13 Prevx Limited Methods and apparatus for dealing with malware
US8763123B2 (en) 2005-06-30 2014-06-24 Prevx Limited Methods and apparatus for dealing with malware
US11379582B2 (en) 2005-06-30 2022-07-05 Webroot Inc. Methods and apparatus for malware threat research
US10803170B2 (en) 2005-06-30 2020-10-13 Webroot Inc. Methods and apparatus for dealing with malware
US8479174B2 (en) 2006-04-05 2013-07-02 Prevx Limited Method, computer program and computer for analyzing an executable computer file
WO2008071620A1 (fr) * 2006-12-11 2008-06-19 International Business Machines Corporation Heuristic malware detection
US8091127B2 (en) 2006-12-11 2012-01-03 International Business Machines Corporation Heuristic malware detection
US10574630B2 (en) 2011-02-15 2020-02-25 Webroot Inc. Methods and apparatus for malware threat research
US9405905B2 (en) 2011-08-18 2016-08-02 Verisign, Inc. Systems and methods for identifying associations between malware samples
US9721099B2 (en) 2011-08-18 2017-08-01 Verisign, Inc. Systems and methods for identifying associations between malware samples
US8874579B2 (en) 2011-08-18 2014-10-28 Verisign, Inc. Systems and methods for identifying associations between malware samples
US9754117B2 (en) 2014-02-24 2017-09-05 Northcross Group Security management system
US9917811B2 (en) 2015-10-09 2018-03-13 International Business Machines Corporation Security threat identification, isolation, and repairing in a network
US9923867B2 (en) 2015-10-09 2018-03-20 International Business Machines Corporation Security threat identification, isolation, and repairing in a network

Also Published As

Publication number Publication date
WO2003021402A3 (fr) 2004-08-19
GB0121497D0 (en) 2001-10-24

Similar Documents

Publication Publication Date Title
CA2391701C (fr) Method and device for remote configuration and monitoring of a communication device
US6775657B1 (en) Multilayered intrusion detection system and method
CN106411562B (zh) Power information network security coordinated defense method and system
US8291498B1 (en) Computer virus detection and response in a wide area network
US20030188190A1 (en) System and method of intrusion detection employing broad-scope monitoring
WO2001084270A2 (fr) Method and system for intrusion detection in a computer network
CA2545916A1 (fr) Apparatus, method and medium for detecting payload anomalies using the n-gram distribution of normal data
KR101089154B1 (ko) Network-based network separation apparatus, system and method using a virtual environment
WO2001016664A1 (fr) System and method for analyzing file systems to detect intrusions
KR20120090574A (ko) ARP spoofing attack detection method using an ARP locking function, and recording medium storing a program for executing the method
CN111651754A (zh) Intrusion detection method and device, storage medium and electronic device
WO2003021402A2 (fr) Network security
CN100568876C (zh) Method for operating a data processing system and device for processing wireless communications
JP4462849B2 (ja) Data protection apparatus, method and program
US20050086512A1 (en) Worm blocking system and method using hardware-based pattern matching
KR20000063357A (ko) Wireless virus prevention system and prevention method
CN113660222A (zh) Situation awareness defense method and system based on mandatory access control
JP2006330926A (ja) Virus infection detection device
US20220083646A1 (en) Context Based Authorized External Device Copy Detection
KR100503772B1 (ko) Monitoring system and method for monitoring operations performed by connecting to a database server in utility mode
CA3122328A1 (fr) System and method for cybersecurity situational awareness, threat detection and risk detection in the Internet of Things space
RU186198U1 (ru) Network node level intrusion detection means
Abimbola et al. NetHost-Sensor: Investigating the capture of end-to-end encrypted intrusive data
Gheorghe et al. Attack evaluation and mitigation framework
JP2002259149A (ja) Remote computer virus prevention system and method via a network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EE ES FI GB GD GE GH GM HU ID IL IN IS JP KE KG KP KR KZ LK LR LS LT LU LV MA MD MG MK MW MX MZ NO NZ PL PT RO RU SD SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the EPO has been informed by WIPO that EP was designated in this application
32PN Ep: public notification in the EP bulletin as the address of the addressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69(1) EPC (EPO FORM 1205A DATED 21-06-2004)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP