WO2003021402A2 - Network security - Google Patents
Network security
- Publication number
- WO2003021402A2 (PCT/GB2002/004059)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computer
- files
- file
- memory means
- engine program
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Definitions
- The present invention relates to an arrangement for monitoring the security of a computer, especially computers on a network, and particularly of individual devices and the information they contain.
- The present invention is based on a concept whereby a main memory holds a record of all files used by a local computer, is provided with update information on all existing files as well as on all new files, and determines whether the updated or new files represent a security threat.
- Events are monitored and collected by an engine program and forwarded to the main memory.
- The engine program itself consists of a single file which is arranged to run in parallel with the normal operating system of the local computer, which makes the file easier to hide so that the presence of the engine program is noticed neither by the user nor by a hacker.
- The engine program has no noticeable effect on the system.
- The main memory is provided by a central computer (hereafter referred to as the console), and the local computer communicates with the console over a network or in some other convenient manner.
- The engine program monitors each and every file and, by inspecting preselected parts of each file, can create a highly compressed yet accurate image of the file which can then be transmitted to the central database. All files can be handled in this way; consequently, when the term "file" is used it covers all files associated with the operating system, data, registries, directories, hardware, software and the like. In this way a complete virtual image of a local computer can be stored in the central database, and the console can run management software that monitors changes in the data files, programs or hardware of the local computer and thus warns of tampering with such files, programs and/or hardware.
- The present invention provides a method of monitoring the security of a computer system comprising monitoring a file as it is created or updated by inspecting preselected portions of the file selected from the whole file, storing information derived from the preselected portions, and transmitting the stored information to a main memory location.
- The main memory location is preferably a central database of a network.
- The present invention also provides a method of improving the security of computer apparatus by providing two copies of a security program and interconnecting them such that as one is switched off, either deliberately or inadvertently, the other is automatically switched on, and vice versa. This aspect is not limited to any particular type of security program and is of general application. It has particular application with the present invention, however, where the security program is relatively small and easy to hide.
- Fig 1 shows a block diagram of a network according to the present invention;
- Fig 2 shows a block diagram representing the main functions of an engine program arranged to be installed on each computer to be protected;
- Fig 3 is a flow chart explaining the operation of the engine program of Fig 1.
- A central server 1 communicates via transmit/receive ports 2 with a number of local computers 3, each of which is provided with a monitoring engine program 4.
- The central server is provided with a plurality of databases, namely an archive of threats database 5, a virtual image of each computer database 6 and an audit database 7.
- The basis of the present embodiment is that a virtual copy of a local computer and all its files is kept in memory in the database of the central server computer, with each file having its own individual characteristics stored at the central computer.
- The virtual copies are created by the small engine programs 4 loaded on the local computers 3, which monitor all files by inspecting preselected portions of the files in order to create a so-called "fingerprint" of each file, which is in fact a highly compressed version of the file.
- The fingerprint can then be forwarded very speedily to the central location, where the current fingerprint is compared with the previous fingerprint and any changes detected.
- The changes are then evaluated by the central computer 1 in order to determine the level of threat, if any, to the security of the local computer system, and an appropriate signal is sent back from the central server to the local computer 3 in the event that a particular file should not be opened or a particular program should not be run. Simultaneously, an event is displayed at the central computer and/or forwarded to other programs.
- Holding a virtual copy of the local computer and all its files, the central server can then monitor and log all changes to files, programs and/or hardware in order to provide evidence of breaches of security at the local computer.
- Biometric information can be gathered in real time and forwarded to the central database. For example, if an event is detected, a screen shot of the local computer is gathered for evidence, and at the same time the engine program can gather biometric information such as a photograph of the user of the local computer.
- The engine program is shown diagrammatically in Fig 2, where all file data is monitored at monitoring section 11 under the control of a program section 12 which determines which parts of the data will be sampled. The selected parts of the data are then stored, as indicated at 14, in order to create a virtual compressed copy of the file data for transmission, as indicated at 16.
- The engine program is arranged to commence running as soon as the computer on which it is loaded is powered up.
- The program then monitors all files as they are opened, and in particular it monitors all changes to a file, as indicated by the flow chart shown in Fig 3.
- Each and every change is inspected in order to determine whether the change is the creation of a new file. It also determines whether the change is a valid change.
- Each file is also checked by inspecting it from a plurality of points of view, sampling predetermined portions of the file. This in turn creates a fingerprint, or virtual copy, of the file which is then assembled for transmission to a central database either over the network or via some other communications link.
- The predetermined portions of the file which the engine program inspects include the tag indicating whether or not the file is an executable. The engine program also determines whether the file is a manipulated file, e.g. a zipped or encrypted file, and looks for the presence of capabilities such as keystroke logging, FTP server capability, IP notification, joystick controls, game libraries, etc.
- The engine program has a memory capability 12 so that it can store instructions received from the central processor, as described below, and then carry out those instructions in the event that the fingerprint it has assembled of a file indicates that action is necessary.
- The engine program can immediately kill the threat because it already holds the necessary instruction previously received from the central server. In certain circumstances the file in question can be dealt with automatically.
- A particular feature of the engine program is that it does not wait to be polled by a central computer. Rather, it itself generates a message for transmission to the central computer.
- The engine program therefore exposes no remote attack surface of its own, because there is no "listening" port waiting for an incoming transmission. It is not until the engine program has communicated with the central server that two-way communication is possible, and only after the engine program's communication with the central server can the central server transmit modified information to the engine program. (A closed inbound port removes one avenue of remote attack; it does not by itself protect the engine from a local attacker who can stop or tamper with the process, which is what the paired-copy arrangement described above is meant to address.) The monitoring and modification of the files on the local computer occur in real time while the local computer is in operation, either as it starts up or while it is running programs. Further, the engine program can itself run other software in order to transmit and/or record data as a result of the detection of a particular event or change to a file. As an example, if the local computer is fitted with a web cam, then should particular files be modified, the engine program can take a picture of the user of the machine at the appropriate time and correlate the event with the actual user as evidence for subsequent use.
- The central server 1 contains a reception port 2 for receiving data transmitted from the local computer.
- The central computer builds up a virtual picture of each local computer, its hardware, programs and files generally, in its database 6.
- The central server maintains a database 5 of all known security threats and viruses.
- The central computer can monitor changes to hardware and software using the information in the database 7 and consequently know when a security breach might have taken place.
- The central computer can log the event in question or signal the local computer to take the necessary action to provide evidence of the possible security breach, e.g. by taking a web cam picture as well as recording the user name and password.
- Another sophisticated ability of the server is to construct a dynamic, accurate, focused detection formula which can be custom built to detect dynamically changing threats that evade typical security fingerprinting techniques.
- The central server can communicate back to the local computer in the event of a security breach or potential security breach, or it can communicate with some other communications device such as a mobile telephone or personal digital assistant by sending an e-mail, SMS or fax to indicate the existence of the security breach or potential security breach. In this way, users of portable computers can be warned of security breaches relating to their machine without the need to actually switch it on and establish communications with the central server.
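The sampling-based fingerprint described in the definitions above (inspecting preselected portions of a file, reading the tag that marks an executable, detecting manipulated forms such as zipped or encrypted content, and looking for capability indicators such as keystroke logging or FTP server code) together with the console-side comparison of a fresh fingerprint against the stored one, as an added Python example. This is not the patent's code: the magic-byte table, the capability marker strings, the entropy threshold, the sample layout and the `decide` rules are all assumptions chosen for illustration, and the sample "files" are constructed inline.

```python
import hashlib
import math
import zlib

# Constructed sample files (built inline so the example runs offline). Their
# names, layouts and contents are illustrative assumptions, not patent material.
MZ_CLEAN = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
MZ_KEYLOGGER = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
                + b"SetWindowsHookExA\x00GetAsyncKeyState\x00" + b"\x00" * 140)
ZIP_FILE = b"PK\x03\x04" + zlib.compress(b"payload " * 50)
OPAQUE_BLOB = bytes(range(256)) * 4          # uniform bytes: looks encrypted

# Assumed signature tables; a real engine would carry far larger ones.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b")
CAPABILITY_MARKERS = {
    "keystroke_logging": (b"SetWindowsHookEx", b"GetAsyncKeyState"),
    "ftp_server": (b"220 FTP", b"PASV", b"RETR "),
    "ip_notification": (b"WSAStartup", b"gethostbyname"),
    "game_library": (b"DirectInput8Create", b"joyGetPos"),
}
ENCRYPTED_ENTROPY = 7.5   # bits per byte; above this, unknown data is treated as encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(data: bytes, head: int = 256, tail: int = 64,
                windows: int = 8, width: int = 16) -> dict:
    """Compact record of a file built from preselected portions only.

    The hash covers the size, the first `head` bytes, the last `tail` bytes and
    `windows` evenly spaced `width`-byte samples, so the record stays the same
    small size whatever the file size. The flags come from the header tag, the
    byte distribution and capability marker strings.
    """
    h = hashlib.sha256(len(data).to_bytes(8, "big"))
    h.update(data[:head])
    h.update(data[-tail:])
    step = max(1, len(data) // windows)
    for i in range(windows):
        h.update(data[i * step:i * step + width])

    kind = "executable" if data.startswith(EXECUTABLE_MAGIC) else "data"
    if data.startswith(COMPRESSED_MAGIC):
        manipulated = "compressed"
    elif shannon_entropy(data) > ENCRYPTED_ENTROPY:
        manipulated = "encrypted"
    else:
        manipulated = None
    capabilities = sorted(name for name, markers in CAPABILITY_MARKERS.items()
                          if any(m in data for m in markers))
    return {"size": len(data), "kind": kind, "manipulated": manipulated,
            "capabilities": capabilities, "sample_hash": h.hexdigest()}


def compare(previous, current: dict) -> list:
    """Console side: which fields of the stored fingerprint changed."""
    if previous is None:
        return ["new file"]
    return [k for k in current if current[k] != previous.get(k)]


def decide(previous, current: dict) -> str:
    """Illustrative threat evaluation; the rules are assumptions for this example."""
    changes = compare(previous, current)
    if not changes:
        return "unchanged"
    if current["capabilities"] or (current["kind"] == "executable"
                                   and current["manipulated"] == "encrypted"):
        return "block"          # tell the engine the file must not be opened or run
    return "log"                # record in the audit database, no action


def blind_spot_demo() -> list:
    """A one-byte change between sample points leaves the fingerprint unchanged."""
    original = bytes(4096)
    tampered = bytes(1000) + b"\x01" + bytes(3095)   # offset 1000 is never sampled
    return compare(fingerprint(original), fingerprint(tampered))
```

`blind_spot_demo()` shows the trade-off behind a sampled fingerprint: it is small and cheap to ship, but a change that falls between the sampled regions and does not alter the size, the header tag, the entropy or the marker strings is invisible to the console. That is why the flag fields, not only the hash, carry weight in `decide`.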
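The engine-initiated exchange described above (the engine opens no listening port, the console keeps the virtual image and compares each report with it, operator instructions reach the engine only inside the reply to a report the engine sent, and the engine keeps those instructions in its own memory so it can kill a threat locally without waiting for the console), as an added Python example with both sides on one machine. This is not the patent's protocol: the wire format (one JSON object per line over TCP on 127.0.0.1), the `if_capability` instruction shape and the fingerprints are assumptions for this example.

```python
import json
import socket
import threading


class Console:
    """Central server: the only side with a listening socket. It keeps the
    virtual image (last fingerprint per file per host) and hands instructions
    to an engine only inside the reply to a report the engine initiated."""

    def __init__(self):
        self.images = {}       # (host, path) -> fingerprint
        self.pending = {}      # host -> instructions queued by an operator
        self.events = []       # audit trail of (host, path, verdict)
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))     # ephemeral port for the example
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def queue_instruction(self, host: str, instruction: dict) -> None:
        """An operator queues an instruction; it cannot be pushed, only collected."""
        with self._lock:
            self.pending.setdefault(host, []).append(instruction)

    def _serve(self) -> None:
        while True:
            conn, _ = self._sock.accept()
            with conn:
                line = conn.makefile("rb").readline()
                if line:
                    reply = self._handle(json.loads(line))
                    conn.sendall(json.dumps(reply).encode() + b"\n")

    def _handle(self, report: dict) -> dict:
        key = (report["host"], report["path"])
        with self._lock:
            previous = self.images.get(key)
            if previous is None:
                verdict = "new"
            elif previous == report["fingerprint"]:
                verdict = "unchanged"
            else:
                verdict = "changed"
            self.images[key] = report["fingerprint"]
            self.events.append((report["host"], report["path"], verdict))
            instructions = self.pending.pop(report["host"], [])
        return {"verdict": verdict, "instructions": instructions}


class Engine:
    """Local engine: opens no listening socket; every exchange starts here."""

    def __init__(self, host: str, console_port: int):
        self.host = host
        self.console_port = console_port
        self.instructions = []   # the "memory capability": kept for later local use

    def report(self, path: str, fingerprint: dict) -> str:
        msg = {"host": self.host, "path": path, "fingerprint": fingerprint}
        with socket.create_connection(("127.0.0.1", self.console_port), timeout=5) as s:
            s.sendall(json.dumps(msg).encode() + b"\n")
            reply = json.loads(s.makefile("rb").readline())
        self.instructions.extend(reply["instructions"])
        return reply["verdict"]

    def local_action(self, fingerprint: dict) -> str:
        """Apply a cached instruction without contacting the console."""
        for ins in self.instructions:
            if ins["if_capability"] in fingerprint.get("capabilities", []):
                return ins["action"]
        return "allow"


def demo() -> dict:
    """Walk through one engine/console exchange and return what was observed."""
    console = Console()
    engine = Engine("host-1", console.port)
    clean = {"sample_hash": "aa11", "capabilities": []}          # constructed
    tampered = {"sample_hash": "bb22", "capabilities": ["keystroke_logging"]}
    verdicts = [engine.report("/usr/bin/tool", clean),
                engine.report("/usr/bin/tool", clean)]
    console.queue_instruction("host-1", {"if_capability": "keystroke_logging",
                                         "action": "kill"})
    cached_before = list(engine.instructions)    # still empty: nothing is pushed
    verdicts.append(engine.report("/usr/bin/tool", tampered))
    return {"verdicts": verdicts, "cached_before": cached_before,
            "cached_after": list(engine.instructions),
            "action": engine.local_action(tampered),
            "action_clean": engine.local_action(clean),
            "last_event": console.events[-1]}


if __name__ == "__main__":
    print(demo())
```

The point to notice in `demo()` is the gap between `queue_instruction` and the next `report`: the console has no way to reach the engine, so an instruction sits in `pending` until the engine calls in. That is the cost of having no listening port, and it is why the engine caches instructions for local use rather than asking the console each time.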
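The paired-copies arrangement described above (two copies of the security program interconnected so that when one is switched off, deliberately or inadvertently, the other switches it back on), as an added Python example that is not the patent's code. Two threads stand in for the two program copies, and the shared `shutdown` flag that lets an administrator stop both is an addition for this example that the patent text does not describe.

```python
import threading
import time


class SecurityCopy:
    """One of two identical copies of the security program. Besides its own
    monitoring work (omitted here), each copy checks its peer on every round
    and restarts it if it has been stopped, whether deliberately or by accident."""

    def __init__(self, name: str, pair: "WatchdogPair", interval: float = 0.01):
        self.name = name
        self.pair = pair
        self.interval = interval
        self.peer = None
        self.revivals = 0                 # how many times this copy restarted its peer
        self._stop = threading.Event()
        self._thread = None

    def start(self) -> None:
        self._stop.clear()
        self._thread = threading.Thread(target=self._run, name=self.name, daemon=True)
        self._thread.start()

    def stop(self) -> None:
        """Switch this copy off, as a user or an attacker might."""
        self._stop.set()

    def alive(self) -> bool:
        return self._thread is not None and self._thread.is_alive()

    def _run(self) -> None:
        while not self._stop.is_set():
            with self.pair.lock:
                # Never revive the peer once an administrative shutdown has begun.
                if not self.pair.shutdown.is_set() and not self.peer.alive():
                    self.peer.start()
                    self.revivals += 1
            time.sleep(self.interval)


class WatchdogPair:
    """Two copies wired to each other, plus a way to stop both on purpose."""

    def __init__(self):
        self.lock = threading.Lock()
        self.shutdown = threading.Event()
        self.a = SecurityCopy("copy-A", self)
        self.b = SecurityCopy("copy-B", self)
        self.a.peer, self.b.peer = self.b, self.a

    def start(self) -> None:
        self.a.start()
        self.b.start()

    def disable(self) -> None:
        with self.lock:                 # taken so no revival can race the flag
            self.shutdown.set()
        for copy in (self.a, self.b):
            copy.stop()
            copy._thread.join(timeout=1.0)


def run_scenario() -> dict:
    """Kill one copy, watch the other bring it back, then shut both down."""
    pair = WatchdogPair()
    pair.start()
    time.sleep(0.05)
    both_up = pair.a.alive() and pair.b.alive()
    pair.b.stop()                     # an attacker or user kills copy B
    time.sleep(0.2)                   # a few supervision rounds pass
    b_revived = pair.b.alive()
    pair.disable()
    return {"both_up": both_up, "b_revived": b_revived,
            "revivals_by_a": pair.a.revivals,
            "after_disable": (pair.a.alive(), pair.b.alive())}


if __name__ == "__main__":
    print(run_scenario())
```

The arrangement only helps against one copy being stopped at a time; an attacker who stops both within a single supervision interval, or who tampers with the file both copies are started from, defeats it, so in practice it is paired with the hiding and integrity checks the rest of the description relies on.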
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0121497.2 | 2001-09-05 | ||
GB0121497A GB0121497D0 (en) | 2001-09-05 | 2001-09-05 | Network security |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2003021402A2 (fr) | 2003-03-13 |
WO2003021402A3 (fr) | 2004-08-19 |
Family
ID=9921565
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2002/004059 WO2003021402A2 (fr) | 2001-09-05 | 2002-09-05 | Network security |
Country Status (2)
Country | Link |
---|---|
GB (1) | GB0121497D0 (fr) |
WO (1) | WO2003021402A2 (fr) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5475625A (en) * | 1991-01-16 | 1995-12-12 | Siemens Nixdorf Informationssysteme Aktiengesellschaft | Method and arrangement for monitoring computer manipulations |
EP0899662A1 (fr) * | 1997-08-29 | 1999-03-03 | Hewlett-Packard Company | Data backup and restore system for a computer network |
EP0952521A2 (fr) * | 1998-04-23 | 1999-10-27 | Hewlett-Packard Company | Method for tracking configuration changes in networks of computer systems by historical monitoring of the configuration state of devices on the network |
US6094731A (en) * | 1997-11-24 | 2000-07-25 | Symantec Corporation | Antivirus accelerator for computer networks |
GB2350704A (en) * | 1999-06-02 | 2000-12-06 | Nicholas Peter Carter | Security system |
WO2002033525A2 (fr) * | 2000-10-17 | 2002-04-25 | Chuang Shyne Song | Method and system for detecting suspicious software |
2001
- 2001-09-05 GB GB0121497A patent/GB0121497D0/en not_active Ceased
2002
- 2002-09-05 WO PCT/GB2002/004059 patent/WO2003021402A2/fr not_active Application Discontinuation
Non-Patent Citations (2)
Title |
---|
McKosky, R. A. et al., "A file integrity checking system to detect and recover from program modification attacks in multi-user computer systems", Computers & Security, vol. 9, no. 5, 1 August 1990, pp. 431-446, ISSN 0167-4048 (XP000147838) |
Williams, R. N., "Data integrity with Veracity", 12 September 1994, retrieved on 1999-03-16 from ftp://ftp.rocksoft.com/clients/rocksoft/papers/vercty10.ps (XP002096828) |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7685174B2 (en) | 2003-07-08 | 2010-03-23 | Seventh Knight Inc. | Automatic regeneration of computer files |
WO2005008457A1 (fr) * | 2003-07-08 | 2005-01-27 | Seventh Knight | Automatic regeneration of computer files |
US7603715B2 (en) | 2004-07-21 | 2009-10-13 | Microsoft Corporation | Containment of worms |
US7634812B2 (en) | 2004-07-21 | 2009-12-15 | Microsoft Corporation | Filter generation |
US7634813B2 (en) | 2004-07-21 | 2009-12-15 | Microsoft Corporation | Self-certifying alert |
EP2629232A2 (fr) | 2005-06-30 | 2013-08-21 | Prevx Limited | Methods and apparatus for dealing with malware |
US8418250B2 (en) | 2005-06-30 | 2013-04-09 | Prevx Limited | Methods and apparatus for dealing with malware |
EP2629231A2 (fr) | 2005-06-30 | 2013-08-21 | Prevx Limited | Methods and apparatus for dealing with malware |
US8726389B2 (en) | 2005-06-30 | 2014-05-13 | Prevx Limited | Methods and apparatus for dealing with malware |
US8763123B2 (en) | 2005-06-30 | 2014-06-24 | Prevx Limited | Methods and apparatus for dealing with malware |
US11379582B2 (en) | 2005-06-30 | 2022-07-05 | Webroot Inc. | Methods and apparatus for malware threat research |
US10803170B2 (en) | 2005-06-30 | 2020-10-13 | Webroot Inc. | Methods and apparatus for dealing with malware |
US8479174B2 (en) | 2006-04-05 | 2013-07-02 | Prevx Limited | Method, computer program and computer for analyzing an executable computer file |
WO2008071620A1 (fr) * | 2006-12-11 | 2008-06-19 | International Business Machines Corporation | Heuristic malware detection |
US8091127B2 (en) | 2006-12-11 | 2012-01-03 | International Business Machines Corporation | Heuristic malware detection |
US10574630B2 (en) | 2011-02-15 | 2020-02-25 | Webroot Inc. | Methods and apparatus for malware threat research |
US9405905B2 (en) | 2011-08-18 | 2016-08-02 | Verisign, Inc. | Systems and methods for identifying associations between malware samples |
US9721099B2 (en) | 2011-08-18 | 2017-08-01 | Verisign, Inc. | Systems and methods for identifying associations between malware samples |
US8874579B2 (en) | 2011-08-18 | 2014-10-28 | Verisign, Inc. | Systems and methods for identifying associations between malware samples |
US9754117B2 (en) | 2014-02-24 | 2017-09-05 | Northcross Group | Security management system |
US9917811B2 (en) | 2015-10-09 | 2018-03-13 | International Business Machines Corporation | Security threat identification, isolation, and repairing in a network |
US9923867B2 (en) | 2015-10-09 | 2018-03-20 | International Business Machines Corporation | Security threat identification, isolation, and repairing in a network |
Also Published As
Publication number | Publication date |
---|---|
WO2003021402A3 (fr) | 2004-08-19 |
GB0121497D0 (en) | 2001-10-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2391701C (fr) | Method and device for remote configuration and monitoring of a communication device | |
US6775657B1 (en) | Multilayered intrusion detection system and method | |
CN106411562B (zh) | Power information network security coordinated defence method and system | |
US8291498B1 (en) | Computer virus detection and response in a wide area network | |
US20030188190A1 (en) | System and method of intrusion detection employing broad-scope monitoring | |
WO2001084270A2 (fr) | Method and system for detecting intrusion in a computer network | |
CA2545916A1 (fr) | Apparatus, method and medium for detecting payload anomalies using the n-gram distribution of normal data | |
KR101089154B1 (ko) | Network-based network separation apparatus, system and method using a virtual environment | |
WO2001016664A1 (fr) | System and method for analysing file systems to detect intrusions | |
KR20120090574A (ko) | Method for detecting ARP spoofing attacks using an ARP locking function, and recording medium storing a program for executing the method | |
CN111651754A (zh) | Intrusion detection method and apparatus, storage medium and electronic device | |
WO2003021402A2 (fr) | Network security | |
CN100568876C (zh) | Method for operating a data processing system and apparatus for handling wireless communications | |
JP4462849B2 (ja) | Data protection apparatus, method and program | |
US20050086512A1 (en) | Worm blocking system and method using hardware-based pattern matching | |
KR20000063357A (ko) | Wireless virus prevention system and method | |
CN113660222A (zh) | Situational-awareness defence method and system based on mandatory access control | |
JP2006330926A (ja) | Virus infection detection apparatus | |
US20220083646A1 (en) | Context Based Authorized External Device Copy Detection | |
KR100503772B1 (ko) | Monitoring system and method for monitoring work performed by connecting to a database server in utility mode | |
CA3122328A1 (fr) | System and method for cybersecurity situational awareness, threat detection and risk detection in the Internet of Things space | |
RU186198U1 (ru) | Network node level intrusion detection device | |
Abimbola et al. | NetHost-Sensor: Investigating the capture of end-to-end encrypted intrusive data | |
Gheorghe et al. | Attack evaluation and mitigation framework | |
JP2002259149A (ja) | Remote computer virus prevention system and method through a network | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EE ES FI GB GD GE GH GM HU ID IL IN IS JP KE KG KP KR KZ LK LR LS LT LU LV MA MD MG MK MW MX MZ NO NZ PL PT RO RU SD SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA |
| AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG |
| AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: COMMUNICATION PURSUANT TO RULE 69(1) EPC (EPO FORM 1205A DATED 21-06-2004) |
| 122 | Ep: pct application non-entry in european phase | |
| NENP | Non-entry into the national phase | Ref country code: JP |
| WWW | Wipo information: withdrawn in national office | Country of ref document: JP |