The present invention relates to network security techniques.
Network security techniques aim to prevent unauthorized access to a computer network and/or network-accessible resources (such as network-connected equipment or services). A Network Intrusion Detection System (NIDS), for example, attempts to detect an unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. Antivirus software is used to prevent, detect, and remove malware, including computer viruses, computer worms, and other malicious software, from computers.
Existing network security techniques, however, typically identify only the point at which an intrusion was detected, such as a particular computer or a particular user account on a network service that has been attacked, without any further knowledge of the additional computers or user accounts that may also have been attacked. Known techniques generally rely on manual forensic analysis or on having each computer on the network run audit software that collects local activity data to be used in case an intrusion is detected. Such existing techniques, however, are not scalable (manual forensic analysis does not keep pace with the size of an enterprise network) and are open to attack (audit data collected and stored on a compromised host can be altered or deleted by the intruder).
A need therefore exists for improved methods and apparatus for automatically identifying the network resources (such as servers, services, and client machines) that are affected by a computer intrusion.
Generally, methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. According to one aspect of the invention, one or more network resources affected by a computer intrusion are identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion.
The network resources can be, for example, servers, services and/or client machines. The external source can be, for example, a provider of an antivirus product or a law enforcement agency. The external system can be, for example, an infected system or a malicious system. The internal information comprises, for example, internal network activity, internal e-mail content and/or authentication logs. The user accounts associated with the one or more affected internal systems can be, for example, accounts of a user who has access to at least one of the affected internal systems.
The list of one or more affected internal systems can be derived by marking an identified internal system as infected and marking any additional internal systems that communicated with an identified external host as infected. In addition, any internal system that communicated with an infected internal system can optionally be marked as infected. Any internal system with a communication profile similar to an infected system can also optionally be marked as infected.
A more complete understanding of the present invention, as well as further features and advantages of the present invention, will be obtained by reference to the following detailed description and drawings.
The present invention provides improved methods and apparatus for automatically identifying the network resources (such as servers, services, and client machines) that are affected by a computer intrusion. According to one aspect of the invention, summary information about network events (collected and computed, for example, continuously) is used to determine the extent of an intrusion. Initially, a particular computer or a particular account on a network service that has been attacked is identified. The set of events triggered by the intruder is then reconstructed using information about the other computers, services, and network resources that were accessed, or were accessible, from the attacked computer or account. A report is optionally generated that describes the computers and services whose integrity should be checked.
According to one aspect of the present invention, a computer intrusion management system 700 connected to the enterprise network 170 automatically identifies the resources (such as servers, services, and client machines) on the enterprise network 170 that are affected by a computer intrusion. The processes associated with the computer intrusion management system 700 are discussed further below in conjunction with
Thereafter, a list is derived during step 220 of infected systems on the internal (enterprise) network by correlating data from step 210 with internal network captures, internal e-mail content captures, and authentication logs, as discussed further below in conjunction with
A list of user accounts is determined during step 230 that are affected by the list derived in step 220, as discussed further below in conjunction with
The data that resides on the systems that were accessed by the affected accounts of step 230 is determined during step 240. For example, for each system in the list constructed during step 220, the computer intrusion management process 200 retrieves information about the data stored on that system. This information can be obtained, for example, from an information-management system or more specifically from an enterprise information-security management (EISM) system. This information about the data can include, for example, the type of data stored, its sensitivity, the amount of data, and other security-relevant metrics.
The data that resides on the systems that could be accessed by the affected accounts of step 230 is determined during step 250, as discussed further below in conjunction with
Finally, the potential damage from the data of steps 240 and 250 is summarized during step 260 and optionally presented to an analyst for implementation of prevention/recovery measures. For example, the computer intrusion management process 200 can collate the information obtained in steps 240 and 250 to display to a system or security analyst an actionable summary of the intrusion. This display optionally includes information about the data residing on affected systems (from step 240), representing data that is very likely to have been impacted by the intrusion. The display optionally also includes information about the data residing on potentially affected systems, representing data that might have been impacted by the intrusion. Since the amount of data can be quite large for an enterprise network, the exemplary computer intrusion management process 200 can optionally group data items based on risk factors that take into account the sensitivity of the data and the probability of actual intrusion on the internal system storing the data.
One exemplary computer intrusion management process 200 uses a display component that provides the analyst with drill-down capabilities, such that the analyst can start with a brief summary of the data affected by the intrusion, and then has the option to repeatedly ask for more information about each affected data item and each affected (or potentially affected) internal system. Based on this information, the analyst can take prevention and/or recovery measures using tools, techniques, and procedures not covered by this invention.
The processing performed during steps 220 and 230 generates lists of infected systems and the corresponding user accounts that used the infected systems. The processing performed during steps 240 and 250 generates lists of the data residing on affected systems that were or could have been accessed by affected accounts.
Finally, a summary of the potential damage is optionally presented to an analyst during step 260.
As previously indicated, a list is derived during step 220 of infected systems on the internal (enterprise) network by correlating data from step 210 with internal network captures, internal e-mail content captures, and authentication logs.
The internal system from step 210 is marked as infected during step 410. Any internal system that communicated with an external host specified in step 210 is marked as infected during step 420.
In addition, any internal system that communicated with an infected internal system is optionally marked as infected during step 430. Any internal system with a communication profile similar to that of an infected system is optionally marked as infected during step 440.
The rules of
As previously indicated, a list is derived during step 230 of user accounts that are affected by the list derived in step 220.
As previously indicated, the data that resides on the systems that could be accessed by the affected accounts of step 230 is determined during step 250.
As shown in
Finally, the list of potentially affected systems is used during step 620 as a starting point for the procedure of step 240.
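The chain of steps 220 through 260 described above, run end to end over constructed logs, as an added example that is not part of the patent text or of any implementation it describes. The block applies rules 410 through 440 to derive the list of infected systems (step 220), finds the accounts that used those systems (step 230), finds the other systems those accounts have reached (step 250) and ranks the data by sensitivity and probability of intrusion (step 260). The host names, log fields and inventory values are constructed sample data; the use of Jaccard similarity of counterpart sets as the "communication profile" measure, its threshold, the single-hop application of rule 430 and the probability weights are all assumptions made for illustration, not choices the patent specifies.

```python
"""Added example (not the patent's own code): steps 220-260 over constructed
logs. Rules 410-440 propagate the infection mark, step 230 finds affected
accounts, step 250 the systems they can reach, step 260 ranks the data.
Host names, log fields, the similarity measure/threshold and the probability
weights are assumptions made for illustration."""
from collections import defaultdict

# Step 210 inputs (constructed): malicious host named by the external source
# and the internal system reported as attacked.
EXTERNAL_HOSTS = {"203.0.113.7"}
SEED_INTERNAL = {"ws-042"}

# Constructed internal network captures as (src, dst); direction is ignored.
FLOWS = [
    ("ws-042", "203.0.113.7"), ("ws-042", "fs-01"), ("ws-042", "mail-01"),
    ("ws-017", "203.0.113.7"), ("ws-017", "mail-01"),
    ("ws-099", "fs-01"), ("ws-099", "mail-01"), ("ws-099", "print-01"),
    ("ws-101", "crm-01"), ("ws-101", "print-01"),
]

# Constructed authentication logs: successful logons as (account, system).
AUTH_LOGS = [
    ("alice", "ws-042"), ("alice", "fs-01"), ("alice", "hr-db"),
    ("bob", "ws-017"), ("bob", "crm-01"),
    ("carol", "ws-101"), ("carol", "print-01"),
]

# Constructed EISM-style inventory: system -> (data type, sensitivity 1..5).
DATA_INVENTORY = {
    "ws-042": ("user documents", 2), "ws-017": ("user documents", 2),
    "ws-099": ("user documents", 2), "fs-01": ("finance shares", 4),
    "mail-01": ("mailboxes", 3), "hr-db": ("employee PII", 5),
    "crm-01": ("customer PII", 4), "print-01": ("print spool", 1),
}

# Assumed probability of actual intrusion for each marking rule.
P_DIRECT, P_PEER, P_SIMILAR, P_REACHABLE = 1.0, 0.7, 0.4, 0.2


def profiles(flows):
    """Communication profile of every host: the set of its counterparts."""
    prof = defaultdict(set)
    for src, dst in flows:
        prof[src].add(dst)
        prof[dst].add(src)
    return dict(prof)


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def derive_infected(seed, external_hosts, flows, threshold=0.5):
    """Step 220, rules 410-440. Returns {internal system: probability}."""
    prof = profiles(flows)
    infected = {s: P_DIRECT for s in seed}                         # 410
    for host, peers in prof.items():                               # 420
        if host not in external_hosts and peers & external_hosts:
            infected.setdefault(host, P_DIRECT)
    for host in list(infected):                                    # 430, one hop
        for peer in prof.get(host, set()) - external_hosts:
            infected.setdefault(peer, P_PEER)
    for host in prof:                                              # 440
        if host in infected or host in external_hosts:
            continue
        if any(jaccard(prof[host], prof.get(i, set())) >= threshold
               for i in infected):
            infected[host] = P_SIMILAR
    return infected


def affected_accounts(infected, auth_logs):
    """Step 230: accounts that logged on to an infected system."""
    return {acct for acct, host in auth_logs if host in infected}


def reachable_systems(accounts, infected, auth_logs):
    """Step 250: unmarked systems the affected accounts have logged on to."""
    return {host for acct, host in auth_logs
            if acct in accounts and host not in infected}


def damage_summary(infected, reachable, inventory):
    """Step 260: (risk, system, data type, probability), highest risk first."""
    rows = []
    for host, (kind, sensitivity) in inventory.items():
        if host in infected:
            p = infected[host]
        elif host in reachable:
            p = P_REACHABLE
        else:
            continue
        rows.append((round(sensitivity * p, 2), host, kind, p))
    return sorted(rows, reverse=True)


def run():
    infected = derive_infected(SEED_INTERNAL, EXTERNAL_HOSTS, FLOWS)
    accounts = affected_accounts(infected, AUTH_LOGS)
    reachable = reachable_systems(accounts, infected, AUTH_LOGS)
    return infected, accounts, reachable, damage_summary(
        infected, reachable, DATA_INVENTORY)


if __name__ == "__main__":
    infected, accounts, reachable, summary = run()
    print("infected:", infected)
    print("affected accounts:", sorted(accounts))
    print("potentially affected:", sorted(reachable))
    for risk, host, kind, p in summary:
        print(f"{risk:4.1f}  {host:9} {kind:15} p={p}")
```

On the sample data, ws-042 (the seed) and ws-017 (which also talked to the malicious host) are marked by rules 410 and 420, the file and mail servers they communicated with by rule 430, and ws-099, which never touched a marked system but shares half of ws-042's counterparts, by rule 440; hr-db and crm-01 enter only through the accounts alice and bob (step 250) and are therefore carried with the lower probability. Rule 430 is applied as a single pass here; iterating it to a fixpoint marks every internal system transitively connected to the seed, which is the reason the patent makes rules 430 and 440 optional and why the probability attached to each rule, rather than the bare infected/not-infected mark, is what lets step 260 group a large data inventory by risk.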
While
While exemplary embodiments of the present invention have been described with respect to processing steps in a software program, as would be apparent to one skilled in the art, various functions may be implemented in the digital domain as processing steps in a software program, in hardware by a programmed general-purpose computer, circuit elements or state machines, or in combination of both software and hardware. Such software may be employed in, for example, a hardware device, such as a digital signal processor, application specific integrated circuit, micro-controller, or general-purpose computer. Such hardware and software may be embodied within circuits implemented within an integrated circuit.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowcharts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It is to be understood that the embodiments and variations shown and described herein are merely illustrative of the principles of this invention and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the invention.