Asynchronous Intrusion Detection and Remediation: System and Method for Asynchronous Intrusion Detection and Remediation of Zero-Day Attacks
Publication Date: 2014-Sep-03
The IP.com Prior Art Database
A system and method for asynchronous intrusion detection and remediation of zero-day attacks is disclosed.
Disclosed is a system and method for asynchronous intrusion detection and remediation of zero-day attacks.
Current solutions provide coverage for well-known attack vectors, but generally do not detect covert network channels leaving compromised systems. Virus scanners can, for example, alert the user that an application wants to connect to the network, but once the user selects 'allow', the covert channel is permitted and the scanner ignores the traffic patterns because they are unknown.
Historically, Intrusion Detection Systems (host, network, and malware detection systems) have not been able to rapidly respond to these carefully crafted threats. It is only at a much later date, well past the initial attack and infection, that Intrusion Detection Systems can be configured to respond to these threats.
Complicating matters further, some entities cannot accept a reduction in accessibility by permitting the network outages or latencies that might otherwise be introduced by aggressive Intrusion Detection Systems. Therefore, these institutions, as a result of their Risk Management Analysis, implement a "respond and eliminate" security strategy: when a threat or intrusion is discovered, the entity responds to the threat and remediates the affected systems. The inherent problem in this strategy is the latency between the breach and the remediation, during which confidential or high-value information can be exploited.
In order for an attack to be successful, the threat agent installed on a given system must communicate with the attacker's handler. Therefore, the complicated part of detecting these threats is the lack of knowledge regarding the communication channels they employ. If the IPS does not recognize a protocol, it cannot decode the stream to look for an attack; and if the stream is unknown, it cannot decipher the information the stream contains. As a result, the attacker's communication becomes background noise that is routinely ignored.
An additional solution is required because zero-day threats delivered by drive-by and phishing attacks generally go unchecked by existing security applications and are enabled by the mistaken cooperation of users.
The system and method comprise a two-part application (server and client agents) that monitors network activity as it leaves the client system, whether generated by known or unknown applications. Network activity generated by known (safe) applications is ignored. Network activity generated by unknown applications is not ignored. The end-user does not have the opportunity to decide which applications are known and which are unknown. Covert communication channels, such as SSH, FTP, or SSL/TLS, are detected and logged, or decrypted and inspected when possible. The data of the communication channels are inspected for known exploit traffic and data leakage, such as company...
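To make the client-agent logic above concrete, the following is an added illustration written for this page; it is not code from the disclosure. It assumes a simplified record format that a host agent might emit per outbound connection (constructed sample lines below), a known-application allowlist keyed on process name (a real agent would key on the binary's signer or hash, since a name is trivially spoofed), and a fixed port-to-channel mapping for the SSH, FTP and SSL/TLS channels the text names. Known applications are ignored without consulting the user; unknown applications are logged, and their encrypted channels are marked for inspection. A per-process summary counts repeated contact with the same destination so the server side can prioritize what to review.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist of known (safe) applications. Assumption: a real
# deployment pushes this from the server component and keys it on signer or
# hash, not on a process name, because names are trivially spoofed.
KNOWN_APPLICATIONS = frozenset({"chrome.exe", "outlook.exe", "teams.exe"})

# Destination ports the agent treats as candidate covert channels (the text
# names SSH, FTP and SSL/TLS). Any other port is logged as an unknown stream.
CHANNEL_PORTS = {22: "SSH", 21: "FTP", 990: "FTPS", 443: "SSL/TLS", 8443: "SSL/TLS"}

# Constructed sample of per-connection records; the format is an assumption.
SAMPLE_EVENTS = """\
2014-09-03T10:00:01Z proc=chrome.exe dst=198.51.100.20:443 proto=tcp
2014-09-03T10:00:05Z proc=updater_x.exe dst=203.0.113.7:22 proto=tcp
2014-09-03T10:00:09Z proc=outlook.exe dst=198.51.100.33:993 proto=tcp
2014-09-03T10:00:12Z proc=svc_helper.exe dst=203.0.113.9:53 proto=udp
2014-09-03T10:00:20Z proc=updater_x.exe dst=203.0.113.7:22 proto=tcp
2014-09-03T10:00:35Z proc=updater_x.exe dst=203.0.113.7:22 proto=tcp
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class OutboundEvent:
    ts: str
    process: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Finding:
    process: str
    dst_ip: str
    dst_port: int
    channel: str
    action: str


def parse_events(text: str) -> List[OutboundEvent]:
    """Parse agent records; malformed lines are skipped rather than crashing the agent."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(OutboundEvent(m["ts"], m["proc"].lower(), m["ip"], int(m["port"]), m["proto"]))
    return events


def classify(event: OutboundEvent, known=KNOWN_APPLICATIONS) -> Optional[Finding]:
    """Return None for known applications (ignored); otherwise a Finding to log."""
    if event.process in known:
        return None
    channel = CHANNEL_PORTS.get(event.dst_port)
    if channel is None:
        # Unknown stream from an unknown application: log it as-is.
        return Finding(event.process, event.dst_ip, event.dst_port, f"unknown/{event.proto}", "log")
    # Encrypted or tunnelled channel: log, and mark for decryption and content
    # inspection where the agent has the means to do so.
    return Finding(event.process, event.dst_ip, event.dst_port, channel, "log+inspect")


def run_agent(events: List[OutboundEvent], known=KNOWN_APPLICATIONS) -> List[Finding]:
    """Client-side pass: the user is never asked; findings go to the server component."""
    return [f for f in (classify(e, known) for e in events) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per unknown process, count contacts per destination so repeated contact
    with one host ranks above a one-off connection when the server reviews it."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        key = f"{f.dst_ip}:{f.dst_port}/{f.channel}"
        per_proc = summary.setdefault(f.process, {})
        per_proc[key] = per_proc.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    found = run_agent(parse_events(SAMPLE_EVENTS))
    for finding in found:
        print(finding)
    print(summarize(found))
```

On the sample records, the two known applications produce nothing, while the unknown `updater_x.exe` is reported three times for the same SSH destination and `svc_helper.exe` once for an unknown UDP stream; the summary collapses those into per-destination counts. The "log+inspect" action is only a marker: whether an agent can actually decrypt an SSL/TLS or SSH channel depends on whether it controls the endpoint's keys or a sanctioned interception point, which the text limits with "when possible".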