+

WO2005114949A1 - Systemes et procedes de securite informatique - Google Patents

Systemes et procedes de securite informatique Download PDF

Info

Publication number
WO2005114949A1
WO2005114949A1 PCT/US2004/012112 US2004012112W WO2005114949A1 WO 2005114949 A1 WO2005114949 A1 WO 2005114949A1 US 2004012112 W US2004012112 W US 2004012112W WO 2005114949 A1 WO2005114949 A1 WO 2005114949A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature file
incoming message
code
message
web server
Prior art date
Application number
PCT/US2004/012112
Other languages
English (en)
Inventor
Paul A. Gassoway
Original Assignee
Computer Associates Think, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Computer Associates Think, Inc. filed Critical Computer Associates Think, Inc.
Priority to PCT/US2004/012112 priority Critical patent/WO2005114949A1/fr
Publication of WO2005114949A1 publication Critical patent/WO2005114949A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • TECHNICAL FIELD 0 The present disclosure relates to security and, more particularly, to a method and system for computer security.
  • Computer security attempts to ensure the reliable operation of networking and computing resources and attempts to protect information on the computer or network from unauthorized access or disclosure.
  • Computer system(s) as referred to herein may include(s) individual computers, servers, computing resources, networks, etc. Among the various security
  • HTTP hypertext transfer protocol
  • Computer viruses are programs that can infect other programs by modifying them in such a way as to include a copy of themselves.
  • HTTP is a client/server request/response type protocol used by the web. HTTP specifies that a client open a connection to a server and send a request using a specified format. The server may then respond and then close the connection. Using HTTP, hackers can very easily attack a web site with nothing more than a web browser and basic knowledge of a scripting language (e.g., SQL).
  • a scripting language e.g., SQL
  • HTTP attacks can be devastating because they may allow hackers to obtain customer information, steal company assets, and falsify information; effectively destroying a web site.
  • Examples of HTTP attacks include, cookie positioning (allows for encrypted customer data to be altered), parameter modification (allows hackers to gain access to confidential data by modifying the parameters in the uniform resource locator (URL)), cross site scripting (allows hackers to re-direct customers to another web site), etc.
  • System administrators responsible for the efficient operation of computer networks may use many different techniques to protect the system from such attacks. Those techniques may include installing firewalls, utilizing virus checking software to detect viruses, and employing patching software to counteract contracted viruses.
  • a firewall is basically a separate computer system and/or software system composed of a set of related programs that is placed between a private computer system and a public network (i.e., Internet).
  • a firewall provides security protection to the system by screening incoming requests and preventing unauthorized access.
  • Firewalls operate by working with router programs to determine the next destination to send information packets, ultimately deciding whether or not to forward the packets to that location. Firewalls can also impose internal security measures on users in the system by preventing them from accessing certain materials, such as websites on the World Wide Web, that may have unknown and potentially dangerous security consequences.
  • Proxy servers often associated with firewalls, are programs that act as inte ⁇ nediaries between web servers and web browsers.
  • proxy servers forward requests from users in the private network through the firewalls to Internet services, retrieve the requested information, and return it to the web server.
  • Reverse proxy servers work like normal proxies; however, they operate in the reverse. That is, they forward requests from the Internet through the firewall to the private network's web server, retrieve the requested information, and return it to the Internet user.
  • currently available proxies may not successfully block out all attacks on the private network's web server.
  • Reverse proxy servers address non-HTTP attacks, attacks on other services running on the network, leaving the network's web server vulnerable to HTTP attacks.
  • a security plan for a web site may include a firewall between the public network (Internet) and the web server that locks down unused Internet ports.
  • Virus checking software operates to protect the network from the spread of viruses by detecting the virus and isolating or removing the viral code.
  • Virus checking software may be employed in each computer connected to the network (through the desktop) and/or at the server level (through the firewall).
  • Virus checking software may contain a list of previously defined virus signatures, containing the binary patterns of a virus, each associated with a virus and scan the various files of the system looking for a match to a particular virus signature.
  • a method for maintaining computer security includes providing a signature file, receiving an incoming message from at least one client computer, comparing the received incoming message with the signature file to determine whether the incoming message is malicious and blocking the incoming messages determined to be malicious from reaching a web server.
  • a system for maintaining computer security includes a signature file, a web server, and a proxy machine receiving an incoming message from al least one client computer, comparing the received incoming message with the signature file to dete ⁇ nine whether the incoming message is malicious and blocking incoming messages determined to be malicious from reaching the web server.
  • a computer storage medium including computer executable code for maintaining computer security includes code for accessing a signature file, code for receiving an incoming message from at least one client computer, code for comparing the received incoming message with the signature file to determine whether the incoming message is malicious, and code for blocking the incoming messages determined to be malicious from reaching a web server.
  • Figure 1 illustrates an example of a computer system capable of implementing the method and apparatus of the present disclosure:
  • Figure 2 is a block diagram illustrating a system of maintaining computer security according to an embodiment of the present disclosure;
  • Figure 3 is a block diagram illustrating the basic architecture of a proxy machine according to an embodiment of the present disclosure;
  • Figure 4 is a block diagram illustrating the relationship between a proxy machine and a signature file according to an embodiment of the present disclosure:
  • Figure 5 is a block diagram illustrating the relationship between a proxy machine and a signature file according to an alternate embodiment of the present disclosure;
  • Figure 6 is a block diagram illustrating the relationship between a proxy machine and a signature file according to an alternate embodiment of the present disclosure: and
  • Figure 7 is a flow chart for describing operation of the proxy machine.
  • FIG. 1 shows an example of a computer system which may implement the method and system of the present disclosure.
  • the system and method of the present disclosure may be implemented in the form of a software application running on a computer system, for example, a mainframe, personal computer (PC), handheld computer, server, etc.
  • the software application may be stored on a recording media locally accessible by the computer system, for example, floppy disk, compact disk, hard disk, etc., or may be remote from the computer system and accessible via a hard wired or wireless connection to a network, for example, a local area network, or the Internet.
  • the computer system referred to generally as system 100 may include a central processing unit (CPU) 102, for example, Random Access Memory (RAM), a printer interface 106, a display unit 108. a (LAN) local area network data transmission controller 110, a LAN interface 112, a network controller 114. an internal bus 1 16, and one or more input devices 1 18, for example, a keyboard, mouse etc.
  • the system 100 may be connected to a data storage device, for example, a hard disk, 120, via a link 122.
  • a system for maintaining computer security is described with reference to Figure 2.
  • a proxy machine 22 provides an interface between a client web server 21 and the Internet 24.
  • DNS domain name service
  • Web server 21 points to proxy machine 22.
  • Signature file 23 contains information about known vulnerabilities and exploits and makes this information available to proxy machine 22.
  • proxy machine 22 works to protect client web server 21 from malicious HTTP attacks.
  • a system such as one of client computers 25, attempts to access web server 21 via the Internet 24, the HTTP access request message first goes through proxy machine 22.
  • Proxy machine 22 determines, based on the signatures in signature file 23, whether the received message from client computer 25 is malicious. If proxy machine 22 determines that the message from client computer 25 is in fact malicious, proxy machine 22 blocks the message from ever going to web server 21, thereby preventing it from ever exploiting web server 21. On the other hand, if proxy machine 22 determines that the message from client computer 25 is not malicious, it will forward it to web server 21 To illustrate this concept further, a client computer 25 on Internet 24 may attempt a buffer overflow attack on web server 21. which is an example of the type of attack which can be detected by the present disclosure. A buffer overflow attack occurs when a program attempts to write more data onto a buffer area in web server 21 than it can hold.
  • a HTTP header contains the Universal Resource Locator (URL) of the resource to be retrieved from a web server.
  • URL Universal Resource Locator
  • client computer 25 tries to send a URL to web server 21 that is over 4,096 bytes long, the signature in signature file 23 will tell proxy machine 22 that because the URL in the HTTP header is longer than the defined length, it should be blocked from reaching the web server 21.
  • FIG. 3 illustrates the basic architecture of proxy machine 22 and Figure 7 is a flow chart for explaining the operation of proxy machine 22 according to embodiments of the present disclosure.
  • proxy server 22 is composed of an HTTP message parser module 31 , an HTTP message analyzer module 32 and an HTTP message reassembly module 33.
  • the HTTP message parser module 31 receives an incoming message (Step S2), parses the incoming message (Step S4) and converts it into an internal structure that HTTP message analyzer module 32 recognizes (Step S6).
  • the data in the internal structure is then compared with the information in signature file 23 by HTTP message analyzer module 32 (Step S8). If HTTP message analyzer module 32 finds a match in signature file 23 (YES, Step SI 0), the message is blocked from ever reaching web server 21 (Step SI 2).
  • proxy machine 22 may also update a log with information specifying the time and type of attack detected in the malicious message. According to another embodiment, proxy machine 22 may make noie of the machine that sent the malicious message and then automatically block any additional messages from that sending machine and/or prompt the user that this sending machine is again attempting access to the server.
  • Step SI 4 If there is no match in signature file 23 (NO, Step S 10), the message is reassembled into its original HTTP message format by HTTP message reassembly module 33 (Step SI 4) and is then sent to web server 21- (Step SI 6).
  • signature file 23 is periodically updated to protect against the most up to date attacks. To do so, signature file 23 periodically accesses FTP Server 41 via the Internet 24 and downloads the latest versions of signature files 42.
  • proxy machine 22 instead of proxy machine 22 getting information from signature file 23, proxy machine 22 queries a remote database 51 for matching signatures.
  • a service center 61 automatically sends updated signature files to signature file 23 periodically or whenever a new attack is discovered. 1
  • the present method and system thus provides an efficient and convenient way to protect a computer system from malicious attacks. Numerous additional modifications and variations of the present disclosure are possible in view of the above-teachings. It is therefore to be understood that within the scope of the appended claims, the present disclosure may be practiced other than as specifically described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Virology (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

La présente invention concerne un procédé et un système pour maintenir une sécurité informatique. Ce procédé consiste à disposer d'un fichier signature, à recevoir un message entrant en provenance d'au moins un ordinateur client, à comparer le message entrant reçu au fichier signature, afin de déterminer si le message entrant est malveillant, puis à empêcher les messages entrants qui ont été déterminés comme malveillants d'accéder à un serveur Web.
PCT/US2004/012112 2004-04-19 2004-04-19 Systemes et procedes de securite informatique WO2005114949A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2004/012112 WO2005114949A1 (fr) 2004-04-19 2004-04-19 Systemes et procedes de securite informatique

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2004/012112 WO2005114949A1 (fr) 2004-04-19 2004-04-19 Systemes et procedes de securite informatique

Publications (1)

Publication Number Publication Date
WO2005114949A1 true WO2005114949A1 (fr) 2005-12-01

Family

ID=34957635

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/012112 WO2005114949A1 (fr) 2004-04-19 2004-04-19 Systemes et procedes de securite informatique

Country Status (1)

Country Link
WO (1) WO2005114949A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007078365A1 (fr) * 2005-12-30 2007-07-12 Honeywell International Inc. Système et procédé pour sécurité de réseau
US12131294B2 (en) 2012-06-21 2024-10-29 Open Text Corporation Activity stream based interaction
US12149623B2 (en) 2018-02-23 2024-11-19 Open Text Inc. Security privilege escalation exploit detection and mitigation
US12164466B2 (en) 2010-03-29 2024-12-10 Open Text Inc. Log file management
US12197383B2 (en) 2015-06-30 2025-01-14 Open Text Corporation Method and system for using dynamic content types
US12235960B2 (en) 2019-03-27 2025-02-25 Open Text Inc. Behavioral threat detection definition and compilation
US12261822B2 (en) 2014-06-22 2025-03-25 Open Text Inc. Network threat prediction and blocking
US12282549B2 (en) 2005-06-30 2025-04-22 Open Text Inc. Methods and apparatus for malware threat research
US12301539B2 (en) 2022-03-11 2025-05-13 Open Text Inc. Network threat prediction and blocking

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5623600A (en) * 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks
EP1385303A2 (fr) * 2002-07-22 2004-01-28 Symantec Corporation Procédé et dispositif pour empêcher la propagation du logiciel malveillant

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5623600A (en) * 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks
EP1385303A2 (fr) * 2002-07-22 2004-01-28 Symantec Corporation Procédé et dispositif pour empêcher la propagation du logiciel malveillant

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Trend Micro Competitive Web Security: Performance Testing", VERITEST, August 2003 (2003-08-01), XP002291738, Retrieved from the Internet <URL:http://www.veritest.com/clients/reports/trendmicro/trend_interscan.pdf> [retrieved on 20040809] *
"Trend Micro InterScan Web Security Suite Getting Started Guide", September 2003, TREND MICRO INCORPORATED, CUPERTINO, CA., 95014 USA, XP002291739 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12282549B2 (en) 2005-06-30 2025-04-22 Open Text Inc. Methods and apparatus for malware threat research
WO2007078365A1 (fr) * 2005-12-30 2007-07-12 Honeywell International Inc. Système et procédé pour sécurité de réseau
US12164466B2 (en) 2010-03-29 2024-12-10 Open Text Inc. Log file management
US12210479B2 (en) 2010-03-29 2025-01-28 Open Text Inc. Log file management
US12131294B2 (en) 2012-06-21 2024-10-29 Open Text Corporation Activity stream based interaction
US12261822B2 (en) 2014-06-22 2025-03-25 Open Text Inc. Network threat prediction and blocking
US12197383B2 (en) 2015-06-30 2025-01-14 Open Text Corporation Method and system for using dynamic content types
US12149623B2 (en) 2018-02-23 2024-11-19 Open Text Inc. Security privilege escalation exploit detection and mitigation
US12235960B2 (en) 2019-03-27 2025-02-25 Open Text Inc. Behavioral threat detection definition and compilation
US12301539B2 (en) 2022-03-11 2025-05-13 Open Text Inc. Network threat prediction and blocking

Similar Documents

Publication Publication Date Title
US10757120B1 (en) Malicious network content detection
US8539582B1 (en) Malware containment and security analysis on connection
US9027135B1 (en) Prospective client identification using malware attack detection
US10068091B1 (en) System and method for malware containment
US7788723B2 (en) Method and apparatus for identifying computer vulnerabilities using exploit probes and remote scanning
US8074277B2 (en) System and methodology for intrusion detection and prevention
US7509675B2 (en) Non-invasive monitoring of the effectiveness of electronic security services
JP5845258B2 (ja) 悪意のあるソフトウェアに対するローカル保護をするシステム及び方法
US10165000B1 (en) Systems and methods for malware attack prevention by intercepting flows of information
CN1612532B (zh) 基于主机的网络入侵检测系统
US8769687B2 (en) Network security architecture
US9628498B1 (en) System and method for bot detection
US7757287B2 (en) Systems and methods for computer security
US20070039053A1 (en) Security server in the cloud
Suroto A review of defense against slow HTTP attack
US8434149B1 (en) Method and apparatus for identifying web attacks
US7523501B2 (en) Adaptive computer worm filter and methods of use thereof
CN119232423A (zh) 区块链管理服务器用的防护系统
WO2005114949A1 (fr) Systemes et procedes de securite informatique
US8407792B2 (en) Systems and methods for computer security
Kumar Dos attacks on cloud platform: Their solutions and implications
Bux et al. Detection of malicious servers for preventing client-side attacks
TWI764618B (zh) 網路資安威脅防護系統及相關的前攝性可疑網域示警系統
Andrade et al. Dirt Jumper: A New and Fast Evolving Botnet-for-DDoS
Franklin Protecting the web server and applications

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载