The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Service providers are extremely concerned about the stability and security of Internet Protocol (IP) networks. In fact, several wireless network operators have stated that high-volume of malicious user traffic, especially when the network utilization and latency are high, is a source of concern. Such service providers fear that existing network operating systems and procedures are inadequate or traffic analysis is too cumbersome, for the purpose of malicious user detection. As a result, the network may crash before the analysis is completed and the results are understood.
In general, two types of security attacks occur in networks. The first type of attack is performed by an action that is deemed illegal by the network with the intention of contaminating some network information stored in a network element. An example of contaminating network information is contaminating the Address Resolution Protocol (ARP) table of a packet data switch by introducing an erroneous or false Media Access Control/IP (MAC/IP) association. IP address spoofing and MAC address spoofing are launched in this fashion.
The second type of attack is performed by a legal action that is carried out with an exceedingly high intensity, in order to cause a network entity to fail. This is commonly known as a Denial of Service (DoS) attack. A DoS attack is usually done by depleting some network resources. DHCP flooding and ARP table flooding are launched in this fashion. For example, a user may change the network identity (MAC address) and request for an IP address. In DHCP flooding, a malicious user may perform this change exceedingly often over a short period of time and deplete the IP pool so that no one else may obtain an IP address. In ARP table flooding, a malicious user may bombard a network element with bogus MAC and IP address associations. The network element treat each new association as a new device attaching to it and stores it in the ARP table. Eventually, the ARP table will be filled up and the network element will act as a simple bridge and start broadcasting all incoming packets, significantly reducing the performance.
With the advent of programmable networks, a considerable amount of information regarding the condition of network elements is available for making decisions about whether to modify or adjust the network elements to resist an attack. Based on all available information, a network administrator may decide to re-configure one or more network elements, or terminate service completely to individuals or machines that are identified as hackers or malicious users.
However, in prior approaches, information about the state of a network has not been used for making decision of actions against security attacks. In addition, such actions have not been performed with enough granularity, and many harmless users were needlessly affected by actions taken to protect against security threats. Events or actions that utilize the status or states of the network have been termed “adaptive state dependent.”
Based on the foregoing, there is a clear need in this field for an improved method for managing network security. It would be particularly desirable to have a method for managing network security that provides adaptive, state dependent, corrective actions having an appropriate amount of granularity in which the state dependency is reflective of the state of the network.