1. Field of the Invention
The present invention relates generally to computer processing of data, and in particular to computer evaluation of network activity data. Still more particularly, the present invention relates to a method and system for performing computer evaluation of network activity data to detect attacks.
2. Description of the Related Art
Next-generation cyber threats are emerging in the form of powerful Internet services and tools that automate intelligence gathering, planning, testing, and surveillance. Among these tools are “Search-Engine Hacks” and queries that can retrieve lists of router/switch/server passwords. Vulnerable to these attacks are control panels, accessible cameras, software keys, virtual private network (VPN) connection files, and certain web applications, for example. Examples of these attacks include “Titan Rain,” utilized against governmental facilities, and the Santy worm, which identifies vulnerable sites by searching Google for URLs containing certain application-specific strings. This generation of increasingly sophisticated and automated intelligence-driven cyber attacks, which are often coordinated across multiple domains, is difficult to defeat or even understand with current technology.
Computer Network Defense (CND) and Information Security (InfoSec) are at a great disadvantage against adversaries that mount determined attacks using these new cyber techniques. The “adversary” (e.g., attackers and/or seekers of secure/private information) dictates the manner of response to the attacks by being able to (1) choose the time and place of attack, (2) control the pace of the attack, (3) use automated tools to execute attacks, (4) obfuscate known attacks so that they are not detected, (5) use tactical open source material to understand vulnerabilities of the “victim” (i.e., the entities being attacked), and (6) use strategic open source material to understand the entities that they are attacking.
The above problem is further exacerbated by a lack of situational awareness, because the defender (i.e., the person or entity trying to prevent such attacks) is unable to complete a host of functions required to protect against the attacks. For example, the defender is typically unable to: (1) deal with the overload of real-time information from security devices, (2) accurately identify attacks (both past and ongoing), (3) aggregate reliable and complete information on the networks being defended, (4) understand the motive of attacks, (5) predict future attacks, (6) determine the impact of attacks, and (7) reliably identify the attackers (e.g., the attacker's nationality, location, or IP address).
One traditional method of implementing computer defenses against attacks relies on surveillance detection as an attack predictor. Unfortunately, surveillance detection is difficult because attackers are able to perform search-engine-driven surveillance, such as with Google Hacks, and avoid touching the target (victim) site. Therefore, with this surveillance detection method, the attack observables represent only about 5% of the attacker's total attack time, and this small percentage of observables is inadequate to trigger a warning, given that even benign operations on the site would generate a similar or larger percentage of observables.
Also, although conventional capabilities help detect some potential attacks, the vast number of events occurring on computer networks (such as the Internet) is proving to be overwhelming. Delay in updating signature sets, as well as the vast number (perhaps millions) of daily events, has given network attackers and intruders an increasing advantage. Because of the large number of potential attack signatures, most of which are still being defined/identified or have evolved since they were initially identified, current CND capabilities fall dramatically short of identifying the wider range of attacks that confront networks and systems daily. Further, signature-based systems experience lag time as signature databases are updated and are ineffective once a threat mutates. Clearly, greater capability is required to offset current operational shortfalls.
Additionally, even experienced operators cannot process the vast amount of information presented on a given day to the level required to predict many of the sophisticated and morphing emerging threats. The sheer volume of data collected, combined with the speed and sophistication of the real-time events, may eventually contribute to a catastrophic operational failure of a network, and perhaps of an industry or even a country.
Thus, as is becoming more evident, there is a need for a shift in thinking away from the current reactive approach to CND technology, in which progress is driven only in response to the attackers' innovation.