This invention relates generally to computer network security methods and apparatus, and more particularly to a heuristic computer firewall.
Conventional rule-based computer security firewalls are based upon varyingly complex sets of rules, or xe2x80x9crule basesxe2x80x9d. Data packets that enter such a firewall are compared to information in, and rules of; one or more rule bases to determine whether the data packets should be allowed to pass through the firewall. Rule bases are structured around concepts of logical comparisons (e.g., Boolean) and sequential rule flow (e.g.,. top to bottom) through a list of rules. As rule bases become more complex, they require more system and processor overhead. Consequently, organizations that use firewalls often compromise between rule base complexity and perceived required data throughput; sacrificing some amount of security in favor of performance.
Human intervention is often required to switch between simple and complex rule bases, and even the most complex rule bases process data in the same logical, linear fashion, as do the simpler rule bases. Moreover, due to data storage constraints, logical analysis limitations, and processor overhead requirements associated with large complex rule bases, conventional firewalls are static objects that are only as secure as the knowledge and ability of the firewall-administrator permits, and such firewalls do not learn from, nor adapt to, data flowing through them. Conventional firewalls thus cannot perform the pattern matching and analysis requirements associated with mitigating the security threats posed by the computer xe2x80x9ccrackersxe2x80x9d of today and tomorrow.
It would therefore be desirable to provide methods and apparatus for a heuristic firewall that can learn from and adapt to data flowing through them to better mitigate such security threats. It would also be desirable to provide methods and apparatus that combine multiple analysis methodologies to provide a higher level of functionality than that of conventional firewalls. It would further be desirable for such methods and apparatus to address multiple areas of computer network security. Additional desirable features include providing solutions to known computer security threats, dynamically adapting to new and future computer security exploit attempts, and analyzing and responding to undesirable out-of-band (OOB) and/or covert channel communications activity.
There is therefore provided, in one embodiment of the present invention, a method for processing packets in a computer communication network that includes steps of analyzing a packet stream using at least a first heuristic stage trained to recognize potentially harmful packets; assigning a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and selecting packets for further analysis in accordance with their assigned confidence rating.
This exemplary embodiment overcomes disadvantages of previous methods for providing firewall security and is able to learn from and adapt to data flowing through a network to provide additional network security.