1. Field of the Invention
The present invention relates to systems and methods for responding to intrusion events detected in a network system. More particularly, the present invention relates to a distributed system of intrusion response by enabling network policy allocation through a plurality of network infrastructure devices.
2. Description of the Prior Art
Computing systems are useful tools for the exchange of information among individuals. The information may include, but is not limited to, data, voice, graphics, and video. The exchange is established through interconnections linking the computing systems together in a way that permits the transfer of electronic signals that represent the information. The interconnections may be either cable or wireless. Cable connections include, for example, metal and optical fiber elements. Wireless connections include, for example, infrared, acoustic, and radio wave transmissions.
Interconnected computing systems having some sort of commonality are represented as a network. For example, individuals associated with a college campus may each have a computing device. In addition, there may be shared printers and remotely located application servers sprinkled throughout the campus. There is commonality among the individuals in that they all are associated with the college in some way. The same can be said for individuals and their computing arrangements in other environments including, for example, healthcare facilities, manufacturing sites and Internet access users. A network permits communication or signal exchange among the various computing systems of the common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represents a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present invention, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
The process by which the various computing systems of a network or internetwork communicate is generally regulated by agreed-upon signal exchange standards and protocols embodied in network interface cards or circuitry and in software, firmware and microcoded algorithms. Such standards and protocols were born out of the need and desire to provide interoperability among the array of computing systems available from a plurality of suppliers. Two organizations that have been responsible for signal exchange standardization are the Institute of Electrical and Electronics Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, the IEEE standards for internetwork operability have been established, or are in the process of being established, under the purview of the IEEE 802 committee on Local Area Networks (LANs) and Metropolitan Area Networks (MANs).
The identified organizations generally focus on the mechanics of network and internetwork operation, less so on rules and restrictions on access to, and the provisioning of services associated with, the network. Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present invention, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication of the offered attached function's identity, that attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of employing the network as an asset. The basis upon which the network administrator grants particular permissions to particular attached functions, together with the permissions themselves, constitutes an established network usage policy. For example, one policy may be that any user (one type of attached function) with an employee identification number is granted access to the enterprise's electronic mail system at a specified bandwidth and QoS level.
Typically, the network administrator establishes policies. The policies may be defined in and regulated through a policy server controlled by the administrator. The established policies are transmitted to and enforced by the devices of the network infrastructure, typically at the entry connection points or ports. As part of the authentication and access process, a particular set of policies is established by the administrator for an attached function. That is, the port at which that attached function is connected to the network infrastructure is configured to effect those policies. For example, QoS, bandwidth, and priority levels may be set at certain values for one identified attached function and at different levels for another attached function. Once that set of policies has been established for that attached function, there is typically no coordinated mechanism to revise the set of policies at any time during the network connection based on a change of circumstances.
Unfortunately, events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, access denial, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying, modifying, or gaining access to data or services. There are currently two generally available forms of network protection designed to minimize such types of network harm: firewalls and Intrusion Detection Systems (IDS). Firewalls are designed to prevent the passage of packets to the network based on certain limited, specific conditions associated with the packets. Firewalls do not permit packet passage for the purpose of further analysis, nor do they enable modification of assigned policies. IDS are designed to observe the packets, the state of the packets, and patterns of usage of the packets entering or within the network infrastructure for harmful behavior. However, the available IDS do not prevent packet entry to the network infrastructure. Further, for the most part, they only alert a network administrator to the existence of potentially harmful behavior but do not provide an automated response to the detected occurrence. There is some limited capability to respond automatically to a detected intrusion. However, that capability is static in nature, in that the response capability is ordinarily restricted to limited devices of the network infrastructure and the response is pre-defined, there being no option to respond dynamically across multiple network infrastructure devices.
For the most part, existing IDS, whether network-based (NIDS), host-based (HIDS) or a combination of the two (NIDS/HIDS), are centrally configured. That is, all detected potentially harmful occurrences are transferred to a central processing function for analysis and, if applicable, alarm reporting. The detection functionality may reside in one or more devices associated with one or more network infrastructure devices. Each device provides its own report to the central processing function with respect only to those packets passing to it. The central processing function then conducts the analysis and the alarm reporting.
Upon receipt of an alarm, the network administrator may do nothing or may manually adjust the state of the entire network infrastructure or of a particular network infrastructure device in response to the detected occurrence. That process takes a relatively significant amount of time, with the response delay potentially allowing increasingly greater harm to the network system as the occurrence continues. If a response is effected, it may, because only a limited number of select entry ports can be acted upon, result in a much more widespread restriction on network usage than the actual occurrence warrants. Further, the use of a centralized processing function is a potential problem in that a failure of the central function affects the entire network infrastructure.
Therefore, what is needed is an improved IDS that provides a rapid response to detected occurrences for which a response is required. Further, what is needed is such an improved IDS that employs a greater portion of the network infrastructure for detection and response. Further, what is needed is a system that enables response, preferably automated response, to detected occurrences in a more focused or granular manner than has heretofore been employed. Yet further, what is needed is such a response system that minimizes the impact on the network infrastructure as a whole when a failure occurs in any one portion of the system.
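The following Python model is an added illustration of the prior-art arrangement described above (per-port policies fixed at authentication, a central IDS processing function, and a manual network-wide administrator response) set beside a port-level response of the kind the text calls for. It is not code from the patent or from any product; the role names, device and port identifiers, policy values and the "scan-pattern" observation label are all constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Network services granted to an attached function: access, bandwidth, QoS, priority."""
    access: bool
    bandwidth_mbps: int
    qos: str
    priority: int


# Constructed usage-policy table keyed by the role established at authentication
# (e.g. "any user with an employee id gets access at a given bandwidth and QoS level").
POLICY_TABLE: Dict[str, Policy] = {
    "employee": Policy(access=True, bandwidth_mbps=100, qos="assured", priority=3),
    "guest": Policy(access=True, bandwidth_mbps=10, qos="best-effort", priority=1),
}
DENY = Policy(access=False, bandwidth_mbps=0, qos="none", priority=0)

Alarm = Tuple[str, str, str]  # (device, port_id, observation)


@dataclass
class Port:
    """An entry port of an infrastructure device; its policy is set once, at authentication."""
    device: str
    port_id: str
    attached_function: Optional[str] = None
    policy: Policy = DENY


def authenticate(port: Port, identity: str, role: str) -> Policy:
    """Policy-server behaviour from the text: identity/role selects the policy applied at the port."""
    port.attached_function = identity
    port.policy = POLICY_TABLE.get(role, DENY)
    return port.policy


class CentralIDS:
    """Centralised processing function: every infrastructure device forwards its observations here."""

    def __init__(self) -> None:
        self.available = True
        self.alarms: List[Alarm] = []

    def report(self, port: Port, observation: str) -> Optional[Alarm]:
        # A failure of the central function silently loses every device's reports.
        if not self.available:
            return None
        if observation == "scan-pattern":  # constructed label for a recognised harmful pattern
            alarm = (port.device, port.port_id, observation)
            self.alarms.append(alarm)
            return alarm
        return None


def network_wide_response(ports: List[Port]) -> int:
    """Coarse manual response: restrict every port. Returns the number of ports affected."""
    for p in ports:
        p.policy = replace(p.policy, access=False)
    return len(ports)


def port_level_response(ports: List[Port], alarm: Alarm) -> int:
    """Granular response: revise only the policy of the port named in the alarm."""
    device, port_id, _ = alarm
    affected = 0
    for p in ports:
        if p.device == device and p.port_id == port_id:
            p.policy = replace(p.policy, access=False, bandwidth_mbps=0)
            affected += 1
    return affected


def scenario(granular: bool, central_up: bool = True) -> dict:
    """Three constructed ports on two devices; the occurrence is observed on switch-A port 2."""
    ports = [Port("switch-A", "1"), Port("switch-A", "2"), Port("switch-B", "1")]
    authenticate(ports[0], "alice", "employee")
    authenticate(ports[1], "bob", "employee")
    authenticate(ports[2], "kiosk", "guest")
    ids = CentralIDS()
    ids.available = central_up
    alarm = ids.report(ports[1], "scan-pattern")
    restricted = 0
    if alarm is not None:
        restricted = port_level_response(ports, alarm) if granular else network_wide_response(ports)
    # Collateral: ports other than the reported one that lost access because of the response.
    collateral = sum(1 for p in ports if not p.policy.access and p is not ports[1])
    return {"alarm_raised": alarm is not None, "ports_restricted": restricted, "collateral": collateral}


if __name__ == "__main__":
    print("network-wide:", scenario(granular=False))
    print("port-level:  ", scenario(granular=True))
    print("central down:", scenario(granular=True, central_up=False))
```

Running the three scenarios shows the two limitations the text identifies: the network-wide response restricts all three ports to act on one, while the port-level response touches only the reported port, and with the central function unavailable no alarm is raised at all, whatever response style is configured.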