Many systems in the modern world rely upon networks in order to operate. Accordingly maintaining the security of such networks in the face of security attacks is ever more crucial. As global networks scale up, in terms of traffic, volume and speed, effective attribution of attacks is increasingly difficult. The problem is due to a combination of several factors. A number of these factors are directly related to network scale in particular: the volume of data processed or network traffic monitored; the size of networks or systems generating such data or traffic; and the speed of at which data or traffic is generated. These factors are further confounded by the presence upon many networks of increasing volumes of non-productive traffic, which serves as noise.
In addition to the above factors, there is the continually growing scale of attack activity. Typically forms of attack on public networks include worms, large scale botnets, and probing. Accordingly, much attention is given to identifying the source of such attacks. This can potentially allow attacks to be attributed and actions taken to block either the attack in progress or future attack from the attributed source.
To help evade attribution, most modern attacks are multi-stage attacks, wherein an attacker manages to use a different machine to launch an attack on the final target. Typically, an attacker would first compromise an intermediary machine and set it up to attack the final target. In many instances there may be several such machines, with each being used to compromise another. Once a complex web of anonymous mechanisms is set up, the attacker can then use these machines for the final attack. Such is the appeal of this approach that several compromised machines are already controlled, commonly known as botnets, by botnet operators who lease out these machines in what has become an established trade in the cybercrime.
The use of multiple stages between attacker and target make it at least very difficult to conduct any reliable attribution. Traditional intrusion detection and prevention systems designed to detect and prevent malicious activity at source can struggle against multi-stage attacks of this type. Where the multi-stage attack is relatively stealthy using low level activity from multiple compromised machines, the attack activity can carry over an extended period of time.
It is therefore an object of the present invention to provide for improved warning of security threats which at least partly overcomes or alleviates some of the above issues.