As e-commerce, or doing business over the Internet, becomes a way of life rather than being characterized as novel commercial activity, protecting computer systems against malicious attacks or alleged pranks becomes vital to both businesses and individuals because of potential economic disasters. In other words, because businesses and individuals are becoming more and more dependent upon computer networks that are integrated with the Internet, any interruptions in service or attacks on such computer systems could have devastating financial repercussions.
Security threats come in a variety of forms and almost always result in a serious disruption to a network. Hackers can gain unauthorized access by using a variety of readily available tools to break into the network. The hacker no longer needs to be an expert or understand the vulnerabilities of the network; they only need to select a target and attack, and once in, the hacker has control of the network. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aim to disable a device or network so users no longer have access to network resources. Using Trojan horses, worms, or other malicious attachments, hackers can plant such attack tools on countless computers. Worms are programs designed to infect networks, such as the Internet. A worm travels from network to network, replicating itself along the way. Trojan horses pretend to be a program that the user wishes to launch. A Trojan horse can be a program or file that disguises itself as a normal, helpful program or file but is in fact a virus.
In addition, viruses can attach to email and other applications and damage data and cause computer crashes. A computer virus is a broad term for a program that replicates itself. A virus can cause many different types of damage, such as deleting data files, erasing programs, or destroying everything found on a computer hard drive. Not every virus can cause damage; some viruses simply flash annoying messages on a computer screen. A virus can be received by downloading files from the Internet to a personal computer or through electronic mail. Users increase the damage by unknowingly downloading and launching viruses. Viruses are also used as delivery mechanisms for hacking tools, putting the security of the organization in doubt, even if a firewall is installed. Hackers can deploy sniffers to capture private data over networks without the users of this information being aware that their confidential information has been tapped or compromised.
As noted above, the nature of a distributed network makes it vulnerable to attack. The Internet was designed to allow for the freest possible exchange of information, data, and files. However, this free exchange of information carries a price: some users will try to attack the Internet and the computers connected to it, while others will try to invade other users' privacy, attempt to crack databases of sensitive information, or snoop around for information as it travels across a network.
The field of managed security grew out of a need by companies with distributed networks to protect and monitor the devices on their networks against attacks. Through a thorough understanding of the devices and network topology, security providers attempt to monitor the network, and the data flowing through it, to recognize a potential attack or security event before the network is adversely affected. Security providers typically monitor a customer's network by obtaining information from intrusion detection sensors and other network devices. One conventional method of analyzing this data is to have security engineers manually look at one or more screens of data representing customers' networks to determine if an attack is occurring. However, even in a relatively small network, the network traffic can generate an excessive amount of data, such that it is unlikely that the security engineer could spot all or even most of the attacks.
In addition, the conventional method is not an efficient and effective use of engineering resources. Instead of searching to determine where a problem might be, it would be more efficient to signal the security engineers when network usage is outside a predetermined norm, so that the engineer's time is spent solving, not searching for, the problem. Furthermore, under the conventional method, security providers have difficulty retaining qualified security personnel because the monotonous time spent looking for problems is mentally and physically stressful, leading to a high burnout rate.
Accordingly, there is a need in the art for an automated system for receiving categorized event data representing a type or severity of an attack on the network and comparing the count of each category of event data to a normal count of potential attacks on the device to determine if an alert should be generated, the alert representing a significant increase in one or more types of attacks on the device. Furthermore, there is a need in the art for generating a normalized profile of event count data for each device in the network and updating this normalized profile as the network matures so that a determination can be made if activity rises to the level such that alerts should be triggered and action should be taken by the security engineers.
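The scheme described in the two preceding paragraphs, as an added illustration that is not part of the original text: categorized events are counted per device and per category for each monitoring interval, each count is compared against a normalized profile built from earlier intervals, an alert is raised only when the count is significantly above that norm, and the profile is then updated so it matures with the network. The threshold rule (mean plus K standard deviations with a small absolute floor), the device names, the categories and the sample event stream are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
K = 3.0          # assumed rule: alert when count > mean + K * stddev of the profile
MIN_SAMPLES = 3  # assumed: no alerts until the profile holds this many intervals
MIN_ABS = 5      # assumed floor: a quiet device must not alert on a handful of events

def count_events(events):
    """Count categorized events per (device, category) for one monitoring interval."""
    counts = Counter()
    for ev in events:
        counts[(ev["device"], ev["category"])] += 1
    return counts

class DeviceProfile:
    """Normalized profile: per-interval count history keyed by (device, category)."""
    def __init__(self):
        self.history = defaultdict(list)

    def check(self, counts):
        """Return (device, category, count, norm) for counts significantly above norm."""
        alerts = []
        for key, n in counts.items():
            hist = self.history[key]
            if len(hist) < MIN_SAMPLES:
                continue                     # baseline not mature enough to judge
            mu, sigma = mean(hist), pstdev(hist)
            if n >= MIN_ABS and n > mu + K * sigma:
                alerts.append((key[0], key[1], n, round(mu, 1)))
        return alerts

    def update(self, counts):
        """Fold this interval into the profile (zero for keys seen before but quiet now)."""
        for key in set(self.history) | set(counts):
            self.history[key].append(counts.get(key, 0))

def make_events(device, category, n):  # constructed sample input, one dict per event
    return [{"device": device, "category": category} for _ in range(n)]

def run_intervals(intervals):
    """Check each interval against the profile, then mature the profile with it."""
    profile, out = DeviceProfile(), []
    for events in intervals:
        counts = count_events(events)
        out.append(profile.check(counts))
        profile.update(counts)
    return out

# Constructed sample: fw1 sees a steady trickle of port-scan events, then a spike.
SAMPLE_INTERVALS = [make_events("fw1", "port_scan", n) for n in (4, 5, 4)] + [
    make_events("fw1", "port_scan", 5) + make_events("ids2", "dos", 7),
    make_events("fw1", "port_scan", 40)]
```

Calling `run_intervals(SAMPLE_INTERVALS)` yields no alerts for the first four intervals (the profile is still maturing, and a count of 5 is within the norm) and one alert for the fifth, where 40 port-scan events against a norm of 4.5 per interval is flagged for the engineer.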