1. Field of the Invention
The invention relates to a computer network security system. More specifically, the invention provides a system and method allowing network access and proactively detecting and preventing unauthorized intrusion of the network based upon real-time assessment of behavior and intent.
2. Discussion of the Related Art
The development of network computing has allowed widely dispersed users to interact, communicate, and share resources via a computer network. The interconnected nature of networks makes them susceptible to intrusion by unauthorized users. Network intruders may range from innocent users who inadvertently gain access to information intended for delivery to another party to sophisticated and highly skilled intruders intending to access a secured site to inflict damage or perpetrate theft.
Conventional network intrusion detection systems can be divided into two different approaches: i.) pattern matching systems; and ii.) anomaly detection systems. Pattern matching systems operate by observing an intruder and looking for a set pattern based upon previous activity. Over time, through the observation of different intruders, a collection of patterns is compiled and may be used for broad-based detection of previously observed attacks. While this approach can provide broad protection against known or observed intrusion techniques, it does not protect against new intrusion techniques.
More recently, anomaly detection systems have been developed that generate statistical profiles of normal activity for a specific network or subnet. These profiles are usually generated via standard statistical methods or by self-adjusting neural networks that learn statistically “normal” responding on a network. If a user appears outside of the “norm,” then a warning may be issued or the user may be blocked. Non-normal activity may include any activity not falling within previously identified activity that is deemed allowable. Unfortunately, authorized users, as well as others who present no threat of damage or theft, can exhibit “non-normal” activity and can have access blocked or terminated, as well as intended intruders. Furthermore, because these past activity profiles are developed for a specific network, they cannot be carried over and incorporated into other networks.
Both the conventional pattern matching and anomaly detection network security systems are based upon either capturing the past activity of intruders labeled as harmful or capturing the past activity of non-intrusion activity labeled as statistically normal. However, these systems are unable to proactively prevent intrusion damage created by first time attacks or even modifications of previous attacks. In general, the earlier an attack can be detected, the less overall damage it can cause to a victim.