1. Technical Field of the Invention
The present invention relates to the detection and suppression of network intrusions.
2. Description of Related Art
As enterprises increasingly use the Internet to conduct business, the amount of confidential and sensitive information that is delivered over, and is accessible through, the Internet is also increasing. Unlike the private, dedicated communications networks that enterprises have used for business for the last several decades, which were relatively secure from outside intruders, the Internet and networks connected to an enterprise are susceptible to security threats and malicious eavesdropping due to their openness and ease of access. Recently, there has been an increase in the frequency of attempted breaches of network security, or hacker attacks, intended to access this confidential information or to otherwise interfere with network communications.
Network attacks are becoming not only more prevalent but also more sophisticated and severe, resulting in part from the availability of tools and information on how to conduct these attacks, an increase in hacker sophistication, an increase in the number of network access points that are vulnerable to attack and an increase in the overall amount of confidential information accessible through or delivered over the Internet. These attacks include distributed denial of service attacks, in which an attacker floods a Web site with large numbers of packets or connection requests that overwhelm the Web site and prevent legitimate users from accessing it. Other types of attacks are designed not just to prevent access to a Web site, but also to penetrate its security and allow a hacker to take control of a server and deface the Web site or steal sensitive information. Still other attacks include malicious eavesdropping, which allows a hacker to misappropriate confidential communication transmitted over the Internet. If confidential communications fall into the wrong hands, the business of the enterprise, or at the very least its reputation, may be damaged. Denial of service attacks likewise carry a significant cost and negative publicity. In an attempt to combat all of these types of attacks, enterprises have been increasing their security budgets to address heightened network vulnerability concerns.
Intrusion detection systems are commonly used as one measure of network defense. Such systems are commonly passive systems which operate to monitor traffic, identify portions of the traffic which are suspicious, and then issue alerts or alarms when such traffic is detected. No matter how intelligent or accurate such intrusion detection systems are, they are not typically equipped to take any active measures in response to a suspected attack. Alerts can be generated about each instance of suspicious activity, but this may be of little comfort to the network security administrator, because in many instances, by the time the alert is generated and recognized, it is too late to provide any meaningful response. The damage has already been done. Simply put, knowing about a security breach or potential breach is not the same as stopping damage due to the breach from occurring.
It is accordingly recognized in the art that intrusion detection systems, while providing some beneficial services, are insufficient defense mechanisms against network attacks. Designers have further recognized the need to provide some measure of automatic response to suspected intrusions. Such response mechanisms are intended to extend the intrusion detection system functionality from its conventional passive detection mode to an advanced attack suppression mode. For example, two known active response mechanisms implemented by intrusion detection systems are: (a) session sniping (sending a TCP reset request to the TCP session end-points); and (b) firewall updating (sending a policy configuration request to a firewall or a router). These active mechanisms, however, are generally ineffective and easily bypassed by any attacker having a basic knowledge of how TCP/IP works. In fact, these response mechanisms can be turned against the victim network by launching denial of service response attacks against innocent servers whose addresses are spoofed in the attack, or by incorrectly denying access to legitimate machines.
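The following is an added illustration, not text or code from the patent, of the two active response mechanisms named above and of the failure mode the paragraph describes. It models an intrusion detection sensor's alert log as constructed records using RFC 5737 documentation addresses, applies a prior-art style "block every alert source" firewall update and a session-sniping reset to each alert, and shows that when the offending packets carry spoofed source addresses, both responses cut off machines the enterprise depends on. The `handshake_complete` flag and the handshake-aware policy are assumptions introduced for the example: a sensor that only acts on flows for which it observed a full TCP three-way handshake cannot be steered into blocking a spoofed address, because a spoofed source never completes the handshake.

```python
# Added example (not part of the patent). Simulates session sniping and
# firewall updating over a constructed alert log and measures the collateral
# damage each response causes when the attacker spoofs source addresses.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    src: str   # source address of the packet that raised the alert
    dst: str   # protected host that received the packet
    # Assumption for this example: True only when the sensor tracked a
    # complete TCP three-way handshake for the flow. A spoofed source cannot
    # complete one, since the SYN-ACK goes to the real owner of the address.
    handshake_complete: bool


# Constructed alert log. The attacker (192.0.2.66) has one real connection
# to the protected host and also sends packets whose source addresses are
# those of two machines the enterprise relies on.
ALERTS: List[Alert] = [
    Alert("192.0.2.66", "10.0.0.5", True),
    Alert("203.0.113.10", "10.0.0.5", False),   # spoofed: partner web server
    Alert("198.51.100.53", "10.0.0.5", False),  # spoofed: upstream DNS resolver
    Alert("203.0.113.10", "10.0.0.5", False),   # spoofed again
]

# Constructed list of external hosts that must stay reachable.
LEGITIMATE_PEERS: Set[str] = {"203.0.113.10", "198.51.100.53"}


def naive_firewall_update(alerts: List[Alert]) -> Set[str]:
    """Prior-art style response: push a deny rule for every alert source."""
    return {a.src for a in alerts}


def handshake_aware_firewall_update(alerts: List[Alert]) -> Set[str]:
    """Only deny sources that provably completed a TCP handshake (assumed policy)."""
    return {a.src for a in alerts if a.handshake_complete}


def session_snipe(alert: Alert) -> Tuple[str, str]:
    """Session sniping sends a TCP reset to both end-points of the suspect
    session; return the two addresses that would receive the reset."""
    return (alert.src, alert.dst)


def collateral(blocked: Set[str]) -> Set[str]:
    """Legitimate peers that a firewall update would wrongly deny."""
    return blocked & LEGITIMATE_PEERS


def innocent_reset_targets(alerts: List[Alert]) -> Set[str]:
    """Legitimate peers that session sniping would send resets to."""
    targets: Set[str] = set()
    for a in alerts:
        for addr in session_snipe(a):
            if addr in LEGITIMATE_PEERS:
                targets.add(addr)
    return targets


if __name__ == "__main__":
    print("naive firewall update denies :", sorted(naive_firewall_update(ALERTS)))
    print("  legitimate peers cut off   :", sorted(collateral(naive_firewall_update(ALERTS))))
    print("handshake-aware update denies:", sorted(handshake_aware_firewall_update(ALERTS)))
    print("  legitimate peers cut off   :", sorted(collateral(handshake_aware_firewall_update(ALERTS))))
    print("session sniping resets       :", sorted(innocent_reset_targets(ALERTS)))
```

Run as a script, the naive update denies the partner server and the DNS resolver alongside the attacker, and session sniping sends resets to both of them; the handshake-aware policy denies only the address that actually completed a connection. The point of the model is the one the paragraph makes: a response that trusts the source address of the offending packet is a lever the attacker controls.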
The current state of the prior art with respect to providing such network protection utilizes a software-based intrusion detection system which is implemented on a general purpose processor. A difficulty with such an implementation is that the software cannot be executed quickly enough to make the packet inspections, comparisons and analyses that are required to adequately protect the network. Additionally, because the software-based solution is too slow, these implementations cannot act in a manner to effectively block dangerous traffic from entering the protected network.
It is accordingly recognized that conventional intrusion detection systems, even when equipped with response mechanisms, no longer present an adequate network defense strategy due to their passive listening configuration. It is further recognized that enhanced, active response intrusion detection systems do not provide a sufficient measure of active defense capability. A higher-performance, active network defense system and method are thus needed to protect networks against increasingly sophisticated and more dangerous network attacks.