1. Technical Field
The present invention relates generally to computer networks and in particular to security of computer networks. Still more particularly, the present invention relates to methods for detecting intrusion and/or intrusion activity on computer networks.
2. Description of the Related Art
In an age where commercial, governmental and military communications and transactions depend on the reliability and security of computer networks, protecting computer networks from attacks and/or ensuring the security of those networks presents significant challenges for network administrators. The damage potentially caused by such attacks may be detrimental to the organization and is often not easily repaired. Depending on the type of organization, whether private or government, a successful attack on a key network may compromise financial accounts, immigration controls, intelligence flows or a host of other sensitive information maintained on the particular network. Such attacks are often the result of a lack of adequate security on the networks or utilization of out-dated security measures, which the attacker(s) are able to breach.
Traditionally, network security was provided solely by human observation, performed by a network administrator or system/network analyst. With this method of security, the analyst expends a substantial amount of time sifting through very extensive and cumulative records of interactions that are mostly harmless. As computer networks continue to expand both in size (number of devices/nodes) and complexity, the sheer volume of traffic on any sizeable network renders ineffective such conventional systems for network security that depended wholly on human observation.
In response, computer-based mechanisms have evolved for detecting network intrusion. Currently, analysts utilize either event-based or rule-based intrusion detection systems (IDS). Rule-based systems are triggered by specific actions such as unauthorized access to a sensitive file. Event-based (or correlation) systems search for combination of actions that together constitute a possible threat. Both systems are designed to filter out harmless traffic while passing on potential threats for the analyst to examine. As with other conventional IDSes, both systems are static in nature, i.e., they do not adapt to changes in the types of attacks directed at the network.
These conventional IDSes look at events without any reference to context and generally produce a high number of false positives, which may potentially overwhelm the analyst. For example, event-based systems present an alarm whenever an event occurs. After looking at that event in the context of other available information, that alarm is often useless noise or even a calculated distraction to take the analyst's attention off of some other threat. Rule-based systems become unwieldy on attacks that involve multiple attackers (for example, coordinated insider-outsider attacks) because the set of rules that must be maintained to distinguish between threats and non-threats is too large. Further, these rule-based systems usually do not integrate data from multiple sources. Additionally, the provided rules are not dynamically adjusted, and thus must be manually updated to detect other (new) types of threats that are not specifically defined within the rules. That need for manual recoding translates into network vulnerability in the interval before new types of attacks are documented.
Thus, while conventional computer-based IDSes provide valuable assistance to the analyst, they do not completely address the problem inherent with modern security threats, which continually evolve as the intruder(s) become more intelligent and/or change their methods of attack to overcome these static mechanisms.
These conventional network-based intrusion detection systems analyze each event (or packet, or session) in isolation, without considering the context of the events or the communication structure of other activity that is also occurring on the network. That is, current intrusion detection systems either consider security events in isolation or utilize an aggregation approach that involves simply counting the numbers of events in a given category. While these mechanisms typically analyze a single user's activity or activity at a single network device in isolation, the methods utilized to breach the security protocols of the networks continually evolve and often involve multiple users and/or multiple network devices. As a result, these conventional systems are plagued by high false alarm rates and suboptimal true positive rates. They also have a general inability to detect either “insider” attacks or coordinated attacks that require a set of attackers working together.