The present invention relates generally to intrusion detection, and more particularly to communicating intrusion-related information between Internet service providers.
The Internet has grown tremendously over its lifetime. The Internet has changed the way people interact, both professionally and personally. People rapidly communicate across enormous distances via email. Businesses attract new customers from around the globe via Web pages. Further, people can now shop on-line, purchasing an item from a Web page and having the item delivered to their front door without them ever leaving their home.
In addition to its many benefits, the Internet's growth and popularity has unfortunately also resulted in an increase in the number of attacks directed at a computer or network. Attacks can come in a variety of forms, such as worms, viruses, scans, Denial of Service attacks, and malware. These attacks are the result of someone trying to break into, shut down, or misuse (e.g., by sending unsolicited email from) a victim's computer system or network. These attacks can have a detrimental effect on the system or network. A denial of service attack (DoS) can lead to problems in the targeted computer and/or problems in the network branches around the targeted computer. For example, the bandwidth of a router between the Internet and a local area network (LAN) may be consumed by a DoS. The attack therefore may not only compromise the intended computer but may disrupt the entire network.
To detect these intrusions, computer system owners often employ an Intrusion Detection System (IDS). A network IDS, or NIDS, monitors packets on the network and typically attempts to discover an intruder by matching the monitored packets to a database of known attack packet patterns. For example, a NIDS can search for a large number of TCP connection requests to many different ports on a target machine, thus discovering whether someone is attempting a TCP port scan on the target machine.
The detection and classification of attacks can, however, be inaccurate. As the volume and speed of packets traversing a network increase, the job of detecting attacks becomes more and more difficult. Further, in addition to detecting intrusions, a NIDS can sometimes classify non-intrusive actions as intrusions. Because attacks are few relative to the vast number of packets traversing the Internet, recognizing which of the relatively few positives are false becomes extremely burdensome and challenging. If a false positive is not recognized as such, resources may be wasted trying to counter the supposed “attack”. Further, a NIDS may mistakenly drop packets associated with a false positive, thereby affecting the application waiting for those packets. Thus, there remains a need to facilitate more accurate intrusion detection.
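The following is an added illustration, not part of the patent text, of the port-scan pattern match described above and of the threshold trade-off behind the false positives just discussed. It models a NIDS that watches TCP connection requests and raises an alert when one source contacts more than a threshold number of distinct ports on one target within a short time window. The record type, the function names, the threshold and window values, and the sample traffic (addresses drawn from documentation ranges) are all constructed for this example.

```python
"""Toy NIDS port-scan detector (added example; not from the patent).

Detection rule: alert on (source, target) pairs that touch more than
`port_threshold` distinct destination ports within any `window` seconds.
The threshold/window values below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnRequest:
    """One observed TCP connection request (SYN) on the monitored link."""
    ts: float      # seconds since capture start
    src: str       # source IP address
    dst: str       # target IP address
    dport: int     # destination TCP port


def detect_port_scans(requests, port_threshold=10, window=5.0):
    """Return {(src, dst): max_distinct_ports} for pairs that exceed
    port_threshold distinct destination ports inside a `window`-second
    sliding window. Pairs that never exceed it are absent."""
    by_pair = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_pair[(r.src, r.dst)].append(r)

    alerts = {}
    for pair, reqs in by_pair.items():
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while reqs[end].ts - reqs[start].ts > window:
                start += 1
            ports = {r.dport for r in reqs[start:end + 1]}
            if len(ports) > port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def sample_requests():
    """Constructed traffic: a fast scanner, a benign client, and a slow scanner."""
    reqs = []
    # Fast scanner: 30 distinct ports on one target within about 1.5 seconds.
    for i in range(30):
        reqs.append(ConnRequest(ts=i * 0.05, src="203.0.113.9",
                                dst="192.0.2.10", dport=1 + i))
    # Benign client: repeated connections to three service ports over a minute.
    for i in range(30):
        reqs.append(ConnRequest(ts=i * 2.0, src="198.51.100.4",
                                dst="192.0.2.10", dport=(80, 443, 22)[i % 3]))
    # Slow scanner: 15 distinct ports spread over 60 seconds (4 s apart).
    for i in range(15):
        reqs.append(ConnRequest(ts=i * 4.0, src="203.0.113.77",
                                dst="192.0.2.10", dport=1000 + i))
    return reqs


if __name__ == "__main__":
    for pair, n in detect_port_scans(sample_requests()).items():
        print(f"ALERT port scan {pair[0]} -> {pair[1]}: {n} distinct ports")
```

With the default settings only the fast scanner is reported. The benign client never exceeds three distinct ports in any window, so it stays quiet; lowering the threshold to catch slower scans would start flagging such legitimate multi-service clients, which is exactly the false-positive pressure the passage describes. The slow scanner also goes unreported, showing the other side of the same trade-off: a short window bounds false positives but lets a scan that is spread out in time pass unnoticed.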