The invention relates generally to systems and methods for threat detection and response in networked environments.
Attackers employ many different types of attacks to gain unauthorized access to, or to disrupt, networked systems. For example, a denial of service (DoS) attack is an assault on a network that floods the network or a host with a large number of requests such that legitimate traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause lasting damage to data, a DoS attack interrupts network service for some period of time. A distributed denial of service (DDoS) attack uses multiple computers distributed throughout a network to slow or interrupt traffic on a network. The attacker first compromises a number of computers on the network, known as “zombies,” which, when called upon by the attacker, work together to send bogus requests to the target, thereby multiplying the volume of phony traffic.
Another type of attack is a port scan. This type of attack involves sending probes to Internet servers (hosts) in order to determine which services they expose and, by inference, their level of security. On Internet hosts, well-known port numbers are assigned to each standard type of service (for example, TCP port 80 for HTTP), so a response from a port reveals that the corresponding service is listening. Port scanning is commonly performed as reconnaissance to find out whether a network can be compromised. A SYN flood attack is an assault on a network that prevents a TCP/IP server from servicing other users. It is accomplished by sending a large number of connection requests (SYN segments) and never sending the final acknowledgment to the server's SYN-ACK (SYNchronize-ACKnowledge) response in the three-way handshake; the server holds each half-open connection in its backlog and retransmits the SYN-ACK until the connection eventually times out. The source addresses of the requests are, of course, counterfeit, so the SYN-ACKs are sent to hosts that never requested a connection and the attacker cannot be traced. Once the backlog is exhausted, legitimate connection requests are dropped, and SYN flood attacks can thereby overload the server or cause it to crash.
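The following is an added illustration, not part of the original specification, of how the two attack patterns described above (a port scan, and a SYN flood consisting of half-open connections from spoofed sources) can be recognized from traffic records. The packet records are constructed for the example and represent client-side segments observed at a protected server; the thresholds (eight distinct ports within ten seconds for a scan, twenty half-open connections on one listening port for a flood) are assumptions chosen for the example rather than values taken from the specification.

```python
"""Detect port scans and SYN floods over constructed TCP packet records."""
from collections import defaultdict

# Each record: (time_s, src_ip, src_port, dst_ip, dst_port, flags), client-side
# segments only. "S" = SYN, "A" = the ACK that completes the handshake, "R" = RST.


def _legit_client():
    # One normal connection: SYN followed by the final ACK of the handshake.
    return [(0.0, "10.0.0.5", 50000, "192.0.2.10", 443, "S"),
            (0.1, "10.0.0.5", 50000, "192.0.2.10", 443, "A")]


def _port_scan():
    # One source probes ten well-known ports on the same host within two seconds.
    ports = [21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]
    out = []
    for i, port in enumerate(ports):
        t = 1.0 + 0.2 * i
        out.append((t, "10.0.0.77", 40000 + i, "192.0.2.10", port, "S"))
        # A SYN ("half-open") scan resets each probe after the SYN-ACK instead
        # of completing it, so the scanner leaves no half-open connection behind.
        out.append((t + 0.05, "10.0.0.77", 40000 + i, "192.0.2.10", port, "R"))
    return out


def _syn_flood():
    # Thirty spoofed sources each send one SYN to port 80 and never complete it.
    return [(5.0 + 0.01 * i, f"203.0.113.{i + 1}", 1024 + i, "192.0.2.10", 80, "S")
            for i in range(30)]


# Constructed sample traffic (assumed, not captured from a real network).
SAMPLE = sorted(_legit_client() + _port_scan() + _syn_flood())


def detect_port_scans(records, min_ports=8, window_s=10.0):
    """Return {src_ip: distinct_port_count} for every source that sent SYNs to at
    least `min_ports` distinct ports on one destination within `window_s` seconds."""
    syns = defaultdict(list)  # (src_ip, dst_ip) -> [(time, dst_port), ...]
    for t, src, _sport, dst, dport, flags in records:
        if flags == "S":
            syns[(src, dst)].append((t, dport))
    flagged = {}
    for (src, _dst), events in syns.items():
        events.sort()
        for i, (t0, _port) in enumerate(events):
            # Distinct ports probed in the window starting at this SYN.
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
                break
    return flagged


def detect_syn_floods(records, min_half_open=20):
    """Return {(dst_ip, dst_port): (half_open_count, distinct_sources)} for every
    listening port whose number of never-completed handshakes reaches
    `min_half_open`. A SYN stays half-open until the same 4-tuple sends the
    completing ACK or a RST."""
    pending = {}  # (src_ip, src_port, dst_ip, dst_port) -> True while half-open
    for _t, src, sport, dst, dport, flags in records:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = True
        elif flags in ("A", "R"):
            pending.pop(key, None)  # completed or torn down: no longer half-open
    counts = defaultdict(int)
    sources = defaultdict(set)
    for src, _sport, dst, dport in pending:
        counts[(dst, dport)] += 1
        sources[(dst, dport)].add(src)
    return {k: (n, len(sources[k])) for k, n in counts.items() if n >= min_half_open}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE))
    print("SYN floods:", detect_syn_floods(SAMPLE))
```

The two detectors key on different evidence: the scan detector counts distinct destination ports per source regardless of whether the handshake completes, whereas the flood detector counts half-open connections per listening port and reports how many distinct (typically spoofed) sources contribute to them. On the constructed sample the scanner is reported with ten ports, port 80 is reported with thirty half-open connections from thirty sources, and the legitimate client on port 443 triggers neither check.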
Accordingly, the invention provides systems and methods for detecting and responding to network threats, that overcome the disadvantages of known systems and methods while offering features not present in known systems and methods. Although certain deficiencies in the related art are described in this background discussion and elsewhere, it will be understood that these deficiencies were not necessarily heretofore recognized or known as deficiencies. Furthermore, it will be understood that, to the extent that one or more of the deficiencies described herein may be found in an embodiment of the claimed invention, the presence of such deficiencies does not detract from the novelty or non-obviousness of the invention or remove the embodiment from the scope of the claimed invention.