Computer-based activities are now subject to electronic vandalism. A vandal, who is sometimes called a hacker in this context, may attempt to intrude upon a computer in order to steal information in an act of industrial espionage, or to impede the operation of the computer by implanting a virus or by flooding the computer with bogus information, or to alter records to the detriment or the benefit of another party's interests or reputation.
Computers are often protected against hackers' intrusions by intrusion detection systems. An intrusion detection system observes characteristics of messages that flow from a network into a protected network attachment such as a computer, or that originate locally to the computer. These characteristics may be thought of as a fingerprint or a signature of an event, whether the event is benevolent, malicious, or inconsequential.
More specifically, a signature may include a particular pattern of bits, for example the pattern of bits that identifies logon-password failure. Associated with the signature there may be a threshold that differentiates between attempted intrusions and uneventful occurrences of the signature. For example, the signature may be required to occur J times in K minutes before an intrusion is suspected. Thus the signature “logon-password failure” may be judged to be suggestive of an intrusion attempt when the signature occurs more than five times in twenty minutes.
When the intrusion detection system observes activity that is suggestive of an intrusion, it attempts to minimize the damage done by the intruder. For example, the occurrence of more than five logon-password failures for a given computer account over a twenty-minute interval of time may be a sign that an unauthorized party is attempting to gain access to that account by guessing passwords. To block this unauthorized access, the account under attack may be locked.
Although today's intrusion detection systems provide a useful degree of protection, their effectiveness is limited by the static nature of the signatures and thresholds at their disposal. Once a signature associated with an intrusion has been defined and a threshold set, broader circumstances surrounding any attempted intrusion are not taken into account. This is unfortunate, because hackers' intrusions may have serious commercial or social consequences.
Thus there is a need to improve intrusion detection systems so that they may use the best available information, taking into account circumstances that surround evidence of attempted intrusions, in order to provide the best attainable protection against intruding vandals.