This invention relates in general to the field of computer networks, and more particularly to an intrusion detection system and method having dynamically loaded signatures.
Computer networks have become increasingly important means for communicating public and private information between and within distributed locations. The Internet is one example of a public network commonly used for communicating public and private information. Internet web servers provide access to public information, such as news, business information and government information, which the Internet makes readily available around the world. The Internet is also becoming a popular forum for business transactions, including securities transactions and sales of goods and services. A large number of people have come to depend upon reliable Internet access and secure communications on a day by day and even second by second basis. Like the Internet, private networks also have become common means for communicating important information. Private networks, such as company intranets, local area networks (LANs), and wide area networks (WANs) generally limit access on a user by user basis and communicate data over dedicated lines or by controlling access through passwords, encryption or other security measures.
One danger to reliable and secure network communications is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to computer network resources can vary from simple embarrassment to substantial financial losses. For instance, hackers recently attacked a prominent newspaper web site, disabling the web site and causing the newspaper substantial embarrassment. More serious financial disruptions occur when hackers obtain financial account information or credit card information and use that information to misappropriate funds.
Typically, network administrators use various levels of security measures to protect the network against unauthorized use. Hackers, on the other hand, attempt to find and attack vulnerabilities of the security measures and network devices in order to obtain unauthorized entry to the computer network. Although sophisticated security measures can provide significant barriers to hackers, virtually any security measure can be breached through a vulnerability with enough effort.
Intrusion detection systems are commonly used in networks to detect and identify unauthorized use of the computer network before the network resources and information are substantially disrupted or violated. In general, intrusion detection systems look for specific patterns in network traffic, audit trails, and other data sources to detect malicious activity. Conventional intrusion detection systems often identify patterns, also known as signatures, by analyzing network data with various implementations for identifying the patterns, such as finite state machines, simple pattern matching, or specialized algorithms. Typically, implementations for identifying malicious activity patterns are hard coded as part of the binary code that executes to monitor network data for predetermined patterns and reports detected patterns to network administration.
Conventional intrusion detection systems have a number of difficulties. One significant difficulty is that when a new vulnerability, or type of attack on the network, is discovered, a new signature generally must be incorporated into the software, compiled and redistributed to the intrusion detection systems. Thus, upgrading an intrusion detection system to address a new vulnerability generally requires an entire new compiled binary code. Replacing or modifying the binary code is expensive and time consuming. Further, as binary code becomes longer and more complex, performance of the intrusion detection system may suffer.
Another difficulty with conventional intrusion detection systems is that, when new code is introduced, the intrusion detection system generally must be shut down. However, networks, especially in the corporate environment, usually remain available on a continuous basis. Thus, if an attacker launches an attack against a defended network when the intrusion detection system is turned off for a maintenance upgrade, significant damage can occur.
Another difficulty with conventional intrusion detection systems is the difficulty in modifying the systems to support individualized network needs. For instance, many networks use home-grown application level protocols for specific client server applications, such as user authentication. In order for conventional intrusion detection systems to support such individualized network systems, system-specific binary code must be written and implemented. This process is expensive and time consuming, and typically requires testing of a complete system even when only minor changes are made for adapting the system to a user specific network application. Further, in order to modify an intrusion detection system""s binary code, programmers need access to the entire source code, which can result in unnecessary disclosure of proprietary elements of an intrusion detection system to outside programmers.
Therefore, a need has arisen for a method and system which simplifies the modification of intrusion detection systems to adapt to new network vulnerabilities.
A further need exists for a method and system which supports upgrades to an intrusion detection system in a dynamic manner without shutting down the intrusion detection system.
A further need exists for a method and system which supports upgrades to intrusion detection systems to protect network-specific applications.
In accordance with the present invention, an intrusion detection system and method having dynamically loaded signatures are provided that substantially eliminate or reduce disadvantages and problems associated with previously developed intrusion detection system and methods. An intrusion detection analysis engine instanciates an analysis object using network data. An attack on the network is detected with the instance of the analysis object.
More specifically, network vulnerabilities are identified that could allow an attack on a network. Signatures associated with each network vulnerability are determined by investigating specific patterns of network data associated with an attack on the vulnerability. An analysis object is created for analyzing network data to detect the signature associated with the network vulnerability.
An intrusion detection analysis engine accepts network data from a data collector converter. The intrusion detection analysis engine interfaces with the analysis object through an application programming interface to instanciate the analysis object with the network data. The instance of the analysis object enables the intrusion detection analysis engine to determine whether a signature associated with the network vulnerability exists. If the instance of the analysis object determines that the signature exists, then the intrusion detection system alerts the network of a potential attack.
In one embodiment, the analysis object is dynamically provided to interface with the intrusion detection analysis engine by using the application programming interface. For instance, the analysis object is precompiled into machine language and interfaced with the intrusion detection analysis engine during operation of the intrusion detection analysis engine. In this manner, when a new vulnerability of a network is determined, a new analysis object is created to support detection of a signature associated with the new vulnerability. The new analysis object is interfaced with the intrusion detection analysis engine using the application programming interface on a runtime basis, allowing the intrusion detection analysis engine to detect attacks on the new vulnerability without shutting down the intrusion detection analysis engine.
The present invention provides a number of important technical advantages. One important technical advantage is that the intrusion detection system remains running while new signatures are loaded. This allows continuous monitoring of the network and enhanced reliability for preventing attacks on the network.
Another important technical advantage of the present invention is that each network vulnerability may have an analysis object specifically directed towards detecting attacks for that particular vulnerability. Thus, analysis objects can be loaded as plug-ins as needed for particular networks. Thus, for instance, an intrusion detection system can have specific analysis objects for protecting home-grown application level protocols for specific client server applications such as user authentication. Also, advantageously, performance impacts are minimized as new analysis objects are added. Further, by dynamically loading and unloading specific analysis objects, the present invention reduces the need for modifying entire intrusion detection system binary code as new vulnerabilities are determined.