Modern computerized systems all over the world are often threatened by intrusive attacks. Some attacks are targeted at a specific computer or network for a specific purpose, such as causing damage or collecting specific information. Other attacks, however, are more general and are targeted at a wide range of computers, networks and users.
Intrusion detection systems are constantly attempting to detect intrusive attacks and generate alerts whenever an intrusive attack is identified.
Typical intrusion detection systems are signature-based and/or protocol-analysis-based. Such systems typically include a subset of: port assignment, port following, protocol tunneling detection, protocol analysis, Transmission Control Protocol (TCP) reassembly, flow assembly, statistical threshold analysis, pattern matching and the like.
A typical problem associated with attack detection and prevention relates to the tradeoff between false negative and false positive alerts and blocking. If the intrusion detection is too tolerant, it may miss malicious attacks and prove ineffective. Too strict detection, on the other hand, may identify legitimate activities as suspicious, activate prevention measures and disturb the normal work flow of a system, a user, or an organization. Too strict detection and prevention also require more resources, such as computing time, computing power, storage, and others.
In conventional systems, many false positive alerts are caused by legitimate users performing legitimate but rare activities. Such activities may be either unusual in time or limited to a subset of the system. For example, an IT person of an organization may be assigned to upgrade software required by the employees of a specific department in the organization, for example the finance department. The IT person may then access the computers of the finance department one after the other, change the privileges on each computer, access a web site, download the software, install it and change the privileges back. Many of these actions may generate intrusion alerts that are false positives. Checking these alerts takes significant resources, which incurs high costs for the organization. Even worse, such events may conceal, or make it harder to identify, events caused by a true attack or attack attempts.