Computer networks have become an increasingly important means for communicating public and private information between and within distributed locations. The Internet is one example of a public network commonly used for communicating public and private information. Internet web servers provide access to public information, such as news, business information, and government information, which the Internet makes readily available around the world. The Internet is also becoming a popular forum for business transactions, including securities transactions and sales of goods and services. A large number of people have come to depend upon reliable Internet access and secure communications on a day-by-day and even second-by-second basis. Like the Internet, private networks also have become common means for communicating important information. Private networks, such as company intranets, local area networks (LANs), and wide area networks (WANs) generally limit access on a user-by-user basis and communicate data over dedicated lines or by controlling access through passwords, encryption, or other security measures.
One danger to reliable and secure network communications is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to computer network resources can vary from simple embarrassment to substantial financial losses. For example, serious financial disruptions occur when hackers obtain financial account information or credit card information and use that information to misappropriate funds.
Typically, network administrators use various levels of security measures to protect the network against unauthorized use. Intrusion detection systems are commonly used to detect and identify unauthorized use of a computer network before the network resources and information are substantially disrupted or violated. In general, intrusion detection systems look for specific patterns in network traffic, known as intrusion signatures to detect malicious activity. Conventional intrusion detection systems often use finite state machines, simple pattern matching, or specialized algorithms to identify intrusion signatures in network traffic. Detected intrusion signatures are reported to network administration.
A problem with conventional intrusion detection systems is that when a new vulnerability, or type of attack on the network, is discovered, a new intrusion signature must be generated and installed for each intrusion detection system. As a result, unless a network administrator frequently checks for new signatures developed by an intrusion detection provider and installs the new signatures for each sensor in his or her system, the system will remain vulnerable to the new types of attack. Because new types of attacks appear more frequently than network administrators typically check with an intrusion detection provider for new signatures, networks often remain vulnerable to new types of attacks even though new signatures are available to identify and prevent such attacks.