Recently, the amount of Internet traffic has increased enormously. People have become increasingly dependent upon the Internet. At the same time, hacking activities on the Internet have also increased. As people are more dependent upon the Internet, they become more vulnerable to attacks on the servers and client computers.
The increasing threat of intrusion attacks on servers and on the Internet network has created a strong need for mechanisms through which Internet Service Providers (ISPs) can offer safer Internet access to customers without such attacks interrupting the operation of the network and the servers. The ISPs need a complete intrusion protection solution that can detect, prevent, and react to unauthorized activity throughout the network. However, current network architectures lack efficient tools that enable ISPs to provide intrusion attack protection to their customers at wire speed without interrupting their service or adding a significant processing burden to the host servers. Without such efficient mechanisms for intrusion attack protection, ISPs cannot obtain customer confidence in their ability to provide a secure network infrastructure.
In the past, various types of intrusion detection systems have been developed for IP networks such as the Internet. So far, primarily two types of intrusion detection devices have been developed, i.e., host-based intrusion detection systems and network-based intrusion detection systems.
Host-based intrusion detection systems typically run on the host system that they are protecting. Agent software is installed on the host server that is to be monitored. The agent software tracks unauthorized access attempts or other unauthorized activities on the host server. Such systems typically require a certain amount of additional network packet processing by the host servers, thus slowing down the services that the host servers provide.
Network-based intrusion detection systems typically run on the network itself. Typically, agents are installed on LAN (Local Area Network) segments or behind firewalls to monitor and analyze network traffic. These network-based intrusion detection systems typically provide intrusion detection while running in promiscuous mode on the network. They observe the network traffic and compare it against previously identified intrusion attack signatures. Typically, network-based intrusion detection systems cannot operate at the wire speed of the network, so they are incapable of running in in-line mode and taking appropriate action against the attacks in real time. Examples of such network-based intrusion detection systems are RealSecure™ from Internet Security Systems, Inc., and NetProwler™ from Symantec Corporation.
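The distinction drawn above between a promiscuous-mode sensor, which can only raise an alert after a copy of the packet has been observed, and an in-line sensor, which sits on the forwarding path and can drop a matching packet before it reaches the host, is illustrated by the following added example; it is not code from the original text, and the signature patterns, packet format and sample traffic are all constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed signature set; a real system would load a maintained
# attack-signature database rather than two hand-written patterns.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./"),
    "null-byte-in-url": re.compile(rb"%00"),
}

class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes

def match_signatures(pkt: Packet) -> list:
    """Return the names of every signature found in the packet payload.
    Cost here is O(len(payload) * number of signatures); a wire-speed
    engine would compile all patterns into a single pass instead."""
    return [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]

def passive_monitor(packets: list) -> tuple:
    """Promiscuous-mode model: the sensor sees a copy of each packet, so it
    can only alert. Every packet, malicious or not, is still delivered."""
    delivered = list(packets)
    alerts = [(p.src, p.dst, m) for p in packets for m in match_signatures(p)]
    return delivered, alerts

def inline_filter(packets: list) -> tuple:
    """In-line model: the sensor is on the forwarding path, so a packet that
    matches a signature is alerted on and dropped before reaching the host."""
    delivered, alerts = [], []
    for p in packets:
        hits = match_signatures(p)
        if hits:
            alerts.extend((p.src, p.dst, m) for m in hits)
            continue  # dropped: never forwarded to the protected server
        delivered.append(p)
    return delivered, alerts

# Constructed sample traffic toward one protected server (192.0.2.10).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.6", "192.0.2.10", b"GET /static/../../secret.txt HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", b"GET /file.txt%00.jpg HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for mode in (passive_monitor, inline_filter):
        delivered, alerts = mode(SAMPLE)
        print(f"{mode.__name__}: delivered={len(delivered)} alerts={len(alerts)}")
```

Running the block shows both modes raising the same two alerts, but only the in-line model keeps the two matching packets from being delivered to the server.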
Therefore, it is necessary for the ISPs to have an intrusion detection system that runs in in-line mode and enables the ISPs to provide intrusion detection and protect their customers from intrusion at wire speed without adding a large processing burden on the host servers. In addition, the intrusion detection system should be easy to customize, so that ISPs can offer intrusion detection services on a selective basis, thus providing flexibility and creating a separate revenue source for the ISPs.