The present invention relates to a computer-implemented intrusion detection system (IDS) and method for detecting computer network intrusions in real time.
Computer intrusions and cyber attacks are on the rise. Reports by research organizations and law enforcement agencies indicate, consistently, that the number of computer-security incidents has been increasing geometrically in the last few years. As a countermeasure, organizations have begun to employ intrusion detection systems, in addition to various access control mechanisms, firewalls, and virus scanners, for protection of computer networks and information assets. Current technologies for building IDSs include statistics-based analysis methods, expert systems, learning machines, and software agents.
There are serious drawbacks to currently available IDSs, including the following:

centralized detection: the computation required for intrusion detection is usually carried out by a single host, which severely limits the bandwidth available for processing traffic data;

lacking real-time performance: as a consequence of the above, the IDS either fails to detect intrusions as they are occurring, or it slows down traffic while it analyzes packets, at the expense of the quality of service provided to users;

low detection accuracy: high rates of false positives (false alarms of intrusion, resulting in wasted resources and inconvenience or annoyance to users) and false negatives (actual intrusions and attacks that go undetected, resulting in financial loss and damage to information assets);

low pattern scalability: the number of attack signatures that the IDS is capable of learning is limited;

low network scalability: the number of hosts on the network that can be protected is limited; further, the configuration of the network being protected may not be changeable;

lacking response capability: the IDS can initiate only very limited response actions, if any at all, upon detecting intrusions;

lacking attacker-tracing capability: as a consequence of the above, the IDS is not equipped for tracing attacks back to their source and collecting data for forensics;

low adaptability: the IDS is based on detection algorithms that do not allow adjustable thresholds; further, a learning-machine-based IDS needs to be retrained once new attack patterns become known;

inapplicability to wireless networks: the IDS is designed for wired networks and has limited capability in serving networks that allow standard and/or ad-hoc wireless networking.
It is therefore an object of the present invention to provide an improved computer-implemented intrusion detection system and method for detecting computer network intrusions, especially in real time.