Field
The disclosed embodiments generally relate to techniques for providing computer security in networked computer systems. More specifically, the disclosed embodiments relate to the design of a system that performs an inter-arrival time (IAT) fingerprint intrusion-detection technique to provide enhanced cybersecurity.
Related Art
Massive data breaches involving millions of credit card numbers stolen from networked computer systems have received a lot of publicity lately. These data breaches by malicious intruders have caused the targeted corporations to suffer large-scale financial losses and also long-term damage to their customer relationships. Such financial losses and loss of goodwill are troubling. However, malicious intruders can potentially inflict significantly greater harm by targeting supervisory control and data acquisition (SCADA) networks that connect enterprise servers, which are commonly used by the United States government and other organizations as “front end networks” for controlling energy production facilities, power grids, water treatment plants, nuclear power plants, and most of the chemical processing plants in the world.
Both SCADA networks and enterprise-computing networks typically use Ethernet frames to forward packets among multiple nodes of the network until they reach their final destination. To achieve this, Ethernet frame headers contain the source and destination media access control (MAC) addresses.
One particularly challenging instance of malicious intrusion happens when an attacker is able to spoof, in software, the IP and MAC addresses of authenticated users, as well as their login credentials (e.g., obtained through “phishing”), and thereby bypass firewalls and other security measures to gain access to critical assets and information. For business-critical and mission-critical networks where the only authenticated users are inside the firewall (or otherwise inside the same facility as the critical computing assets), conventional security measures cannot distinguish authentic, benign local users from malicious remote users who have spoofed the IP addresses, MAC addresses, and login credentials of legitimate local users.
Hence, what is needed is an intrusion-detection system that can differentiate between malicious remote users and legitimate local users.
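To illustrate the kind of inter-arrival time (IAT) fingerprint named in the Field paragraph, the following added Python example (not code from the patent or its applicant) builds a baseline IAT distribution from frames seen from a local host and compares it with a later sample from the same source MAC address. The frame timestamps, the jitter patterns, the use of the coefficient of variation as the summary statistic, and the ratio threshold of 3.0 are all assumptions constructed for this example; a remote session traversing additional network hops is modelled as having the same nominal cadence but markedly more timing jitter.

```python
import statistics

def build_timestamps(period, jitter_pattern, count):
    """Constructed frame timestamps (seconds): a fixed period plus a
    repeating jitter pattern. Deterministic so the example is reproducible."""
    t, out = 0.0, [0.0]
    for i in range(count):
        t += period + jitter_pattern[i % len(jitter_pattern)]
        out.append(t)
    return out

# Constructed sample data: a local host on the same LAN shows sub-millisecond
# jitter around a 100 ms cadence; a remote session shows tens of milliseconds.
LOCAL_BASELINE = build_timestamps(0.100, [0.0002, -0.0001, 0.0003, -0.0002], 40)
REMOTE_SAMPLE = build_timestamps(0.100, [0.015, -0.012, 0.030, -0.008, 0.004], 40)

def inter_arrival_times(timestamps):
    """Return the gaps between consecutive frame timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def iat_fingerprint(timestamps):
    """Summarise the IAT distribution of one source as mean, population
    standard deviation and coefficient of variation (stdev / mean)."""
    iats = inter_arrival_times(timestamps)
    if len(iats) < 2:
        # Edge case: a fingerprint needs at least two gaps to be meaningful.
        raise ValueError("need at least three timestamps to fingerprint")
    mean = statistics.fmean(iats)
    sd = statistics.pstdev(iats)
    return {"n": len(iats), "mean": mean, "stdev": sd,
            "cv": sd / mean if mean > 0 else float("inf")}

def deviates_from_baseline(observed, baseline, cv_ratio_threshold=3.0):
    """Flag the observed traffic when its timing variability is far larger
    than the baseline's (assumed threshold: 3x the baseline's CV)."""
    obs = iat_fingerprint(observed)
    base = iat_fingerprint(baseline)
    if base["cv"] == 0:
        return obs["cv"] > 0
    return obs["cv"] / base["cv"] > cv_ratio_threshold

if __name__ == "__main__":
    for label, sample in (("local", LOCAL_BASELINE), ("remote", REMOTE_SAMPLE)):
        fp = iat_fingerprint(sample)
        flag = deviates_from_baseline(sample, LOCAL_BASELINE)
        print(f"{label}: mean={fp['mean']:.4f}s cv={fp['cv']:.4f} deviates={flag}")
```

In practice the baseline would be learned per source MAC address over a training window and the comparison would use more than one statistic (for example percentiles of the IAT distribution), but the core idea is the same: a spoofed address does not carry the timing signature of the physical host it impersonates.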