There are three main types of intrusion detection systems currently used to detect hacker attacks on computer networks: signature analysis systems, statistical analysis systems, and systems based on probabilistic reasoning. Signature analysis systems compare current data traffic patterns with stored traffic patterns representing the signature or profile of various types of hacker attacks. These systems generate an alert if the pattern of traffic received by the network matches one of the stored attack patterns.
Statistical analysis systems compare current data traffic patterns with statistical profiles of previous traffic patterns. These systems generate an alert if a current traffic pattern is significantly different from a stored profile of “normal” traffic. Examples of both statistical- and signature-based intrusion detection systems are described in Porras, et al., “Live Traffic Analysis of TCP/IP Gateways,” Internet Society's Networks and Distributed Systems Society Symposium, March 1998.
Examples of intrusion detection systems based on probabilistic reasoning are described in U.S. patent application Ser. No. 09/653,066 entitled “Methods for Detecting and Diagnosing Abnormalities Using Real-Time Bayes Networks.” In one such system, a Bayes network is established that includes models (called “hypotheses”) that represent both normal traffic and attack traffic received by a computer network. Traffic actually received by the network is examined in real-time to identify its relevant characteristics or features, such as volume of data transfer, number of erroneous connection requests, nature of erroneous connection requests, ports to which connections are attempted, etc. Information about these relevant features is then provided to the Bayes network, which calculates a system belief (a probability) that the current network traffic is either normal traffic or attack traffic.
A typical intrusion detection system may include one or more sensors that monitor network traffic in the manner discussed above, and one or more other sensors that monitor network resources. A system operator or network administrator (usually a person) reviews all of the alerts generated by the system.
A major problem with existing intrusion detection systems is that they often provide misleading, incomplete, or low-quality information to the system operator; this may make it impossible to take proper steps to protect the network. For example, during a large-scale hacker attack each of the system's sensors may generate hundreds of alerts. Although each alert may be accurate, the sheer number of alerts could easily overwhelm the system operator. Moreover, false alarms can be triggered by normal traffic directed towards a malfunctioning network resource, such as a server. These false alarms could distract the system operator from alerts triggered by actual hacker attacks. Finally, most intrusion detection systems are unable to detect low-level attacks such as port sweeps, in which hackers slowly “probe” a network to discover its structure and weaknesses.