In the current connected world of inter-operating networks, preventing unwanted access and unwanted intrusions are a constant issue. Some approaches to coping with network-based attacks involve detecting the occurrence of intrusions as a step to formulating a response. Typical intrusion-detection techniques have suffered from false positives and false negatives, both of which often have disastrous consequences. False negatives result in failure to protect a network from attacks, while false positives result in either lost business or in systems that “cry wolf.” Thus, false positives also result in failure to protect the network because this type of error also ultimately reduces the effectiveness of the solutions that are intended to protect the network from real attacks.
The problem of false positives and negatives results from two characteristics of typical intrusion detection systems. Even though there exist many products and approaches that attempt to protect data centers, servers and network resources from intrusion or attack, such as, for example, Denial of Service (DoS) attacks, the typical approaches all share the following characteristics:
(1) The approach bases intrusion detection solely on some kind of an examination of the network traffic. That is, whether the approach is online or offline, the approach determines whether an attack is present by looking at each packet and examining its characteristics and contents. Thus, more specifically, extrinsic knowledge that is gained from interacting with other tools and protocols in the network is seldom used to help in the detection. Moreover, the determination of whether traffic is trusted or is known to be bad when based solely on an examination of the current traffic itself is often not effective, or is too late to be useful.
(2) The intrusion detection's outcome is either “black” or “white.” That is, traffic is either categorized as trusted or known to be bad. There is typically no additional categorization of traffic that is neither trusted nor known to be bad. There is no concept of a gray area in a conventional system. Thus, there is no category of traffic that is intermediate, unknown, or suspect but not yet determined as known to be bad. Typically, depending on the particular implementation and user configuration, such suspect traffic is either categorized as trusted or as known to be bad.
As mentioned above, one problem with having only the two categories of “trusted” and “known to be bad” is that the user ends up with a significant amount of false positives, false negatives, or both. Both false negatives and false positives can cost a great deal of time and money. Both false positives and false negatives can cause disastrous consequences. For instance, when false negatives occur, the detection measure fails to protect against an unwanted intrusion and the organization's resources are exposed to the intruder. False positives can also be costly. Depending on the implementation, traffic categorized as known to be bad either triggers alarms, or is dropped. Dropping good traffic typically results in lost business and missed opportunities, and often has additional consequences. Alarm triggers result in information technology (IT) personnel spending time investigating the occurrence, which can cost a company in terms of employee resources, system down time and money. Having several false alarms erodes the confidence in the protective system such that when the system “cries wolf” enough times, the alarms are either ignored or the safeguards, responsive counter-measures, and notifications and/or protections, are tuned down too low to be effective. This reduces the ability of the protective system to detect and protect against the real attacks.
The U.S. Pat. No. 5,835,726, filed Jun. 17, 1996, and entitled “System for securing the flow of and selectively modifying packets in a computer network,” and U.S. Pat. No. 6,701,432, filed Apr. 1, 1999, and entitled “Firewall including local bus,” discuss the traditional systems mentioned above, including firewall type systems. The U.S. Pat. Nos. 5,835,726 and 6,701,432, are hereby incorporated by reference.