A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers, and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.
Conventional techniques for detecting network attacks rely on pattern matching and identification of protocol anomalies. For example, an intrusion detection and prevention (IDP) device typically applies regular expressions or sub-string matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDP device may attempt to identify the type of software application and protocol associated with the data stream. Based on the identification, the IDP device monitors the data stream to verify that the data stream conforms to accepted procedures for the particular protocol, i.e., that no protocol anomalies occur within the data stream. In addition, the IDP device selects and applies appropriate patterns to the data stream. In this way, the IDP device determines whether the particular data flow constitutes a network attack, such as transmission of a virus, a denial of service (DoS) attack, or other malicious activity.
Many IDP devices utilize two separate software components (collectively “IDP software”) for detecting and handling network attacks—a processing engine and one or more decoders, each of which may correspond to a different communication protocol or service (e.g., an HTTP decoder, a Telnet decoder, an FTP decoder, etc.). In general, the processing engine reassembles the data stream to form application-layer data, associates the application-layer data with a particular type of application, and invokes an appropriate decoder for analyzing the reassembled data. The decoder analyzes the application-layer data to determine whether the packets represent a security risk.
When either the processing engine or any of the decoders fails during processing, the IDP software, including both the processing engine and the decoders, may crash, which in turn may expose the network to security risks or may cause a network outage for a period of time. Certain external auto-recovery processes may be used to monitor the IDP software, to identify when a crash occurs, and to restart the IDP software following the crash. Such a restart often takes a relatively long time, because both the processing engine and the decoders must be restarted. Moreover, conventional auto-recovery processes are not able to prevent the crash from occurring.
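The following is an added illustration of the architecture described above (a processing engine that identifies the application protocol of reassembled data, dispatches to a per-protocol decoder, and applies protocol-anomaly checks and pattern signatures), together with the failure mode of the last paragraph, in which a bug in a single decoder takes the whole engine down. It is example code written for this page, not code from the original document or from any IDP product. The sample flows, the signature patterns, the decoder logic and all function and class names are constructed assumptions; the `telnet_decoder` is deliberately written to fail so that the difference between propagating and containing a decoder fault can be observed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample "reassembled" application-layer data, one entry per flow.
# None of these come from the page; they are made-up inputs for the example.
SAMPLE_FLOWS: Dict[str, bytes] = {
    "flow-1": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "flow-2": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "flow-3": b"USER alice\r\nPASS secret\r\n",
    "flow-4": b"\xff\xfb\x01\xff\xfd\x03",   # Telnet IAC option negotiation
    "flow-5": b"BOGUS\r\n",                   # no decoder knows this
}

# Assumed attack signatures, selected per protocol after the application has
# been identified (the "appropriate patterns" of the text).
SIGNATURES: Dict[str, List[re.Pattern]] = {
    "http": [re.compile(rb"\.\./")],                          # directory traversal
    "ftp": [re.compile(rb"^USER\s+anonymous", re.M | re.I)],  # anonymous login attempt
}


@dataclass
class Verdict:
    flow_id: str
    protocol: str
    flagged: bool   # True when a signature matched or a protocol anomaly was seen
    reason: str


def identify_application(data: bytes) -> Optional[str]:
    """Classify reassembled application-layer data by protocol (simplified heuristics)."""
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/\d\.\d\r\n", data):
        return "http"
    if re.match(rb"^(USER|PASS|RETR|STOR)\s", data):
        return "ftp"
    if data.startswith(b"\xff"):   # Telnet IAC byte
        return "telnet"
    return None


def http_decoder(data: bytes) -> str:
    # Protocol-anomaly check: a request must terminate its headers.
    if b"\r\n\r\n" not in data:
        return "anomaly: missing end of headers"
    for pat in SIGNATURES["http"]:
        if pat.search(data):
            return f"signature match: {pat.pattern!r}"
    return "ok"


def ftp_decoder(data: bytes) -> str:
    # Protocol-anomaly check: every line must look like an FTP command.
    for line in data.split(b"\r\n"):
        if line and not re.match(rb"^[A-Z]{3,4}( |$)", line):
            return "anomaly: malformed command"
    for pat in SIGNATURES["ftp"]:
        if pat.search(data):
            return f"signature match: {pat.pattern!r}"
    return "ok"


def telnet_decoder(data: bytes) -> str:
    # Deliberately faulty decoder modelling the failure mode in the text.
    raise IndexError("decoder bug: ran off the end of the option buffer")


DECODERS: Dict[str, Callable[[bytes], str]] = {
    "http": http_decoder,
    "ftp": ftp_decoder,
    "telnet": telnet_decoder,
}


class ProcessingEngine:
    """Dispatches each flow to its decoder; optionally contains decoder faults."""

    def __init__(self, isolate_faults: bool) -> None:
        self.isolate_faults = isolate_faults

    def process(self, flow_id: str, data: bytes) -> Verdict:
        proto = identify_application(data)
        if proto is None or proto not in DECODERS:
            return Verdict(flow_id, "unknown", False, "no decoder for this data")
        decoder = DECODERS[proto]
        if not self.isolate_faults:
            # Conventional behaviour: a decoder exception propagates and stops the engine.
            result = decoder(data)
        else:
            try:
                result = decoder(data)
            except Exception as exc:   # contain the fault to this one flow
                return Verdict(flow_id, proto, False, f"decoder failed: {exc}")
        return Verdict(flow_id, proto, result != "ok", result)


def run_engine(isolate_faults: bool) -> List[Verdict]:
    engine = ProcessingEngine(isolate_faults)
    return [engine.process(fid, data) for fid, data in SAMPLE_FLOWS.items()]


def engine_crashes_without_isolation() -> bool:
    """True if one faulty decoder stops the whole engine when faults are not isolated."""
    try:
        run_engine(isolate_faults=False)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    for v in run_engine(isolate_faults=True):
        print(v)
    print("engine crashes without isolation:", engine_crashes_without_isolation())
```

Running the block with `isolate_faults=True` reports flow-2 as a signature match and flow-4 as a contained decoder failure while the remaining flows are still inspected; with `isolate_faults=False` the exception from the Telnet decoder propagates out of `run_engine`, which is the whole-engine crash the text describes and the reason an external restart would be needed.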