1. Field of the Invention
This invention is directed to systems and devices that detect attempts to gain unauthorized access to a network.
2. Related Art
Computer networks have become ubiquitous in offices, factories and even the home. Moreover, these networks are interconnected in various different ways. For example, local area networks associated with each site of a large commercial operation are often interconnected into wide-area networks. Home-based networks are often interconnected on an ad-hoc basis to employer or commercial networks using dial-up connections. Finally, almost every network, whether home-based, office-based or otherwise, is connected to the Internet, at least occasionally. In fact, many networks, including almost all commercial and office-based networks, and an increasing number of home-based networks, are connected to the Internet using “always on” connections such as cable, DSL, or satellite connections.
As computer networks have become ubiquitous, they have provided attractive targets for many malicious activities. All networks are vulnerable to attacks by intruders who attempt to gain unauthorized access to the network. Intruders can be internal to the network or outsiders who access the network using one of the above-outlined external connections.
All software systems contain bugs. The more complex a software system is, the more bugs it has and the more difficult it is to find such bugs. Accordingly, networks have holes in their operating software that allow unauthorized access and/or unauthorized use. A network that allows unauthorized access and/or use allows malicious users to steal data, such as personal data that allows for identity theft, corporate data such as trade secrets and other confidential information, and the like. Malicious, unauthorized access or use also permits malicious users to destroy data or otherwise disrupt commercial activities that use the intruded-on network, to use the intruded-on network as a base for redirected attacks against yet other networks in attempts to hide the malicious user's identity, and the like. Other types of unauthorized access or use, such as denial of service attacks and the like, can also be extremely disruptive to networks and their owners.
Intruders from outside of the network may attack a network's external presence, such as, for example, the network's web servers, e-mail servers and/or the like, or may attempt to obtain unauthorized access to machines within the network. As indicated above, such outside intruders can approach the network via the Internet, using dial-up lines, or may approach the network from a partner network that is linked to that network. For example, for a corporate network, such partner networks can include the network of a vendor, a customer, a reseller or the like.
Intruders also can be legitimate internal users of the network. Such internal intruders include users who misuse network privileges or who impersonate higher-privileged users. It is estimated that 80% or more of security breaches of a network are committed by inside intruders.
Thus, intrusions typically come in two flavors, intra-system intrusion and remote intrusion. Intra-system intrusion refers to intruders that already have some level of privilege to access the system. Intra-system intrusions attempt to gain additional administrative privileges for such intruders. In contrast, remote intrusion involves an intruder who attempts to penetrate a network remotely via some external connection to the network. Such remote intruders are usually completely unauthorized to access the network.
Accordingly, to prevent such unauthorized access or use, many networks employ firewalls and/or intrusion detection systems (IDS), including network intrusion detection systems (NIDS). In general, firewalls provide static protection, while intrusion detection systems provide protection that is more dynamic. Firewalls are simply devices that shut off all external access to a network, except for a few gateways that are specifically enabled. For example, a firewall, when first installed, typically stops all communication between the network and the external world. The firewall is then configured by carefully adding rules that allow specific types of traffic to go through the firewall. For example, a typical corporate firewall allowing access to the Internet will stop all UDP and ICMP traffic and stop incoming TCP connections, but will allow outgoing TCP connections. This stops all incoming connections from the Internet, such as from Internet hackers, but still allows internal users to connect in the outgoing direction.
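The default policy just described (drop UDP and ICMP, drop inbound TCP connection attempts, permit outbound TCP connections and the replies that belong to them) can be expressed as a small stateful packet filter. The following is an added illustration, not code from the patent; the packet fields, the internal address prefix and the sample packets are all constructed for the demonstration.

```python
# Added example (not from the patent): a minimal stateful packet filter that
# implements the corporate default policy described above. Packets are plain
# constructed records, not real traffic; 10.0.0.0/24 is a hypothetical internal net.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # hypothetical internal network


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK marks a new connection attempt
    ack: bool = False


@dataclass
class StatefulFirewall:
    # Outbound connections we have seen, keyed (internal ip, internal port, external ip, external port)
    conntrack: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def decide(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet, updating connection state as a side effect."""
        # Rule 1: the policy stops all UDP and ICMP (and anything that is not TCP).
        if p.proto != "tcp":
            return "DROP"
        outbound = self.is_internal(p.src) and not self.is_internal(p.dst)
        inbound = self.is_internal(p.dst) and not self.is_internal(p.src)
        # Rule 2: a new outgoing TCP connection is allowed and remembered.
        if outbound and p.syn and not p.ack:
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Rule 3: further packets of a remembered connection pass in either direction.
        if outbound and (p.src, p.sport, p.dst, p.dport) in self.conntrack:
            return "ACCEPT"
        if inbound and (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"
        # Rule 4: every other packet, including any inbound SYN, is dropped.
        return "DROP"


def run_demo() -> List[str]:
    """Feed constructed packets through the filter and return the verdicts in order."""
    fw = StatefulFirewall()
    packets = [
        Packet("tcp", "203.0.113.5", 40000, "10.0.0.7", 22, syn=True),             # inbound SYN: DROP
        Packet("udp", "10.0.0.7", 5353, "203.0.113.5", 53),                         # UDP: DROP
        Packet("icmp", "203.0.113.5", 0, "10.0.0.7", 0),                            # ICMP: DROP
        Packet("tcp", "10.0.0.7", 51000, "203.0.113.5", 443, syn=True),             # outbound SYN: ACCEPT
        Packet("tcp", "203.0.113.5", 443, "10.0.0.7", 51000, syn=True, ack=True),   # reply to it: ACCEPT
        Packet("tcp", "203.0.113.5", 443, "10.0.0.7", 51001, syn=True, ack=True),   # reply to nothing: DROP
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note what the filter does not do: the outbound SYN from 10.0.0.7 is accepted without any judgement about who sent it or why, which is exactly the limitation the next paragraph describes.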
Unfortunately, a firewall is simply a fence around the network with a few well-chosen gates. Such firewalls have no capability of detecting whether someone is attempting to break in or whether those going through the gates are actually authorized to do so. Thus, firewalls are unable to stop intruders who are already authorized to pass through the gateways provided by the firewall, nor can they stop intruders who bypass or otherwise break through the firewall.
In contrast, intrusion detection systems (IDS), which include network intrusion detection systems (NIDS), can be used to determine whether a person requesting access to a network is doing so legitimately or is trying to gain unauthorized access to the network. Intrusion detection systems are also able to identify system intruders who originate from within the system. Because firewalls merely place a fence around the network, they do not look at activities inside the network that are properly classified as intrusions.
There are generally two different classes of intrusion detection systems: anomaly detection systems and signature recognition systems. Anomaly detection systems attempt to detect unauthorized intrusions based on identifying statistical anomalies. One advantage of anomaly detection-based intrusion detection systems is that the intrusion detection system can detect anomalies without having to understand the underlying cause behind the anomalous network activity. However, intrusions can escape detection if they do not create an anomaly. In contrast, misuse network intrusion detection systems, which are also called signature recognition-based intrusion detection systems, operate by examining the traffic traveling past a monitored point on the network for patterns that match defined attack signatures. For every different attack technique, a specific signature for that attack must be created for the intrusion detection system. One advantage of such signature recognition-based intrusion detection systems is that the attack does not need to create an anomaly. However, if the attack does not match any of the signatures provided to the signature recognition-based intrusion detection system, the attack will not be recognized and will be allowed to proceed.
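The complementary blind spots of the two classes can be shown by running a toy detector of each kind over the same traffic. The code below is an added example, not part of the patent: the log lines, the two signatures, the baseline request counts and the z-score threshold are all constructed for the demonstration. One request carries a known signature at a normal rate; one host sends a flood of well-formed requests that match no signature.

```python
# Added example (not from the patent): a signature-based and a statistical
# anomaly-based detector run over constructed access-log lines to show that
# each catches what the other misses. All data and thresholds are made up.
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed log lines, one request per line: "<source_ip> <method> <path>"
SAMPLE_LOG: List[str] = (
    [f"10.0.0.{h} GET /index.html" for h in (2, 3, 4) for _ in range(4)]   # ordinary traffic
    + ["10.0.0.5 GET /files?name=../../secret.txt"]                          # known pattern, normal rate
    + [f"10.0.0.9 GET /search?q={i}" for i in range(60)]                    # flood, no signature
)

# Signature recognition: one pattern must be written per attack technique.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "directory-traversal": re.compile(r"\.\./"),
    "cgi-bin-probe": re.compile(r"/cgi-bin/"),
}

# Constructed per-source request counts observed during a normal period; the
# anomaly detector learns its notion of "normal" from these alone.
BASELINE_PER_SOURCE: List[int] = [3, 5, 4, 6, 4, 5, 3, 4, 5, 4, 6, 3]


def signature_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, signature_name) for every line whose path matches a known signature."""
    hits = []
    for line in lines:
        src, _method, path = line.split(" ", 2)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((src, name))
    return hits


def anomaly_detect(lines: List[str], baseline: List[int] = BASELINE_PER_SOURCE,
                   z_threshold: float = 3.0) -> List[str]:
    """Flag sources whose request count is far above the learned baseline.
    The detector never inspects request contents, so it needs no attack knowledge."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)      # > 0 for the constructed baseline
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    return sorted(src for src, n in counts.items() if (n - mean) / stdev > z_threshold)


def compare(lines: List[str]) -> Dict[str, List[str]]:
    """Partition flagged sources by which detector class caught them."""
    sig = {src for src, _ in signature_detect(lines)}
    anom = set(anomaly_detect(lines))
    return {
        "signature_only": sorted(sig - anom),
        "anomaly_only": sorted(anom - sig),
        "both": sorted(sig & anom),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_LOG))
```

On the sample data the traversal request from 10.0.0.5 is caught only by the signature matcher, since one request is not a statistical anomaly, while the flood from 10.0.0.9 is caught only by the anomaly detector, since none of its requests match a signature. A deployment that wants both kinds of coverage runs both.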