Computer networks often face malicious attacks originating from public networks. Such attacks currently include pre-attack probes, worm propagation, network flooding attacks such as denial of service (DoS) and distributed DoS (DDoS) attacks, authorization attacks, and operating system and application scanning. In order to evade detection, attackers may utilize spoofed IP addresses.
DoS and DDoS attacks dispatch large numbers of network packets or application requests, in order to overwhelm victim bandwidth, network resources, and/or victim servers, resulting in denial of services to legitimate users. Examples of DoS/DDoS attacks include Internet Control Message Protocol (ICMP) flood attacks, User Datagram Protocol (UDP) flood attacks, and Transmission Control Protocol (TCP) SYN flood attacks.
Some attacks are stateless, i.e., the attacker does not attempt to establish a connection with a particular host, but rather attempts to generally flood the victim network with packets. Other attacks are stateful. In these stateful attacks, the attacker establishes multiple connections with a victim host, by sending packets that conform to protocol standards. The attacker leaves these connections open, typically by completing only a portion of the protocol handshake. The open connections consume resources of the host indefinitely, or until the host times out the connections.
Some stateful attacks are executed at the transport layer (Layer 4 of the OSI network model). For example, during a Transmission Control Protocol (TCP) SYN flood attack, an attacker sends multiple SYN packets from one or more spoofed addresses to a victim host. The victim host responds to each SYN packet by sending a SYN/ACK packet to the spoofed address, and opens a SYN_RECVD state, which consumes host CPU resources. The attacker never responds with the expected ACK packet. As a result, the host's resources are consumed and unavailable for legitimate operations.
Other stateful attacks are executed at the application layer (Layer 7). Such application layer stateful attacks include, for example, SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol), and FTP (File Transfer Protocol) attacks. In these attacks, the attacker typically leaves the host server waiting indefinitely in one of the states, such as one of the handshake states, or until the host server times out the connection.
Application layer stateful attacks also include the “RCPT TO” attack. In this attack, an attacker sends an SMTP mail message having a large number of recipients, as indicated by the repetition of the RCPT TO command of the SMTP protocol. This attack sometimes serves as a DoS attack. The large number of recipients consumes the resources of the victim host (typically an SMTP mail server) , degrading performance and sometimes causing the host to fail. The attacker may also launch an RCPT TO attack in order to send spam to a large number of recipients within the victim network, or to scan the victim network to collect information for subsequent attacks.
Common systems used to protect networks at their peripheries include firewalls and network intrusion/prevention detection systems (IDSs/IPSs). Firewalls examine packets arriving at an entry to the network in order to determine whether or not to forward the packets to their destinations. Firewalls employ a number of screening methods to determine which packets are legitimate. IDSs/IPSs typically provide a static signature database engine that includes a set of attack signature processing functions, each of which is configured to detect a specific intrusion type. Each attack signature is descriptive of a pattern which constitutes a known security violation. The IDS monitors network traffic by sequentially executing every processing function of a database engine for each data packet received over a network.
U.S. Pat. No. 6,487,666 to Shanklin et al., which is incorporated herein by reference, describes a method for describing intrusion signatures, which are used by an intrusion detection system to detect attacks on a local network. The signatures are described using a “high level” syntax having features in common with regular expression and logical expression methodology. These high level signatures may then be compiled, or otherwise analyzed, in order to provide a process executable by a sensor or other processor-based signature detector.
U.S. Pat. No. 6,279,113 to Vaidya, which is incorporated herein by reference, describes a signature-based dynamic network IDS, which includes attack signature profiles that are descriptive of characteristics of known network security violations. The attack signature profiles are organized into sets of attack signature profiles according to security requirements of network objects on a network. Each network object is assigned a set of attack signature profiles, which is stored in a signature profile memory together with association data indicative of which sets of attack signature profiles correspond to which network objects. A monitoring device monitors network traffic for data addressed to the network objects. Upon detecting a data packet addressed to one of the network objects, packet information is extracted from the data packet. The extracted information is utilized to obtain a set of attack signature profiles corresponding to the network object based on the association data. A virtual processor executes instructions associated with attack signature profiles to determine if the packet is associated with a known network security violation. An attack signature profile generator is utilized to generate additional attack signature profiles configured for processing by the virtual processor in the absence of any corresponding modification of the virtual processor.
U.S. Pat. No. 6,453,345 to Trcka et al., which is incorporated herein by reference, describes a network security and surveillance system that passively monitors and records the traffic present on a local area network, wide area network, or other type of computer network, without interrupting or otherwise interfering with the flow of the traffic. Raw data packets present on the network are continuously routed (with optional packet encryption) to a high-capacity data recorder to generate low-level recordings for archival purposes. The raw data packets are also optionally routed to one or more cyclic data recorders to generate temporary records that are used to automatically monitor the traffic in near-real-time. A set of analysis applications and other software routines allows authorized users to interactively analyze the low-level traffic recordings to evaluate network attacks, internal and external security breaches, network problems, and other types of network events.
U.S. Pat. No. 6,321,338 to Porras et al., which is incorporated herein by reference, describes a method for network surveillance, the method including receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
U.S. Pat. No. 5,991,881 to Conklin et al., which is incorporated herein by reference, describes techniques for network surveillance and detection of attempted intrusions, or intrusions, into the network and into computers connected to the network. The system performs: (a) intrusion detection monitoring, (b) real-time alert, (c) logging of potential unauthorized activity, and (d) incident progress analysis and reporting. Upon detection of any attempts to intrude, the system initiates a log of all activity between the computer elements involved, and sends an alert to a monitoring console. When a log is initiated, a primary surveillance system continues to monitor the network. The system also starts a secondary monitoring process, which interrogates the activity log in real-time and sends additional alerts reporting the progress of the suspected intruder.
U.S. Pat. No. 6,282,546 to Gleichauf et al., which is incorporated herein by reference, describes a system and method for real-time insertion of data into a multi-dimensional database. The system includes a multi-dimensional database and a user interface operable to access and provide views into the multi-dimensional database. A data insertion engine is coupled to and operable to access the multi-dimensional database. The data insertion engine is further operable to receive and process a real-time data feed and to insert data into the multi-dimensional database responsive to processing of the real-time data feed. In one embodiment, the real-time data feed can represent exploited network vulnerabilities, and the system can be used for network intrusion detection and vulnerability assessment.
U.S. Pat. No. 5,278,901 to Shieh et al., which is incorporated herein by reference, describes a pattern-oriented intrusion detection system and method that defines patterns of intrusion based on object privilege and information flow in secure computer systems to detect actual intrusion occurrences. The system is described as being able to track both information and privilege flows within a system, and to uniformly define various types of intrusion patterns.
U.S. Pat. No. 6,535,227 to Fox et al., which is incorporated herein by reference, describes a graphical user interface for determining the vulnerability posture of a network. A system design window displays network items of a network map that are representative of different network elements contained within the network. The respective network icons are linked together in an arrangement corresponding to how network elements are interconnected within the network. Selected portions of the network map turn a different color indicative of a vulnerability that has been established for that portion of the network after a vulnerability posture of the network has been established.
U.S. Pat. No. 6,370,648 to Diep, which is incorporated herein by reference, describes techniques for detecting harmful or illegal intrusions into a computer network or into restricted portions of a computer network. The techniques use statistical analysis to match user commands and program names with a template sequence. Discrete correlation matching and permutation matching are used to match sequences. The result of the match is input to a feature builder and then a modeler to produce a score. The score indicates possible intrusion. A sequence of user commands and program names and a template sequence of known harmful commands and program names from a set of such templates are retrieved. A closeness factor indicative of the similarity between the user command sequence and a template sequence is derived from comparing the two sequences. The user command sequence is compared to each template sequence in the set of templates thereby creating multiple closeness or similarity measurements. These measurements are examined to determine which sequence template is most similar to the user command sequence. A frequency feature associated with the user command sequence and the most similar template sequence is calculated. It is determined whether the user command sequence is a potential intrusion into restricted portions of the computer network by examining output from a modeler using the frequency feature as one input.
US Patent Application Publications 2002/0107953 to Ontiveros et al. and 2002/0133586 to Shanklin et al., which are incorporated herein by reference, describe a method for protecting a network by monitoring both incoming and outgoing data traffic on multiple ports of the network, and preventing transmission of unauthorized data across the ports. The monitoring system is provided in a non-promiscuous mode and automatically denies access to data packets from a specific source based upon an associated rules table. All other packets from sources not violating the rules are allowed to use the same port. The system provides for dynamic writing and issuing of firewall rules by updating the rules table. Information regarding the data packets is captured, sorted and cataloged to determine attack profiles and unauthorized data packets.
US Patent Application Publication 2002/0083175 to Afek et al., which is incorporated herein by reference, describes techniques for protecting against and/or responding to an overload condition at a victim node in a distributed network. The techniques include diverting traffic otherwise destined for the victim node to one or more other nodes, which can filter the diverted traffic, passing a portion of the traffic to the victim node, and/or effect processing of one or more of the diverted packets on behalf of the victim.
US Patent Application Publication 2003/0014665 to Anderson et al., which is incorporated herein by reference, describes apparatus and a method for an automated response to a DDoS attack. The method includes receiving notification of a DDoS attack by an Internet host, which, responsively thereto, establishes security authentication from an upstream router from which the attack traffic, transmitted by one or more host computers, is received. The Internet host then transmits filter(s) to the upstream router generated based upon characteristics of the attack traffic. Once installed by the upstream router, the attack traffic is dropped to terminate the DDoS attack. In one embodiment, monitoring of the network traffic received by the Internet host is performed using pattern recognition, such as fuzzy logic, which can be trained to determine normal traffic levels. Based on the normal average traffic levels, the fuzzy logic can determine when traffic levels go above a pre-determined amount or threshold from the normal level in order to detect a DDoS attack.
US Patent Application Publication 2003/0009699 to Gupta et al., which is incorporated herein by reference, describes a method for detecting intrusions on a computer, including the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer. A connectivity range is established which describes a distribution of network traffic received by the computer. An internet protocol field threshold and a connectivity threshold are then determined from the internet protocol field range and connectivity range, respectively. During the operation of the computer, values are calculated for the internet protocol field range and connectivity range. These values are compared to the internet protocol metric threshold and connectivity metric threshold so as to identify an intrusion on the computer.
US Patent Application Publication 2003/0046581 to Call et al., which is incorporated herein by reference, describes an intelligent cache management system for protecting network devices from overload and from network packet flood attacks (such as DoS and DDoS attacks). The system frees allocated resources (memory, in particular) for reuse, when under sustained attack. In an embodiment, the system is used in connection with session-type packet processing devices of a computer network. The system comprises a memory management database for storing communication traffic classification and memory threshold values, and a memory monitor for tracking overall memory usage and determining when the memory threshold values stored in the memory management database are reached. A cache classifier is used to determine a class into which a given session of communications traffic falls. When the memory threshold value is reached, a pruning mechanism selects and prunes entries representing sessions on the packet processing device in accordance with the communication traffic classification and memory thresholds programmed in the memory management database.
US Patent Application Publication 2002/0162026 to Neuman et al., which is incorporated herein by reference, describes apparatus and a method for providing secure network communication. Each node or computer on a network has a secure, intelligent network interface with a coprocessor that handles all network communication. The intelligent network interface encrypts outgoing packets and decrypts incoming packets from the network based on a key and algorithm managed by a centralized management console on the network. The intelligent network interface can also be configured by the management console with dynamically distributed code to perform authentication functions, protocol translations, single sign-on functions, multi-level firewall functions, distinguished-name based firewall functions, centralized user management functions, machine diagnostics, proxy functions, fault tolerance functions, centralized patching functions, Web-filtering functions, virus-scanning functions, auditing functions, and gateway intrusion detection functions.
US Patent Application Publication 2002/0059078 to Valdes et al., which is incorporated herein by reference, describes probabilistic correlation techniques for increasing sensitivity, reducing false alarms, and improving alert report quality in intrusion detection systems. In an embodiment, an intrusion detection system includes at least two sensors to monitor different aspects of a computer network, such as a sensor that monitors network traffic and a sensor that discovers and monitors available network resources. The sensors are correlated in that the belief state of one sensor is used to update or modify the belief state of another sensor. In another embodiment, probabilistic correlation techniques are used to organize alerts generated by different sensors in an intrusion detection system. By comparing features of each new alert with features of previous alerts, rejecting a match if a feature fails to meet or exceed a minimum similarity value, and adjusting the comparison by an expectation that certain feature values will or will not match, the alerts can be grouped in an intelligent manner.
PCT Publication WO 02/45380 to Copeland, which is incorporated herein by reference, describes a flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. The flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible hosts it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.