In the computer security field, “intrusion” is a broad term encompassing many undesirable activities. The objective of an intrusion may be to acquire information that a person is not authorized to have (referred to as “information theft”), it may be to cause business harm by rendering a network, system, or application unusable (referred to as “denial of service”) and/or, it may be to gain unauthorized use of a system as a stepping stone for further intrusions elsewhere. Intrusions can follow a pattern of information gathering, attempted access, and then destructive attacks.
Some intrusions can be detected and neutralized by the target system, although often not in real time. Other intrusions may not be effectively neutralized by the target system. Intrusions can also make use of “spoofed” packets which are not easily traceable to their true origin. Many intrusions now make use of unwitting accomplices—that is, machines or networks that are used without authorization to hide the identity of the intruder. For these reasons, detecting attempts at information gathering, access attempts, and intrusion accomplice behaviors can be an important part of intrusion detection.
As illustrated in FIG. 1, intrusions can be initiated against a host 100 on an internal network 115 by, for example, an intruder 130 that is on an external network 135 (e.g., internet) or from an intruder 110 that is on the internal network 115. A firewall 120 may provide some protection against intrusions from external networks. However, it may not prevent intrusions once the firewall has “approved” entry into the internal network 115, and it may not provide protection when the intrusion is initiated from inside the internal network 115 (e.g., intruder 110). In addition, end-to-end encryption can limit the types of intrusions that can be detected by an intermediate device, such as the firewall 120, because the intermediate device may be unable to evaluate the packets in an unencrypted form for evidence of an intrusion.
An Intrusion Detection System (hereinafter, “IDS”) can provide detection of many types of intrusions. Referring to FIG. 2, an IDS may include sniffers that examine network traffic. Sniffers may be placed at strategic points in networks, such as shown by a sniffer 210 in front of the firewall 220; by a sniffer 230 behind the firewall 220; by a sniffer 240 on the internal network 115; and/or by a sniffer 250 between a host 260 and the internal network 115. Sniffers may use “pattern matching” to try to match communicated information against a known intrusion signature. Performing pattern matching on all network traffic can require significant processing time, and may result in a backlog of traffic to be analyzed and a resulting delay in identifying an intrusion. Growth in the number of known intrusion signatures that are used for pattern matching further increases the processing time and associated delay in identifying an intrusion.
Upon detecting an intrusion, a sniffer may alert an IDS management system 270, which may take action to stop an intrusion. For example, sniffers 230 and 250 have been illustrated as communicating “alerts” to the IDS management system 270. Sniffers may also, or may alternatively, notify a service, such as IBM's Emergency Response Services (ERS) unit 200, which provides logging and analysis of security alerts that are detected by IDS components. In the illustrated example, the sniffer 210 before the firewall 220 sends alerts to the Emergency Response Services unit 200. However, a damaging intrusion may occur before a sniffer identifies the intrusion and an IDS management system takes action to stop the intrusion.
Further background discussion on intrusion detection services is provided in U.S. patent application Ser. No. 10/058,870, filed Jan. 28, 2002, and entitled Integrated Intrusion Detection Services.