1. Technical Field
The present disclosure generally relates to information handling systems and in particular to a system and a method for performing intrusion detection in an information handling system.
2. Description of the Related Art
As the value and use of information continue to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes, thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled; how the information is handled; how much information is processed, stored, or communicated; and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications.
Businesses rely on communication networks in order to function on a daily basis. Businesses have to provide email, internet access, and other remote-access services to employees for the organization to function. The communication networks have interfaces to external communications connections or networks such as the internet. Communication networks that connect to the internet are at risk of intrusions or attack. Attacks can take any number of forms. For example, an attack can attempt to gain access to information, or to degrade the performance of the network or connected devices such as computers. Some attacks are designed to deny external access or to insert viruses onto a system.
Various systems exist that operate to prevent these attacks. For example, some networks employ firewalls to prevent unwanted access. Firewalls operate by blocking internet traffic exhibiting certain predefined characteristics, such as traffic that originates from a particular internet address, traffic that attempts to access a particular network port, or traffic that attempts to access a particular destination within the network. Firewalls are advantageous because they characterize and block internet traffic quickly. Firewalls, however, are limited in the amount of data that can be analyzed and blocked. Firewalls are also limited because they rely on the network administrator knowing in advance which types of traffic should be blocked.
Some networks add a device known as an intrusion detection system to make up for some of the failings of a firewall. The intrusion detection system is installed just behind the firewall and is used to provide further analysis of the traffic that the firewall does not block. The intrusion detection system provides a more extensive analysis of incoming communications, such as analyzing traffic during a distributed denial-of-service attack. Unfortunately, the additional analysis required by an intrusion detection system can significantly slow network traffic. The use of an intrusion detection system can also be complex and expensive, requiring additional hardware and software resources in order to be implemented.
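The two preceding paragraphs describe the division of labor between a firewall (fast, per-packet matching on predefined header characteristics) and an intrusion detection system placed behind it (slower, stateful analysis of the traffic the firewall let through, for example during a distributed denial-of-service attack). The following is an added illustration written for this edit; it is not code from the disclosure. It assumes a minimal packet model, three constructed firewall rules, and a constructed traffic sample using documentation address ranges. The firewall stage admits every packet of the flood individually, because each one matches no rule; only the per-source rate bookkeeping of the detection stage, which must retain state across packets, identifies the flood. That retained state is the cost the text refers to.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    timestamp: float  # seconds since start of capture


# Firewall rules are predefined header characteristics, as described in the text.
# A packet is blocked when every field listed in a rule matches it.
# These three rules are constructed for the example (assumption).
FIREWALL_RULES = [
    {"src_ip": "203.0.113.7"},                   # block a particular source address
    {"dst_port": 23},                             # block a particular network port
    {"dst_ip": "192.0.2.50", "dst_port": 3389},   # block a particular destination
]


def firewall_blocks(pkt, rules=FIREWALL_RULES):
    """Stateless check: each packet is judged on its own header fields only."""
    for rule in rules:
        if all(getattr(pkt, field) == value for field, value in rule.items()):
            return True
    return False


def ids_flag_flood(packets, window_s=1.0, threshold=20):
    """Stateful check run on traffic the firewall admitted.

    Flags any source that makes more than `threshold` connection attempts
    within any sliding window of `window_s` seconds. The window and threshold
    are example values (assumption), not tuned figures.
    """
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src_ip].append(p.timestamp)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def process(packets):
    """Firewall first, then intrusion detection over whatever passed."""
    passed = [p for p in packets if not firewall_blocks(p)]
    flagged = ids_flag_flood(passed)
    return passed, flagged


def sample_traffic():
    """Constructed traffic: three packets hit firewall rules, one normal client,
    and one source sending 30 connection attempts in under a third of a second."""
    pkts = [
        Packet("203.0.113.7", "192.0.2.10", 80, 0.0),       # blocked: source rule
        Packet("198.51.100.20", "192.0.2.10", 23, 0.1),     # blocked: port rule
        Packet("198.51.100.20", "192.0.2.50", 3389, 0.2),   # blocked: destination rule
        Packet("198.51.100.20", "192.0.2.50", 443, 0.3),    # allowed: same host, other port
    ]
    for i in range(5):  # ordinary client, one request every half second
        pkts.append(Packet("198.51.100.20", "192.0.2.10", 80, 1.0 + i * 0.5))
    for i in range(30):  # flood: individually benign packets at 10 ms spacing
        pkts.append(Packet("198.51.100.9", "192.0.2.10", 80, 2.0 + i * 0.01))
    return pkts


if __name__ == "__main__":
    passed, flagged = process(sample_traffic())
    print(f"firewall admitted {len(passed)} packets; IDS flagged sources: {sorted(flagged)}")
```

Running the script shows 36 of 39 packets admitted by the firewall and a single source flagged by the detection stage. Note that the firewall could only have stopped the flood if the administrator had already listed its source address, which is exactly the reliance on prior knowledge the text identifies as a limitation.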