1. Field of Invention
The present invention relates generally to the field of intrusion prevention. More specifically, the present invention is related to a novel self-optimizing intrusion prevention system and method.
2. Discussion of Prior Art
FIG. 1 illustrates a prior art intrusion prevention process 100. In such a prior art process, known attack patterns are filtered out by the Attack Signature Filtering engine 102 (supported by a vulnerability research team), and the rest of the traffic is passed through a Behavior Analysis component 104. Behavior Analysis component 104 is responsible for detecting abnormal activities that were not detected by the signature engine (such as new and unknown attacks), and for characterizing and mitigating them according to this characterization.
In this scenario, the word ‘mitigate’ is key, as prior art Behavior Analysis technologies cannot hermetically block unknown attacks, but rather mitigate them. This inherent limitation of the prior art originates in the fact that a Behavior Analysis system must analyze multiple sequential events before making an accurate decision about a behavior. Thus, there is always a chance that the attack will slip through and hit the protected network. Taking the example of worm propagation, even a small number of packets that succeed in slipping through the protection before the behavior of the worm has been correctly characterized can pose a threat to the network.
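The following added example is not part of the patent's disclosure; it is a small simulation of the two-stage prior art pipeline just described (signature engine 102 followed by behavior analysis component 104) that makes the limitation concrete by counting how many packets of an unknown worm are forwarded before the behavior engine has seen enough events to characterize the source. The signature list, the distinct-destination threshold used as the behavior rule, the addresses and the payload markers are all constructed for illustration.

```python
"""Two-stage IPS simulation: signature filter, then behaviour analysis.

Added illustration, not the patent's method. Shows that a behaviour engine
which needs several sequential events before deciding lets threshold-1
packets of an unknown attack through to the protected network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature database: the engine only knows the OLD worm.
KNOWN_SIGNATURES = [b"OLD-WORM-MARKER"]


def signature_filter(pkt: Packet) -> bool:
    """Stage 1 (engine 102): drop packets matching a known attack pattern."""
    return any(sig in pkt.payload for sig in KNOWN_SIGNATURES)


class BehaviorAnalyzer:
    """Stage 2 (component 104), constructed rule: a source that contacts
    `threshold` distinct destinations on the same port is characterized as
    a scanning worm and blocked from then on. Before the threshold is reached
    it can only observe, which is the 'multiple sequential events' delay."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.seen = defaultdict(set)   # (src, dport) -> set of dst hosts
        self.blocked = set()           # sources already characterized

    def inspect(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "blocked"
        key = (pkt.src, pkt.dport)
        self.seen[key].add(pkt.dst)
        if len(self.seen[key]) >= self.threshold:
            # Decision made on this packet; it and all later ones are dropped.
            self.blocked.add(pkt.src)
            return "blocked"
        return "passed"


def run_pipeline(packets, threshold: int = 5) -> dict:
    """Push a packet stream through both stages and collect verdicts."""
    analyzer = BehaviorAnalyzer(threshold)
    stats = {"signature_dropped": 0, "behavior_blocked": 0, "forwarded": []}
    for pkt in packets:
        if signature_filter(pkt):
            stats["signature_dropped"] += 1
            continue
        if analyzer.inspect(pkt) == "blocked":
            stats["behavior_blocked"] += 1
        else:
            stats["forwarded"].append(pkt)
    return stats


def leaked_worm_packets(stats: dict, marker: bytes = b"NEW-WORM") -> int:
    """How many unknown-worm packets reached the protected network."""
    return sum(1 for p in stats["forwarded"] if marker in p.payload)


def constructed_traffic():
    """Constructed sample stream: benign client, known worm, unknown worm."""
    pkts = []
    for _ in range(10):                      # benign: one client, one server
        pkts.append(Packet("192.0.2.10", "198.51.100.1", 80, b"GET / HTTP/1.1"))
    for i in range(3):                       # known worm: caught by signature
        pkts.append(Packet("192.0.2.20", f"198.51.100.{i + 2}", 445,
                           b"OLD-WORM-MARKER"))
    for i in range(20):                      # unknown worm: scans 20 hosts
        pkts.append(Packet("192.0.2.30", f"198.51.100.{i + 10}", 445,
                           b"NEW-WORM payload"))
    return pkts


if __name__ == "__main__":
    for thr in (3, 5, 8):
        s = run_pipeline(constructed_traffic(), threshold=thr)
        print(f"threshold={thr}: signature_dropped={s['signature_dropped']} "
              f"behavior_blocked={s['behavior_blocked']} "
              f"unknown worm packets leaked={leaked_worm_packets(s)}")
```

The known worm is stopped at stage 1 with zero leakage, while the unknown worm always leaks exactly threshold minus one packets regardless of how the stream is ordered: lowering the threshold shrinks the window but raises false-positive risk for legitimate hosts that fan out to many destinations, which is the trade-off the paragraph above calls the inherent limitation of mitigation-style behavior analysis.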
The U.S. patent to Anderson et al. (U.S. Pat. No. 7,028,179), assigned to Intel Corporation, teaches an apparatus and method for secure, automated response to distributed denial of service attacks. Anderson et al. teach a method comprising the steps of receiving notification of a distributed denial of service (DDoS) attack, establishing security authentication with an upstream router from which attack traffic is received, and transmitting one or more filters to the upstream router such that attack traffic is dropped by the upstream router to terminate the DDoS attack. However, it should be noted that Anderson et al.'s method fails to teach or suggest a signature characterization process and/or propagation-rule mechanisms implemented in conjunction with such transmission of filters.
Whatever the precise merits, features, and advantages of the prior art, none of them achieves or fulfills the purposes of the present invention.