A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. These devices may run a wide variety of services and communication protocols, and each service and protocol exposes the network to its own set of security vulnerabilities.
Conventional techniques for detecting network attacks use pattern matching. In particular, an intrusion detection system (“IDS”) applies regular expressions or substring matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDS may attempt to identify the software application and protocol associated with the data stream; a signature written for one protocol is of little value, and may produce false positives, when applied to traffic of another. Based on the identification, the IDS selects the appropriate patterns to apply in order to detect a network attack, a term which is used herein to include viruses or other malicious activity.
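The following Python sketch is an added example, not part of the original text, of the conventional pattern-matching IDS just described: it guesses the application protocol from the first bytes of a stream and applies only the signature set for that protocol. The signature names, regular expressions and sample streams are constructed for illustration and are not taken from any real IDS rule set or capture. Running it with and without protocol identification shows why the identification step matters: an HTTP "UNION SELECT" signature applied blindly to an SMTP message body flags an ordinary e-mail about SQL.

```python
import re
from typing import Dict, List

# Constructed sample streams (not captured traffic): the first bytes of each
# client-to-server stream, keyed by a made-up connection id.
SAMPLE_STREAMS = {
    "conn-1": (b"GET /index.html?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\n"
               b"Host: example.test\r\n\r\n"),
    "conn-2": (b"EHLO mail.example.test\r\nMAIL FROM:<dba@example.test>\r\n"
               b"RCPT TO:<dev@example.test>\r\nDATA\r\nSubject: query review\r\n\r\n"
               b"Try: SELECT a FROM t UNION SELECT b FROM u\r\n.\r\n"),
    "conn-3": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

# Hypothetical signature sets keyed by application protocol. Names and
# regexes are illustrative only.
SIGNATURES = {
    "http": [
        ("sqli-union-select", re.compile(rb"union(\s|%20)+select", re.IGNORECASE)),
        ("dir-traversal", re.compile(rb"\.\./")),
    ],
    "smtp": [
        # an SMTP command line with an abnormally long argument
        ("smtp-long-command", re.compile(rb"^[A-Z]{4} .{512,}", re.MULTILINE)),
    ],
}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_GREETING = re.compile(rb"^(EHLO|HELO) ")


def identify_protocol(stream: bytes) -> str:
    """Guess the application protocol from the start of the stream."""
    if HTTP_REQUEST_LINE.match(stream):
        return "http"
    if SMTP_GREETING.match(stream):
        return "smtp"
    return "unknown"


def inspect(stream: bytes, identify: bool = True) -> List[str]:
    """Return the names of all signatures that match the stream.

    With identify=True only the signature set for the identified protocol is
    applied. With identify=False every signature set is applied blindly, which
    is how an IDS behaves when it has no protocol context for the stream.
    """
    if identify:
        sets = [SIGNATURES.get(identify_protocol(stream), [])]
    else:
        sets = list(SIGNATURES.values())
    hits = []
    for sigs in sets:
        for name, pattern in sigs:
            if pattern.search(stream):
                hits.append(name)
    return hits


def inspect_all(identify: bool = True) -> Dict[str, List[str]]:
    """Inspect every constructed sample stream; map connection id to hits."""
    return {cid: inspect(s, identify) for cid, s in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    print("protocol-aware:", inspect_all(identify=True))
    print("blind:         ", inspect_all(identify=False))
```

With identification enabled, only conn-1 (the HTTP request carrying a UNION SELECT in its query string) is flagged; with identification disabled, conn-2's e-mail body is flagged by the same HTTP signature, which is the false positive the protocol-identification step is meant to avoid.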
Malicious users may implement network attacks at various layers of the Open Systems Interconnection (OSI) reference model. For example, denial of service (DoS) attacks have historically been implemented at layer three (network layer) or layer four (transport layer) of the OSI model. One such example is the SYN flood attack, in which an attacker bombards a network server with TCP synchronization (SYN) packets without completing the handshake, so that the server's table of half-open connections fills and it can no longer accept new connections. Similar attacks include ACK floods and reset (RST) attacks. These attacks take place below layer seven, also referred to as the application layer. Conventional techniques for blocking such attacks include detecting two or more consecutive SYN packets from the same originating device. In this manner, conventional techniques can prevent attacks at the lower layers of the OSI reference model.
Malicious users have recently developed network attacks that act at layer seven (application layer) of the OSI model. As one example, DoS attacks acting at the application layer, also referred to as application-layer flood attacks, may involve one or more malicious entities such as automated software agents, e.g., bots, that continually issue requests that consume a large amount of a web server's resources. Such recent network attacks are more connection-based, in that the malicious software agents typically do not begin the flood until after initializing a network session, e.g., by completing a TCP three-way handshake. Therefore, conventional methods used for preventing attacks that occur at lower layers, such as SYN floods, are ineffective at preventing these malicious users or software agents from using more sophisticated methods of flooding a server or other device. Each individual request may also be fully protocol-compliant, so the attack may be difficult to detect using mechanisms that look for protocol anomalies.
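As an added example that is not part of the original text, the following Python sketch contrasts the two detection approaches described in the preceding two paragraphs over constructed client-to-server packet records (not captured traffic). One function implements the conventional lower-layer heuristic of the text, flagging a source that sends two or more consecutive SYN packets; the other considers only sources that completed the three-way handshake and flags those whose HTTP request rate over a sliding window exceeds a threshold. The addresses, timings and threshold are assumptions chosen for the illustration. The sample contains a SYN-flood source, a bot that completes the handshake and then floods requests, and a legitimate client; the SYN heuristic catches only the first, and misses the bot because every one of its requests is a well-formed HTTP request on an established connection.

```python
import re
from collections import defaultdict
from typing import List, Set, Tuple

# Each record: (timestamp_seconds, source_ip, tcp_flags, payload). Flags are
# "S" (SYN), "A" (ACK), "PA" (PSH+ACK with data). Constructed, not captured.
Packet = Tuple[float, str, str, bytes]

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def build_sample_packets() -> List[Packet]:
    pkts: List[Packet] = []
    # Source A (assumed 10.0.0.5): classic SYN flood, repeated SYNs, never an ACK.
    for i in range(4):
        pkts.append((0.10 + 0.01 * i, "10.0.0.5", "S", b""))
    # Source B (assumed 10.0.0.7): completes the handshake, then floods requests.
    pkts.append((0.20, "10.0.0.7", "S", b""))
    pkts.append((0.21, "10.0.0.7", "A", b""))
    for i in range(60):
        req = b"GET /search?q=%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i
        pkts.append((0.30 + 0.01 * i, "10.0.0.7", "PA", req))
    # Source C (assumed 10.0.0.9): legitimate client, a few requests spread out.
    pkts.append((0.25, "10.0.0.9", "S", b""))
    pkts.append((0.26, "10.0.0.9", "A", b""))
    for i in range(3):
        req = b"GET /page%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i
        pkts.append((1.0 + 4.0 * i, "10.0.0.9", "PA", req))
    pkts.sort(key=lambda p: p[0])
    return pkts


def consecutive_syn_sources(packets: List[Packet]) -> Set[str]:
    """Conventional lower-layer heuristic from the text: flag a source whose
    packet sequence contains two or more SYNs in a row with nothing between."""
    last_flag = {}
    flagged = set()
    for _, src, flags, _ in packets:
        if flags == "S" and last_flag.get(src) == "S":
            flagged.add(src)
        last_flag[src] = flags
    return flagged


def request_flood_sources(packets: List[Packet], window: float = 1.0,
                          threshold: int = 20) -> Set[str]:
    """Application-layer check: consider only sources that completed the
    handshake (SYN followed by the client's ACK), and flag one that issues
    more than `threshold` HTTP requests within any `window`-second span."""
    saw_syn = set()
    established = set()
    req_times = defaultdict(list)
    flagged = set()
    for t, src, flags, payload in packets:
        if flags == "S":
            saw_syn.add(src)
        elif flags == "A" and src in saw_syn:
            established.add(src)  # client's ACK of the server's SYN-ACK
        elif src in established and HTTP_REQUEST.match(payload):
            times = req_times[src]
            times.append(t)
            while times and t - times[0] > window:  # slide the window forward
                times.pop(0)
            if len(times) > threshold:
                flagged.add(src)
    return flagged


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("SYN heuristic flags:      ", sorted(consecutive_syn_sources(pkts)))
    print("request-rate check flags: ", sorted(request_flood_sources(pkts)))
```

Each check catches exactly one of the two attackers: the SYN heuristic flags 10.0.0.5 and nothing else, while the request-rate check flags 10.0.0.7 and nothing else, which is the gap the paragraph above describes. The request-rate check is a deliberately simple stand-in for the per-session reasoning an application-layer defence has to do; a real deployment would also have to choose its threshold so that a busy but legitimate client is not mistaken for a bot.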
Malicious entities, such as users or software agents, may, alone or in combination with one or more other software agents, flood a server with requests for a service that consume a large amount of resources. Conventional approaches to protecting such a server typically disable the service or throttle access to it to prevent the server from crashing. However, this may leave legitimate clients unable to use the service, which in some cases results in lost revenue or customer dissatisfaction.