1. Field of the Invention
The present invention relates to intrusion detection systems. More particularly, the invention concerns an intrusion detection system that operates in a remote, on-demand computing service environment.
2. Description of the Prior Art
By way of background, many institutional entities purchase or lease computing resources and deploy them physically within their facilities. Users of these data processing systems will typically connect thereto over an institutional network or, to a limited degree, the institution may allow trusted individuals some type of VPN (Virtual Private Network) remote access over a public network, such as the Internet. In either case, the type of access to the data processing system (and by whom) is known.
Remote, on-demand computing is a more recent innovation in the data processing field. According to this model, a customer obtains computing services from a remote computer system that is not under the customer's physical custody and control. Instead, the remote system is typically owned by another entity that maintains the system at its own premises. In some cases, the system owner's equipment used to provide remote, on-demand service may be spread over plural geographic locations, as where the remote on-demand system comprises a computer grid network with plural interlinked data processing hosts. A disadvantage of remote, on-demand computing is that it is difficult for the remote user to know whether or not their applications and data are being accessed by others who may also have access to the same computer equipment, such as a system administrator associated with the on-demand service provider. On-demand users are generally provided with firewall protection implemented on the data processing hosts assigned to provide the on-demand services. However, firewalls only block network-originating intrusions, and only based on a fixed set of specific rules. Events such as a login by an on-premises administrator via a local console are typically not blocked, or even reported.
An intrusion detection system can detect unusual events and provide a record of suspected activity, regardless of its point of origin. However, as far as known, intrusion detection has not been offered to remote on-demand users so that they can monitor intrusion activity on the remote data processing hosts to which they are assigned. This may cause customers to be reluctant to take advantage of remote, on-demand services. For example, consider a hardware vendor who wishes to encourage a proprietary software vendor to test the software vendor's software on the hardware vendor's computing platform. Given the option of either running the software under a remote, on-demand service model or simply borrowing or renting the hardware and setting it up at their own facility, a security-conscious software vendor may well insist on the latter arrangement. This is undesirable from the hardware vendor's perspective due to the high capital costs of equipment loaner and leasing programs.
Accordingly, an intrusion detection system is needed that can provide remote on-demand computing service users with the security assurances they require before utilizing such services. What would be particularly desirable is an intrusion detection system for use in a remote, on-demand computing service environment wherein users are provided with a view of the remote data processing resources as though such resources were physically “in house,” and wherein the users are fully informed whenever security has been violated. Preferably, remote, on-demand service users should have the ability to fully define each type of security event they desire to have monitored and to specify how such events are to be handled.
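The following is an added illustration, not part of the patent text and not a description of any particular embodiment. It models the distinction drawn above between a network-only control (a firewall, which never sees a login at the local console) and a host-based intrusion detection check driven by a customer-defined policy that names each event type to be monitored and how it is handled. The log lines, host name, user names, addresses, event kind names and the `CUSTOMER_POLICY` structure are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample authentication log lines in a syslog-like format.
# Line 2 is a login at the physical console; line 4 is a privilege escalation
# from that same console session. Neither has a network origin.
SAMPLE_LOG = """\
Mar 10 02:14:07 host01 sshd[4121]: Accepted publickey for appuser from 203.0.113.25 port 51022 ssh2
Mar 10 02:15:30 host01 login[4188]: LOGIN ON tty1 BY sysadmin
Mar 10 02:16:02 host01 sshd[4201]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar 10 02:17:45 host01 sudo:   sysadmin : TTY=tty1 ; PWD=/home/appuser ; USER=root ; COMMAND=/bin/ls /home/appuser
"""


@dataclass
class Event:
    kind: str    # assumed event-kind names: net_login, net_login_failed, console_login, privilege_use
    user: str
    origin: str  # remote IP address for network events, tty name for local events
    raw: str


# Patterns for the constructed log format above (not a general syslog parser).
PATTERNS = [
    ("net_login", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<origin>\S+)")),
    ("net_login_failed", re.compile(r"sshd\[\d+\]: Failed \S+ for (?P<user>\S+) from (?P<origin>\S+)")),
    ("console_login", re.compile(r"login\[\d+\]: LOGIN ON (?P<origin>\S+) BY (?P<user>\S+)")),
    ("privilege_use", re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<origin>\S+)")),
]


def parse_events(log_text):
    """Turn raw log lines into typed events; lines matching no pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                events.append(Event(kind, m.group("user"), m.group("origin"), line))
                break
    return events


# Hypothetical customer-defined monitoring policy: the on-demand user names each
# event type to watch and the handling it wants (alert, log, or ignore with an
# allow-list). The structure is an assumption for this example.
CUSTOMER_POLICY = {
    "console_login":    {"action": "alert", "reason": "local console access on a remotely leased host"},
    "privilege_use":    {"action": "alert", "reason": "privilege escalation on customer host"},
    "net_login_failed": {"action": "log", "reason": "failed network authentication"},
    "net_login":        {"action": "ignore", "allowed_users": {"appuser"}},
}


def firewall_view(events):
    """What a network-only control can see: events that arrived over the network."""
    return [e for e in events if e.kind.startswith("net_")]


def evaluate(events, policy):
    """Apply the customer's policy to every event, regardless of its point of origin."""
    alerts, logged = [], []
    for e in events:
        rule = policy.get(e.kind)
        if rule is None:
            continue  # the customer chose not to monitor this event type
        if rule["action"] == "alert":
            alerts.append((e.kind, e.user, e.origin, rule["reason"]))
        elif rule["action"] == "log":
            logged.append((e.kind, e.user, e.origin))
        elif rule["action"] == "ignore":
            # An "ignored" kind still alerts when the user is not on the allow-list.
            if e.user not in rule.get("allowed_users", set()):
                alerts.append((e.kind, e.user, e.origin, "network login by unexpected user"))
    return alerts, logged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("firewall sees:", [(e.kind, e.user, e.origin) for e in firewall_view(evs)])
    alerts, logged = evaluate(evs, CUSTOMER_POLICY)
    for a in alerts:
        print("ALERT", a)
    for l in logged:
        print("LOG  ", l)
```

Run as written, the firewall view contains only the two network events; the console login and the subsequent privilege use by the on-premises administrator appear only in the alerts produced from the customer's own policy, which is the reporting gap the passage above describes.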