1. Field of the Invention
This invention relates to data network management. More particularly, the invention relates to an improved system and method for analyzing and preventing unauthorized use of data network resources.
2. Description of the Related Art
The rapid increase in the use of data networks by both corporations and private organizations has created a need for improved security and network management techniques. Organizations today store substantial amounts of confidential information on network servers and workstations including trade secrets, marketing strategies, financial documents, and classified technical information. The disclosure of such information to the public would, in most instances, cause severe damage to the organization.
In addition to the danger of confidential information being read out from the network, there is also a danger of unwanted information being written to the network. For example, with a working knowledge of how to evade currently available security systems, computer hackers (i.e., unauthorized users) are capable of crashing network servers and workstations, corrupting valuable data, and uploading computer viruses to the network. As such, organizations are forced to spend millions of dollars each year in an attempt to prevent this type of data network intrusion.
One system for handling a type of network misuse is commonly referred to as a “firewall.” Firewalls are generally situated between a local area network (hereinafter “LAN”) and all other external networks (e.g., the Internet). The firewall analyzes all incoming and outgoing digital information and makes a decision as to whether the information should be passed through or discarded. The firewall uses one or more algorithms provided by a network administrator to perform this analysis. For example, a network administrator may configure tables listing acceptable source and destination addresses for network traffic. Traffic addressed to an unlisted source or destination will be filtered out and discarded by the firewall.
Firewalls provide insufficient protection against computer hackers for a variety of reasons. One major reason is that firewalls only protect LANs from the outside world whereas the threat posed by computer hackers is not merely external. In fact, the majority of potential computer hackers are internal computer users, most of who already have access to the LAN. Although an individual user will typically be provided only limited access to LAN resources, the user may fraudulently acquire access to additional resources by misappropriating other users' passwords (or using other known computer hacking techniques).
A second problem associated with firewalls is that they are static in nature, requiring continuous updates by network administrators to work properly. If a computer hacker obtains the information necessary to break through the firewall (i.e., information needed to disguise his data as data originating from a legitimate source) he will acquire access to resources on the LAN. Another significant problem with firewalls is that they exclude data in an overly simplistic fashion: data is either passed through or it is discarded. No additional analysis is performed on incoming or outgoing data to determine whether the originator of the data—who may be disguising himself to the firewall—is attempting to misuse resources on the LAN.
A third problem with firewalls is that they do little to protect against abuse of “public” access. A firewall is like a lock on the doors of a convenience store that is open 24-hours a day. The public must be allowed into the store in order to conduct business transactions, the firewall must allow both the public as well as hackers, and can do little to detect or defend against the hackers masquerading as normal members of the public.
One technique used to augment the limited scope of protection provided by firewalls has been referred to as “misuse detection.” Misuse detection is the process of monitoring and reporting unauthorized or inappropriate activity on network computers. For example, Smaha et al., U.S. Pat. No. 5,557,742 (hereinafter referred to as “Smaha”) discloses a process for detecting a misuse condition by applying predetermined “misuse signatures” to identify known misuses of networked computers. An example of a misuse signature is four unsuccessful logins on a network computer followed by a successful login (see Smaha column 12, lines 12-13).
Several problems exist, however, with respect to prior misuse detection systems. First and foremost, these systems are overly simplistic in the manner in which they evaluate misuse conditions. For example, these systems simply identify misuse signatures transmitted across the network and generate an alert condition in response. They do not factor in relevant information which would allow a more accurate misuse determination such as, for example, the context in which the data signatures are transmitted, the types of nodes to which the data signatures are directed, and/or the responses of the nodes. As such, these systems are incapable of determining the likelihood that the attempted misuse actually succeeded. Intruder scans and attacks are so numerous on networks exposed to the Internet that distinguishing effective attacks from the background “noise” of the Internet has become extremely difficult, if not impossible.
An additional problem with prior art misuse detection systems is that these systems can only identify activity as being suspicious, but cannot conclusively differentiate among deliberate misuse attempts, accidents (e.g., user enters the wrong password), or normal incidents (e.g., network manager uses pings to monitor network performance). Thus, prior art misuse detection systems record all suspicious events and rely upon the intelligence of the operator to wade through the “false-positives” in order to find salient records.