1. Field of the Invention
The present invention relates to a network intrusion detection and prevention system and a method thereof, and more particularly, to a network intrusion detection and prevention system and method in which, when an unknown network intrusion occurs, the intrusion is detected by an anomaly-behavior-based detection method and, at the same time, a new signature usable by a signature-based detection method is created within a short time on the basis of that detection result; the created signature is then verified, and the verified signature is applied to a signature-based detection system to rapidly prevent the network intrusion.
2. Description of the Related Art
A conventional network intrusion detection and prevention system generally employs either a signature-based detection method or an anomaly-behavior-based detection method. In the signature-based detection method, a signature for each known network intrusion technique is prepared in advance and applied to the intrusion detection or prevention system; each system then inspects every packet on the network one by one and detects the network intrusion by checking whether an applied signature is present in the packet.
Since the signature-based detection method simply compares the packet with the signature, it is used in many network security appliances because of its very high detection accuracy and speed. However, the signature-based detection method has the drawback that it cannot detect a new network intrusion for which no signature is known.
Accordingly, to overcome this drawback of the signature-based detection method, the conventional anomaly-behavior-based detection method is also applied to the system. The anomaly-behavior-based detection method was developed to detect new attacks rather than known ones. It first has the intrusion detection and prevention system learn the normal behavior information of ordinary users; when network activity that deviates from that normal behavior is generated, the method traces the abnormal activity, on the basis of the normal behavior information, to find the network intrusion. Its great advantage is that unknown attacks can be detected.
However, the anomaly-behavior-based detection method has the drawback that a normal user may be falsely determined to be a network intrusion (a false positive), and at the same time a known attack, which the signature-based detection method could find, may erroneously fail to be detected. Furthermore, since it takes far longer to detect a network intrusion than the signature-based detection method does, the network cannot be protected in time.
Accordingly, current network intrusion detection and prevention systems employ both detection methods to strengthen network security. Even so, a new network attack is still not detected perfectly. When an unknown new attack occurs, such a system has the drawback that, because of the insufficient association between the two detection methods, it not only fails to detect the new attack within a short time but also, because of a very high detection rate, cannot rapidly cope with a new worm or Distributed Denial of Service (DDoS) attack that has a critically harmful influence on the network, resulting in critical damage to the network.
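As an added illustration written for this page (not code from the patent), the following toy pipeline shows the combination described in the Field of the Invention and the two detection methods compared above: an anomaly-behavior-based detector learns a profile from constructed normal traffic, a candidate signature is extracted from the packets it flags, the signature is verified against the normal baseline before deployment, and detection thereafter is a plain signature comparison. All traffic samples, the "EVIL-TOKEN-4242" marker bytes, the length and non-printable-byte features, and the z-score threshold are constructed assumptions.

```python
import statistics
# Constructed baseline of normal request payloads (not real traffic).
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /catalog?page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&pw=x",
]
# Constructed payloads of an attack with no signature yet: oversized requests that all
# carry the same fixed byte sequence (the "EVIL-TOKEN-4242" marker is made up).
MARKER = b"EVIL-TOKEN-4242" + b"\x90" * 8
UNKNOWN_ATTACK = [
    b"GET /cgi/" + b"A" * 120 + MARKER + b" HTTP/1.0\r\n\r\n",
    b"GET /search?q=" + b"B" * 100 + MARKER + b"\r\n\r\n",
    b"POST /x " + b"C" * 130 + MARKER + b"\r\n\r\n",
]
def _nonprint_ratio(p):
    bad = sum(1 for b in p if (b < 0x20 and b not in (0x09, 0x0a, 0x0d)) or b > 0x7e)
    return bad / max(len(p), 1)

def learn_profile(normal):
    """Anomaly-based step 1: summarise normal behaviour (length, non-printable ratio)."""
    lengths = [len(p) for p in normal]
    return {"len_mean": statistics.mean(lengths), "len_std": statistics.pstdev(lengths),
            "nonprint_max": max(_nonprint_ratio(p) for p in normal)}

def is_anomalous(packet, profile, z=3.0):
    """Anomaly-based step 2: flag packets far outside the profile (z threshold assumed)."""
    too_long = len(packet) > profile["len_mean"] + z * max(profile["len_std"], 1.0)
    return too_long or _nonprint_ratio(packet) > profile["nonprint_max"]

def extract_signature(anomalous, min_len=8):
    """Signature creation: longest byte string shared by every flagged packet."""
    shortest = min(anomalous, key=len)
    for n in range(len(shortest), min_len - 1, -1):       # longest candidates first
        for i in range(len(shortest) - n + 1):
            if all(shortest[i:i + n] in p for p in anomalous):
                return shortest[i:i + n]
    return None

def verify_signature(sig, anomalous, normal):
    """Verification: must hit every flagged packet and none of the normal baseline."""
    return sig is not None and all(sig in p for p in anomalous) and not any(sig in p for p in normal)

def run_pipeline(normal, traffic):
    """Anomaly detection -> signature creation -> verification -> signature-based matching."""
    profile = learn_profile(normal)
    flagged = [p for p in traffic if is_anomalous(p, profile)]
    sig = extract_signature(flagged) if len(flagged) >= 2 else None
    deployed = [sig] if verify_signature(sig, flagged, normal) else []
    return flagged, sig, deployed
```

In practice the verification step is what rejects candidate signatures that collapse to shared filler or protocol boilerplate, which would otherwise carry the anomaly method's false positives into the fast signature matcher.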