As information technology has become popularized with the assistance of the rapid development of information and communication technology combined with computers, network environments, and the Internet, so too has malicious network access, such as intrusions into server systems and the transmission of harmful traffic. A number of conventional security solutions are available to block malicious network accesses. These systems traditionally include the use of firewalls or dedicated network intrusion detection systems on a protected network.
Intrusion detection, in general, can be performed manually or automatically. Manual intrusion detection typically incorporates examining a log file system record or other evidence for signs of intrusions, including the amount of network traffic to or from a system or network. Systems that perform automatic intrusion detection are typically referred to as Intrusion Detection Systems (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based if it monitors the flow of network packets. Conventional IDS's are generally a combination of these two approaches. When a probable intrusion is discovered by a conventional IDS, typical actions to perform include logging relevant information to a file or database, generating an email alert, or generating a message to a pager or mobile phone.
Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction have been implemented through the interaction of Intrusion Detection Systems and access control systems such as firewalls.
Extrusion detection (or outbound intrusion detection) is a branch of intrusion detection aimed at developing mechanisms to identify successful and unsuccessful attempts to use the resources of a computer system to compromise other systems. Extrusion detection techniques generally focus on the analysis of system activity and outbound traffic in order to detect malicious users, networks or malware (malicious software) or network traffic that may pose a threat to the security of neighboring systems.
While intrusion detection is most concerned about the identification of incoming attacks (intrusion attempts), extrusion detection systems try to prevent attacks from being launched in the first place. They implement monitoring controls at “leaf” nodes of a protected network—rather than concentrating them at choke points, e.g. routers—in order to distribute the inspection workload and to take advantage of the visibility that a system has of its own state. The ultimate goal of extrusion detection is to identify attack attempts launched from an already compromised system in order to prevent them from reaching their target, thereby containing the impact of the threat.
Contemporary IDS and IPS (intrusion/extrusion defense) technologies, while effective, do not completely solve the problems associated with intrusion or extrusion attacks. If they do detect and initiate a defense, in most cases the prevention is implemented at the destination—either at the host or firewall in front of the host. The offending host or hosts may continue to launch the intrusion (in cases such as Denial of Service (DoS) or Distributed DOS (DDoS))—with the prevention including adding packet filters or dynamic logic to toss out or ignore the inbound offending packets, resulting in additional firewall or host processing.
What is needed therefore is a method for notifying an offending host of an intrusion attack so that proper action can be taken at the offending host to inhibit further transmission of the attack.