A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a number of different services, operating systems (or operating system versions) and communication protocols. Each of the different services, operating systems and communication protocols may expose the network to different security vulnerabilities. A malicious user or “hacker” may exploit these security vulnerabilities to gain unauthorized access to, disrupt or generally attack the network.
Typically, techniques for detecting these network attacks use pattern matching. In particular, an Intrusion Detection and Prevention device (“IDP”) may reside at an edge of a network and be statically configured or provisioned to apply regular expressions or sub-string matches to detect defined attack patterns within data streams entering the network. Some networks may feature more or fewer security vulnerabilities that require the IDP device to be statically provisioned to identify and/or prevent more or fewer attacks. Alternatively, the IDP device may be statically configured or provisioned to detect not only the harmful attacks but also those attacks that pose little to no security threat to the network, as these harmless attacks may provide a network administrator with information concerning malicious activity in general and thereby increase network security.
However, this additional information does not come without a cost, due in part to the static manner in which most IDP devices are provisioned. To provide information regarding both harmful and harmless attacks, the IDP device may be statically configured to detect a full set or range of attack patterns, which consumes significant device resources (e.g., processor cycles, memory, etc.). During times of high network congestion, the IDP device may be unable to inspect all of the data in time and, to preserve network security by denying entry to unanalyzed data, may delay, if not prevent, delivery of that data. Thus, by provisioning the IDP device to detect and/or prevent the full set or range of attack patterns, the IDP device may, during times of high network congestion, compromise network connectivity.
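The following is an added illustration of the mechanism and trade-off described in the two preceding paragraphs; it is not code from this document or from any IDP product. It models a statically provisioned IDP as a list of regular-expression and sub-string signatures applied to each payload, and models congestion as a per-payload inspection budget (an assumed abstraction: each signature costs one budget unit). When the budget runs out before the full signature set has been applied, the payload is denied as unanalyzed rather than forwarded uninspected, which is the connectivity cost the text describes. The signature names, patterns and payloads are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    """One statically provisioned attack pattern (constructed placeholder)."""
    name: str
    severity: str          # "high" = harmful, "low" = informational only
    pattern: str
    is_regex: bool = False


# Constructed signature set for illustration only; the patterns are generic
# placeholders, not signatures drawn from any real attack or product.
SIGNATURES: List[Signature] = [
    Signature("placeholder-long-run", "high", r"A{64,}", is_regex=True),
    Signature("placeholder-traversal", "high", "../../"),
    Signature("placeholder-long-param", "high", r"(?i)cmd=[^&\s]{200,}", is_regex=True),
    Signature("placeholder-scanner-ua", "low", "User-Agent: ExampleScanner"),
    Signature("placeholder-banner-probe", "low", "VERSION?"),
    Signature("placeholder-old-proto", "low", r"(?i)sslv2", is_regex=True),
]

# Constructed sample payloads (one benign request, two matching high-severity
# patterns, one matching only a low-severity pattern).
PAYLOADS: List[str] = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    "GET /" + "A" * 80 + " HTTP/1.1\r\n",
    "GET /../../secret HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: ExampleScanner\r\n",
]


def compile_signatures(sigs: List[Signature]) -> List[Tuple[Signature, Callable[[str], bool]]]:
    """Turn each signature into a matcher: compiled regex or plain sub-string test."""
    compiled = []
    for sig in sigs:
        if sig.is_regex:
            rx = re.compile(sig.pattern)
            compiled.append((sig, lambda data, rx=rx: rx.search(data) is not None))
        else:
            compiled.append((sig, lambda data, needle=sig.pattern: needle in data))
    return compiled


def inspect(payload: str, compiled, budget: int) -> Tuple[str, List[str]]:
    """Apply the provisioned signatures to one payload under an inspection budget.

    Returns (verdict, matched_signature_names). The verdict is 'allow' (nothing
    matched), 'block' (at least one signature matched) or 'deny-unanalyzed'
    (budget exhausted before the full set was applied; fail closed rather than
    forward data that was never fully inspected).
    """
    matched: List[str] = []
    for i, (sig, match) in enumerate(compiled):
        if i >= budget:
            return "deny-unanalyzed", matched
        if match(payload):
            matched.append(sig.name)
    return ("block" if matched else "allow"), matched


def high_severity_only(sigs: List[Signature] = SIGNATURES) -> List[Signature]:
    """The reduced provisioning: only patterns that represent a real threat."""
    return [s for s in sigs if s.severity == "high"]


def run(payloads: List[str], sigs: List[Signature], budget: int) -> Dict[str, int]:
    """Count verdicts over a batch of payloads for a given signature set and budget."""
    compiled = compile_signatures(sigs)
    counts = {"allow": 0, "block": 0, "deny-unanalyzed": 0}
    for payload in payloads:
        verdict, _ = inspect(payload, compiled, budget)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Uncongested: the full set fits the budget and every payload is classified.
    print("full set, budget 6 :", run(PAYLOADS, SIGNATURES, 6))
    # Congested: the full set no longer fits, so every payload is denied unanalyzed.
    print("full set, budget 3 :", run(PAYLOADS, SIGNATURES, 3))
    # Same congestion, but provisioned with only the harmful patterns.
    print("high only, budget 3:", run(PAYLOADS, high_severity_only(), 3))
```

Running the module prints the three verdict tallies. With the full six-signature set and a budget of three, all four payloads are denied as unanalyzed, including the benign request, whereas the three high-severity signatures alone still fit the budget and classify every payload; the informational matches are the only thing lost.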