1. Field of the Invention
The present invention is related to methods and systems for protection against network threats and, in particular, to a method and system for optimization of network traffic monitoring for presence of threats.
2. Description of the Related Art
Recently, the number of computer threats has drastically increased. For example, malware applications, such as computer viruses, network worms and Trojans, as well as malicious attacks, have become very common. Consequently, Intrusion Detection Systems (IDSs) have been developed and are widely used for protection of networks and individual computer systems.
The IDSs include hardware and software means intended for analyzing network (or computer system) events in order to detect attacks against vulnerable systems or services (applications). The IDSs also detect instances of unauthorized access. A typical IDS intercepts incoming traffic (i.e., transmitted network data) and analyzes it for presence of threats. Typically, the threats are detected using heuristic rules and signature analysis (using pre-stored signatures of known threats).
A conventional architecture of a network IDS is shown in FIG. 1. Network traffic is intended for computer systems 111 located within a LAN 110. The network traffic is analyzed for presence of threats by a network IDS 100. If the threats are detected by the IDS 100, the IDS 100 can block (entirely or partially) transmission of the traffic data to the computer systems 111.
If the traffic data is blocked partially, only the portion of the traffic data deemed clean by the IDS 100 is passed on to the computer systems 111. However, if the IDS 100 (using heuristic analysis) cannot produce a definitive verdict regarding the safety of the traffic data, the traffic data can be passed along to the recipients with a warning about the presence of suspicious components within the traffic data. Alternatively, the IDS 100 can be implemented on each computer system 111 and can analyze the network traffic coming into that computer system.
As the speed of network connections increases and the number of threats grows daily, modern IDSs have to analyze larger volumes of network traffic data using growing signature databases and large sets of heuristic rules. This creates significant delays in delivering the traffic data to a recipient. The delay is caused directly by the traffic analysis.
There are a number of solutions intended for optimizing traffic security processing and increasing the throughput of IDSs. For example, U.S. Pat. No. 7,617,533 discloses a system for detection of network attacks based on signature analysis of the network traffic performed at a network switch or a router. In order to optimize the process, only a portion of the incoming network traffic is analyzed.
U.S. Pat. No. 7,950,059 describes a method for detecting malware in a data stream. Only the part of the data stream deemed suspicious is checked for malware. A part of the data stream is deemed suspicious based on the presence of an illegal character in a protocol of the data stream.
U.S. Patent Publication No. 20100077482 describes a method for malware code detection in a data stream transmitted over a network. In order to speed up data processing, a special list containing samples of malware code and information about the portions of the data stream that may contain malware code is generated. Based on the information contained in the list, only those portions of the data stream are checked.
U.S. Pat. No. 7,535,909 discloses a method for processing network packets, where a size of a filtering window changes according to packet size. If the packet size is smaller than a size of a filtering window, the size of the window is reduced to the size of the packet. A minimal size of the packets to be checked is set, and the packets with the size below the minimal size are let through without checking. Thus, the filtering window adjusts to the packet size, and the packets with small sizes are excluded from checking, which speeds up overall processing of the packets.
The above-described solutions allow for speeding up network traffic processing. However, a desired level of reliability is not provided. In particular, if a new network threat is introduced, it can, with high probability, go undetected within a data stream.
U.S. Patent Publication No. 20070179935 describes a method of detecting malware code within a network data stream. The data stream is checked inside a window of a pre-set size using a number of checking modules. Each module checks a portion of the code against signatures of a certain size. Then, the window is shifted based on the result of the comparison for further checking. This solution increases the reliability of checking the network traffic, but requires checking the entire stream. Thus, the efficiency of the proposed method is low.
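The trade-off between the partial-checking approach (packets below a minimum size are let through unchecked, and the filtering window shrinks to the packet size) and the full sliding-window signature check described above, as an added toy illustration that is not code from any of the cited patents; the signatures, packets, window size and minimum packet size are all constructed sample values:

```python
# Added illustration, not from the patent text. Models the two prior-art
# strategies described above on constructed data:
#  - scan_stream: full sliding-window signature check over every byte offset,
#    one "checking module" per signature length, window shifted past a match
#  - scan_packets_filtered: packets below min_size are passed without checking,
#    and the window is reduced to the packet size for small packets

SIGNATURES = [b"EVIL", b"MALWARE!", b"BAD"]  # constructed signatures of several lengths


def scan_stream(data, window_size=8):
    """Full check: slide a window over every offset; return (offset, signature) hits."""
    hits = []
    pos = 0
    while pos < len(data):
        window = data[pos:pos + window_size]
        matched = None
        for sig in SIGNATURES:            # each signature length is one checking module
            if window.startswith(sig):    # a signature longer than the window cannot match
                matched = sig
                break
        if matched:
            hits.append((pos, matched))
            pos += len(matched)           # shift the window past the detected code
        else:
            pos += 1                      # no match: advance the window by one byte
    return hits


def scan_packets_full(packets, window_size=8):
    """Every packet is checked in full; returns (packet index, offset, signature)."""
    return [(i, pos, sig) for i, pkt in enumerate(packets)
            for pos, sig in scan_stream(pkt, window_size)]


def scan_packets_filtered(packets, min_size, window_size=8):
    """Partial check: skip packets smaller than min_size; returns (hits, skipped count)."""
    hits, skipped = [], 0
    for i, pkt in enumerate(packets):
        if len(pkt) < min_size:
            skipped += 1                  # passed through without any inspection
            continue
        win = min(window_size, len(pkt))  # window shrinks to the packet size
        hits.extend((i, pos, sig) for pos, sig in scan_stream(pkt, win))
    return hits, skipped


# Constructed packets: the third one is below the size threshold but carries a signature.
PACKETS = [b"GET /index.html", b"xxMALWARE!yy", b"BAD", b"hello"]

if __name__ == "__main__":
    print("full:    ", scan_packets_full(PACKETS))
    print("filtered:", scan_packets_filtered(PACKETS, min_size=6))
```

With these inputs the full check reports both signatures while the size-filtered check reports only the one in the large packet and skips two packets unread, which is the reliability gap the text describes.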
Accordingly, there is a need in the art for a system and method for efficient and reliable security processing of the network traffic.