1. Field of the Invention
The present invention relates to an apparatus and method for managing session state for stateful packet inspection (SPI).
2. Description of the Related Art
Conventional stateless analysis systems, which detect intrusions by examining a single packet at a given point, generate false positive alerts when faced with intrusion detection system evasion tools such as Stick or Snot.
Session stateful intrusion detection, such as stateful packet inspection (SPI), has been introduced to solve the above problem. However, when a session state tracking function is used to perform session stateful intrusion detection, most currently available products cannot properly perform their functions because their performance deteriorates rapidly on the giga-scale Internet.
Therefore, intrusion detection systems employing session stateful intrusion detection must increase their performance to keep pace with the rapidly developing Internet. To this end, most software-based products are being changed into hardware-based products.
Session stateful intrusion detection must maintain and manage information on several hundred thousand to several million sessions, and must overcome the lack of hardware resources, so that hardware-based products can perform properly on the giga-scale Internet.
Since intrusion detection systems employing session stateful intrusion detection maintain and manage session information, they are vulnerable to denial of service (DoS) attacks such as synchronize sequence number (SYN) flooding. To solve this problem, a variety of methods such as Syn Cache, Syn Cookies, SynDefender, Syn Proxying, Synkill, etc. have been suggested. However, it is still quite difficult to solve the problem using these methods.