§1.1 Field of the Invention
The present invention concerns the administration of network resources. In particular, the present invention concerns facilitating the establishment and enforcement of effective network policies.
§1.2 Background Information
Network administrators routinely deal with a variety of abuses such as the consumption of network bandwidth by unauthorized application services and the distribution of unauthorized content, to name a few. Abusers can be malicious attackers looking for free resources to host their illegal activities, a malicious insider running a peer-to-peer hub, or simply an ill-informed user unintentionally running an application proxy. The proliferation of peer-to-peer networks and the wide use of tunnels make it difficult to detect such abuses and easy to circumvent security policies.
The two most common defenses that are used to prevent network abuses are firewalls and Intrusion Detection Systems (IDS). Unfortunately, an IDS is not useful in detecting many types of abuses where the essence of the abuse is not captured by a simple set of signatures. Firewalls, on the other hand, are more effective in preventing abuse. Firewalls use port blocking to thwart unauthorized application services. For instance, if a security policy denies the use of Web servers inside a network then a firewall simply blocks traffic to port 80.
However, it is now well known that a firewall can be circumvented. For example, many firewalls do not block outbound connection requests. A malicious insider, or a host inside the network compromised by an attacker, can initiate a connection and transfer unauthorized data or make available an unauthorized service without being detected by a firewall. Another simple way to bypass the firewall would be to simply run the unauthorized service on a port that the firewall allows traffic on. For example, if the firewall blocks services on port 80 and leaves port 22 open so that users can telecommute, then a Web server can be configured to use port 22, thereby circumventing the security policy. A third way to get past the firewall is by tunneling. Tunneling works by encapsulating a network protocol within packets carried by another protocol. So in the above example, with the presence of a suitable proxy on the inside host, Web traffic could be tunneled through secure shell (SSH) traffic on port 22. Similarly, there are many other techniques to get past a firewall, given a malicious insider or a captured host inside the target network.
Firewall circumvention techniques present new challenges in abuse detection. Some abuse detection techniques simply use port blocking or bandwidth throttling. Routers simply monitor the bandwidth usage of hosts and enforce throttling when it exceeds a preset limit. However, this is not always an effective solution as the bandwidth may be used for legitimate purposes.
There has been some research work on identifying application types in the presence of weak port binding. (See, e.g., James P. Early, Carla E. Brodley, and Catherine Rosenberg, “Behavioral Authentication of Server Flows,” Nineteenth Annual Computer Security Applications Conference, pp. 46-55 (Las Vegas, Nev., USA, December 2003); and K. M. C. Tan and B. S. Collie, “Detection and Classification of TCP/IP Network Services,” Thirteenth Annual Computer Security Applications Conference, pp. 99-107 (San Diego, Calif., USA, December 1997).) These techniques identify the type of application using packet traces and machine learning algorithms. The present inventors believe that one disadvantage of such techniques is the potential for false positives, where an application is identified wrongly (as another application).
The present inventors have described techniques for flow content characterization (i.e., the ability to classify network packet contents as belonging to one of a set of data types like audio data, encrypted data, video data, etc., though not necessarily the identity of the application being used). (See Kulesh Shanmugasundaram, Mehdi Kharrazi, Nasir Memon, “Nabs: A System for Detecting Resource Abuses via Characterization of Flow Content Type,” Annual Computer Security Applications Conference (Tucson, Ariz., 2004), and Mehdi Kharrazi, Kulesh Shanmugasundaram, Nasir Memon, “Network Abuse Detection via Flow Content Characterization,” 5th Annual IEEE Information Assurance Workshop (West Point, N.Y., 2004).) Other techniques characterize flow content using the media headers of various file types, like the “file (1)” command on Unix systems. Such approaches have shortcomings. For example, since media headers (e.g., JPEG headers, MPEG headers, etc.) can be modified easily, it is easy to circumvent techniques that rely on the header information. Further, since not every packet contains header information, header-based monitoring techniques typically must examine each packet on the network. For instance, suppose there is a 200 KB JPEG image. When transmitted over a network, this image will be split into approximately 200 packets, only one of which contains the header. A header-based monitoring system must be able to examine each packet on the network for the string “JFIF” to determine that the content type is a JPEG image. Such a method might also result in false positives, as the string “JFIF” could appear not only in a JPEG image but also in a text file. In order to minimize such false positives, the method would require that some context information be maintained to properly identify the text.
As the foregoing example illustrates, such techniques may be very expensive in terms of computational and memory resources and therefore might not be practical on large networks, especially if traffic volume is high. Besides, packet drops and asymmetric routing may result in such techniques losing the packet that contains the header information, rendering them useless. Also note that some media types do not have headers at all. For example, plain-text and encrypted content usually have no headers to indicate their content type.
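To make the header-based shortcomings above concrete, here is an added example (not from the patent or its inventors) that fragments two constructed payloads into packets and compares a file(1)-style rule, which looks for the “JFIF” tag in each packet, against a per-packet byte-entropy rule that stands in for flow content characterization. The sample payloads, the 1400-byte packet size and the 7-bit entropy threshold are assumptions chosen for illustration.

```python
import math
from typing import Dict, List

# Constructed sample payloads (not real captures). A JFIF image begins with
# the SOI marker FF D8 and an APP0 segment carrying the ASCII tag "JFIF".
JPEG_HEADER = bytes([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10]) + b"JFIF\x00"
# A deterministic pseudo-random body stands in for compressed image data.
IMAGE_BODY = bytes((239 * i + 25) % 256 for i in range(4096))
# Plain text that merely mentions the tag: a false-positive source for header scanning.
TEXT_BODY = b"Meeting notes: the JFIF spec defines the APP0 segment. " * 64

def fragment(payload: bytes, mtu: int = 1400) -> List[bytes]:
    """Split a flow's payload into packet-sized chunks (assumed MTU)."""
    return [payload[i:i + mtu] for i in range(0, len(payload), mtu)]

def header_classify(packets: List[bytes]) -> List[str]:
    """Header-based rule: a packet is 'jpeg' only if it carries the JFIF tag,
    so only the single header-bearing packet of an image is recognised."""
    return ["jpeg" if b"JFIF" in p else "unknown" for p in packets]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for compressed or encrypted data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def content_classify(packets: List[bytes], threshold: float = 7.0) -> List[str]:
    """Content-characterization rule: every packet is labelled from its own
    byte statistics, so no packet needs to have seen the header."""
    return ["compressed" if shannon_entropy(p) > threshold else "text" for p in packets]

def compare(flow: bytes, drop_first: bool = False) -> Dict[str, List[str]]:
    """Run both rules over a flow; drop_first simulates losing the header
    packet to a packet drop or asymmetric routing."""
    pkts = fragment(flow)[1:] if drop_first else fragment(flow)
    return {"header": header_classify(pkts), "content": content_classify(pkts)}

if __name__ == "__main__":
    print(compare(JPEG_HEADER + IMAGE_BODY))               # header rule sees 1 of 3 packets
    print(compare(JPEG_HEADER + IMAGE_BODY, drop_first=True))  # header rule sees nothing
    print(compare(TEXT_BODY))                               # header rule flags text as jpeg
```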
Finally, the present inventors believe that enforcing policies only on the basis of content type is too inflexible in many instances.
As can be appreciated from the foregoing, it would be useful to have improved techniques for enforcing network policies. It would be useful if such techniques did not need to rely on information in packet headers or on port information.
It would also be useful to permit the definition and enforcement of rich and flexible policies.