A global computer network uses routers to route packet-based data traffic from a source computer or server to a destination computer or server. A router in a network may perform different functions or roles. Border routers are situated between a business's internal network and the Internet Service Provider that connects it to the global network. A border router, also called a gateway router, acts as a gatekeeper for the internal network by enforcing a security policy on the traffic that crosses it. Internal routers connect and mediate traffic between the computers of the business's internal network. A business's network, protected by one or more border or gateway routers, is also called an autonomous network (an autonomous system, in routing terminology).
There are generally two classes of traffic among routers. One is network maintenance traffic carried by existing routing protocols, such as BGP between a local network and the routers of the global network, and interior gateway protocols (IGPs) such as RIP within a network. The other is user traffic from a source server to a destination server. Based on many published news items, the autonomous networks of businesses are under constant cyber attack from entities throughout the global network, using either or both of these traffic types.
Attacks on a network take many forms, and new methods keep evolving. One type floods a single node with more traffic than it can handle and is called a denial of service attack. Another type attempts to get inside the network by ruses that make the attack traffic indistinguishable from legitimate traffic at the border routers that screen it. The purpose of this second type of attack is to learn and/or steal valuable data and information stored on the servers inside the network.
Many forms of defense have been developed to counter these types of attack. The main one is the firewall, which screens traffic against access control lists and filters packets whose contents match predefined signatures. As an additional means of security, the prior art uses filters that inspect the contents of data packets for a signature representing a known anomaly, such as a virus or worm. Such filters run on the host and may run on some gateway routers, but they are not used in the routers within the network.
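As an added illustration of the two screening steps just described, the following Python is example code written for this page, not code from the application or from any firewall product: a first-match access control list followed by a signature filter over the packet contents. The addresses, ACL entries, signature patterns and sample packets are all constructed for the example. The last sample packet shows the limitation raised later in this background: a packet whose content matches no known signature is forwarded like any other.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed ACL for a border router in front of 192.0.2.0/24. First match wins;
# the last entry makes the default deny explicit.
ACL = [
    AclEntry("permit", ANY, ipaddress.ip_network("192.0.2.10/32"), "tcp", 443),  # public web server
    AclEntry("permit", ANY, ipaddress.ip_network("192.0.2.25/32"), "tcp", 25),   # mail relay
    AclEntry("deny", ANY, ANY, "any", None),
]

# Constructed content signatures standing in for a vendor signature feed; each is a
# byte pattern of one known attack. Content that matches no pattern is not flagged.
SIGNATURES = {
    "cmd-injection-shell": re.compile(rb"[;|&]\s*/bin/sh\b"),
    "sqli-tautology": re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
}


def acl_action(p: Packet) -> str:
    for entry in ACL:
        if entry.matches(p):
            return entry.action
    return "deny"   # unreachable with the explicit final entry; kept as a safety net


def signature_hit(payload: bytes) -> Optional[str]:
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def screen(p: Packet) -> tuple:
    """Border-router screening: ACL first, then payload signatures on permitted traffic."""
    if acl_action(p) != "permit":
        return ("drop", "acl")
    hit = signature_hit(p.payload)
    if hit:
        return ("drop", "signature:" + hit)
    return ("forward", "no signature matched")


# Constructed sample traffic arriving at the border router.
SAMPLE_PACKETS = {
    "web": Packet("198.51.100.7", "192.0.2.10", "tcp", 443, b"GET /index.html HTTP/1.1\r\n"),
    "ssh": Packet("198.51.100.7", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "sqli": Packet("198.51.100.9", "192.0.2.10", "tcp", 443,
                   b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n"),
    # Same intent as "sqli" but written in a form no signature describes: the ACL
    # permits it and the content filter has nothing to match.
    "novel": Packet("198.51.100.9", "192.0.2.10", "tcp", 443,
                    b"GET /login?user=admin'/**/OR/**/2>1-- HTTP/1.1\r\n"),
}
```

Calling `screen()` on the four samples gives forward, drop (ACL), drop (signature) and forward respectively; the signature step only ever subtracts from what the ACL already admits, and it can subtract nothing it has not been told about in advance.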
Another type of defense measures the statistical behavior of traffic and compares it with normal traffic to determine whether an attack is under way. Packet flow traffic analysis is used to discern an anomalous rate of packet flow by comparing it with normal traffic flow patterns. Audit log files are examined either in real time or after the fact to determine whether an attack has taken place. The information security industry calls these techniques Intrusion Detection and Prevention Systems (IDS/IPS).
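The rate comparison described above, run over audit log lines, as an added example written for this page (not code from the application or from any IDS product). The one-line-per-packet log format, the traffic mix and the burst from a single source are all constructed; the baseline is learned from the first minute and later one-second windows are flagged when their packet count exceeds the mean by k standard deviations.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format: one line per packet seen at the border router.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse_line(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def constructed_log() -> list:
    """70 seconds of traffic to the web server 192.0.2.10: a steady 2-4 packets per second
    from six ordinary clients, plus one 40-packet burst from a single source in second 65."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    clients = ["203.0.113.%d" % i for i in range(1, 7)]
    lines = []
    for s in range(70):
        ts = (t0 + timedelta(seconds=s)).isoformat()
        for k in range(2 + s % 3):
            lines.append(f"{ts} src={clients[(s + k) % len(clients)]} dst=192.0.2.10 proto=tcp dport=443")
        if s == 65:
            lines += [f"{ts} src=198.51.100.66 dst=192.0.2.10 proto=tcp dport=443"] * 40
    return lines


def per_second_counts(records: list, dst: str) -> dict:
    """Map each one-second window to a Counter of packets per source address for `dst`."""
    counts = defaultdict(Counter)
    for r in records:
        if r["dst"] == dst:
            counts[r["ts"].replace(microsecond=0)][r["src"]] += 1
    return counts


def detect_rate_anomalies(lines: list, dst: str, train_seconds: int = 60,
                          k: float = 3.0, floor: float = 1.0) -> list:
    """Learn the normal per-second packet rate to `dst` from the first `train_seconds`,
    then flag later windows whose rate exceeds mean + k * stdev. `floor` keeps a
    near-zero baseline variance from flagging every small fluctuation."""
    records = [r for r in map(parse_line, lines) if r]
    counts = per_second_counts(records, dst)
    if not counts:
        return []
    t0, last = min(counts), max(counts)
    windows = [t0 + timedelta(seconds=i) for i in range(int((last - t0).total_seconds()) + 1)]
    totals = {w: sum(counts[w].values()) for w in windows}   # empty windows count as zero
    train = [totals[w] for w in windows if (w - t0).total_seconds() < train_seconds]
    mean, std = statistics.mean(train), statistics.pstdev(train)
    threshold = mean + k * max(std, floor)
    alerts = []
    for w in windows:
        if (w - t0).total_seconds() < train_seconds or totals[w] <= threshold:
            continue
        top_src, n = counts[w].most_common(1)[0]
        alerts.append({"window": w, "count": totals[w], "baseline_mean": mean,
                       "threshold": threshold, "top_src": top_src, "top_src_share": n / totals[w]})
    return alerts
```

On the constructed log the baseline is 3 packets per second with a threshold of 6, and exactly one window (10:01:05, 44 packets, 40 of them from 198.51.100.66) is reported. The same routine serves both uses named in the text: fed lines as they arrive it runs in real time, fed a saved log file it runs after the fact.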
Another type of defense is to encrypt the packet. To protect the data during transmission, the data part of the packet is encrypted by the sending computer and decrypted by the receiving computer. For additional security, namely to prevent an adversary from performing traffic flow analysis on the source and destination IP addresses, it is desirable to hide the packet's source and destination addresses as well. For this purpose, the prior art uses the IPsec protocol, which is widely used in industry: in its tunnel mode the entire packet, header and data alike, is encrypted and a new header, called the outer header, is added. This IPsec function may be performed between the gateway routers of two networks.
All of these defenses have shortcomings; none is entirely successful, and attacks still take place. In spite of them, based on published news items, harm-causing packets are still introduced into networks. If there is no prior signature for an anomaly, the data packets cannot be filtered; the harmful packets are then indistinguishable from other packets and cannot be separated out based on their content, whether in the header or in the data.
The underlying reason such attacks succeed is that the source and destination IP addresses in a packet are written entirely by the sender, so the receiver of a data packet has no assurance that they are genuine.
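Two of the points above can be shown on actual packet bytes: that a source address is simply a field the sender fills in and the receiver cannot check beyond the header checksum, and that tunnel-mode encapsulation between gateways leaves an on-path observer seeing only the gateway addresses. The following Python is an added example written for this page, not code from the application or from any IPsec implementation. All addresses and the shared key are constructed. The ESP cipher suite is replaced by an HMAC-SHA256 counter-mode keystream so that the example runs with the standard library alone; a real gateway would use a negotiated suite such as AES-GCM with keys from IKE, and the ESP framing here (SPI, sequence number, 16-byte tag) is a simplification of the real format.

```python
import hashlib
import hmac
import socket
import struct

PROTO_UDP = 17
PROTO_ESP = 50   # IP protocol number carried in the outer header of an ESP packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 16-bit header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload.
    The source address is whatever the caller passes; nothing binds it to the sender."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Header fields plus checksum verification. A good checksum only shows the header
    survived transit intact; it says nothing about whether the source address is genuine."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl,
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0, "payload": packet[ihl:total_len]}


def spoofed_packet() -> bytes:
    """Constructed: a datagram claiming to come from internal host 10.0.0.5, which the
    real sender does not control. The receiver's checksum check still passes."""
    return build_ipv4("10.0.0.5", "192.0.2.10", PROTO_UDP, b"hello")


# --- tunnel-mode style encapsulation between two gateways -----------------------------

def _subkeys(key: bytes):
    # Separate encryption and authentication keys from one shared secret
    # (assumption: in practice both come out of the IKE key exchange).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"auth", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for the ESP cipher: HMAC-SHA256 in counter mode, stdlib only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def tunnel_encapsulate(inner: bytes, key: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Encrypt the whole inner packet (header and data), prepend an ESP-like header with SPI and
    sequence number, append an integrity tag, and wrap it all in a new outer IP header that
    names only the two gateways. `seq` must never repeat for a given SPI and key."""
    enc_key, auth_key = _subkeys(key)
    esp_hdr = struct.pack("!II", spi, seq)
    body = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, esp_hdr, len(inner))))
    tag = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:16]
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, esp_hdr + body + tag)


def tunnel_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Reverse of tunnel_encapsulate; the tag is verified before anything is decrypted."""
    enc_key, auth_key = _subkeys(key)
    f = parse_ipv4(outer)
    if not f["checksum_ok"] or f["proto"] != PROTO_ESP:
        raise ValueError("not an ESP-like packet")
    esp, tag = f["payload"][:-16], f["payload"][-16:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:16], tag):
        raise ValueError("integrity check failed")
    esp_hdr, body = esp[:8], esp[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, esp_hdr, len(body))))


def tunnel_example() -> dict:
    """Constructed: host 10.0.0.5 behind gateway 198.51.100.1 sends to host 10.1.0.7 behind
    gateway 203.0.113.1. Returns what an on-path observer sees and what the far gateway recovers."""
    key = b"\x2a" * 32   # constructed shared secret
    inner = build_ipv4("10.0.0.5", "10.1.0.7", PROTO_UDP, b"hello")
    outer = tunnel_encapsulate(inner, key, spi=0x1000, seq=1, gw_src="198.51.100.1", gw_dst="203.0.113.1")
    seen = parse_ipv4(outer)
    return {"inner": inner, "outer": outer, "key": key,
            "seen_on_path": (seen["src"], seen["dst"], seen["proto"]),
            "recovered": tunnel_decapsulate(outer, key)}
```

`parse_ipv4(spoofed_packet())` reports a valid checksum and source 10.0.0.5 even though nothing about the packet ties it to that host, which is the gap the preceding paragraph identifies. In `tunnel_example()` the outer header carries only 198.51.100.1 and 203.0.113.1 with protocol 50; the inner addresses travel inside the encrypted body, and the far gateway recovers the original inner packet byte for byte. Note that the tag authenticates the tunnel between the two gateways, not the inner source address: a spoofed inner packet that reaches the near gateway is encapsulated and delivered like any other.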
Hence, it is an objective of this invention to teach new types of computer network defense techniques that are believed to be more effective because they address the underlying reason such attacks succeed. The author has filed many patent applications that teach other types of network defense. This application teaches yet another type of computer network defense.