Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service, and so forth.
The first line of defense against all of these types of security events is typically the denial of access through good passwords and strong firewalls at the nodal level of a computer network. However, one of the unintended consequences of security systems that defeat attempts to steal information or produce network damage and report the status is that repelling a large scale attack may lead to such a large number of trouble messages as to overwhelm the network and lead to denial of service simply by the volume of messages.
A large network is likely to concurrently experience security events at some or multiple nodes on a frequent basis. Many of these security events are likely to be of low sophistication and easily repulsed by the protection software and systems at the affected nodes. Thus, real-time reporting of these security events can be counter productive when the reporting uses large amounts of bandwidth. However, a coordinated series of even low sophistication security events may indicate a real problem that must be addressed to maintain the network's capability and effectiveness.
Some conventional security management tools available to a network manager for determining the effects of attacks fall into three categories, network modelers, static analyzers and testers, and dynamic analyzers.
Network modeling tools are popular for the original design and updating of networks. They typically are configured with various communication protocols and node types and can depict the hierarchy of the network along with symbols for the various types of nodes in the network. They also have load generation modules to help the designer arrive at the needed capacity on the nodes and transmission paths. Network modeling tools are used to answer "what if" types of analysis questions. For example, by eliminating a node or set of nodes and one or more of the communication paths network modeling tools can simulate the effects of a successful attack. Also, additional load can be generated to simulate the messaging that might result from an attack, successful or not. Through these methods, the network administrator can gain some knowledge of the robustness of his or her design and validate some mitigation approaches. Unfortunately, a shortcoming of network modeling tools is that they cannot be used in a dynamic manner to display the current status of a network. Rather, they only display the entries from some network description data base.
Static analyzers are tools that may be used by a network manager to simulate an attack against his own network. Static analyzers can probe for network weaknesses by simulating certain types of security events that make up an attack. Other tools can test user passwords for suitability and security. There are also tools that can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Unfortunately, these tools either test the integrity of the network, or identify a security event after it has occurred. They do not provide an immediate response in the case of an attack made up of several security events of differing types.
Dynamic analyzers are tools that are used to monitor networks and respond at the time of the attack. Dynamic analyzers typically look for specific actions that signify an attack or compare user actions to previously stored statistics to identify significant changes. They also provide messages to the network manager when they sense a possible security event. However, this latter mechanism leads to a significant problem for network capacity if the number of security events were so large that the trouble message for an attack consumes all or a significant portion of the available bandwidth. Another problem with dynamic analyzers is that they work primarily on a nodal basis. Thus, they are unable to amalgamate the security events occurring at a multiplicity of nodes in a computer network to obtain a network view of an attack. So dynamic analyzers may miss the significance of a coordinated series of low level security events at multiple nodes. Also, because of their nodal orientation, their reports tend to be presented as lists of data that can be difficult to evaluate quickly in the event of a large scale attack, or an attack that involves many security events at many nodes.
Thus, what is needed is a system and a method that has the capability of providing a network view of an attack as the attack is occurring. Furthermore, what is needed is a system and method for displaying attack information in a usable and quickly interpretable form to a network manager while minimizing the loading on the computer network. If an attack occurs at a time of stress, a network manager may be overwhelmed with both responding to an attack and providing operational control and messages through the network. Thus, what is needed is a system and a method that provides a network manager with knowledge of the severity and overall nature of the attack, what its expected impact could be, and a set of recommended actions. In addition, what is needed is a system and method that has the ability to evolve with evolving threats to effectively mitigate new approaches to network attacks.