Electronic systems and circuits have made a significant contribution towards the advancement of modern society and are utilized in a number of applications to achieve advantageous results. Numerous electronic technologies such as digital computers, calculators, audio devices, video equipment, and telephone systems have facilitated increased productivity and reduced costs in analyzing and communicating data, ideas and trends in most areas of business, science, education and entertainment. Frequently, electronic systems designed to provide these advantageous results are realized through the use of networked resources that facilitate leveraged utilization of centralized utility and data resources by distributed components. While the leveraged utilization of the centralized resources is advantageous, organization and maintenance of the centralized resources is usually very complex and often susceptible to detrimental intrusive attacks.
Centralizing certain resources within a distributed network typically provides desirable benefits. For example, centrally storing and/or processing information typically reduces wasteful duplicative storage and/or processing resources at each remote networked system. The ever increasing demand for centralized type services is largely attributable to the ever growing cost of specialized information technology services and the increasing complexity of managing mission critical Enterprise and Internet applications. In supporting desirable flexibility and extensibility, centralizing resources can involve handling diverse applications, architectures and topologies (e.g., associated with a multi-vendor environment). Managing the infrastructure of a large and complicated centralized networked resource environment raises many challenging operational issues.
Providing security for important centralized network assets is usually very important and also often complex. Offering ubiquitous access to a diverse set of centralized resources introduces challenges associated with protecting the centralized resources from intrusive attacks (e.g., attacks that can detrimentally affect service quality). Traditional intrusion detection systems are usually limited to one type of sensing capability, and each type of intrusion detection sensing has its own strengths and weaknesses. A host intrusion detection system (HIDS) usually tries to detect an intrusion on a host. A HIDS is usually limited to sensing very localized events and often only detects events on a particular host system and nowhere else. Some HIDS are focused on data integrity and may expend a lot of resources on false alarms that are triggered solely by a date or timestamp change, which does not necessarily provide a reliable indication of an intrusion attempt. A network intrusion detection system (NIDS) usually tries to detect intrusions directed at traffic on a network segment. For example, a NIDS is usually limited to sniffing network traffic at a switching point. While a NIDS may often be deployed to service a rather significant part of a network, it is usually limited to deployment at a network egress point. Since traditional intrusion detection systems do not typically have broad sensing capabilities, such systems usually have weak or no protection against the types of intrusion attacks that are not the primary focus of a particular sensor.
It is desirable to have protection against a variety of different potential types of intrusion attacks. However, traditionally this involves a variety of different intrusion detection systems and sensors from multiple vendors. Managing such diverse intrusion detection across an overall system is usually difficult and expensive. The various intrusion detection sensors usually issue alerts with different severity assignments and different attributes. Traditionally, it is very difficult to resolve the differences in the sensor alerts to achieve an indication as to the true character and/or severity of an intrusion. For example, different conventional intrusion detection systems have different consoles and databases, and intrusion detection sensors often sense different things such as signatures, data anomalies, file changes, and/or source addresses. Dealing with diverse alerts from multi-vendor equipment is usually resource intensive (e.g., an IDS management console is required for each system), and interpreting the intrusion detection information is usually laborious and often requires a significant level of knowledge and expertise on each proprietary IDS system management console. The diversity can also increase susceptibility to flaws associated with human error (e.g., circumvention of the underlying infrastructure protection measures through security holes introduced by human error).
The diversity can introduce duplication problems. A system may include two different types of sensors whose intrusion sensing indications at least partially overlap, so that both provide alarms for the same event. Interpreting and recognizing the redundancy can be difficult. Misinterpreting or failing to recognize the duplication can be wasteful and lead to detrimental interruptions. For example, some resource administrators may respond to a single intrusion attempt by halting and/or shutting down a system repeatedly, once for each duplicate alarm. In addition, trying to manually interpret alarms in multi-vendor and multi-type sensor systems can lead to false positive and false negative indications of intrusion attempts. For example, conventional attempts at interpreting a variety of different unconsolidated and uncorrelated alarms can easily result in a false indication of an intrusion attempt or a false indication that an intrusion attempt is not occurring.
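The two preceding paragraphs describe the core of the problem: sensors from different vendors report different severity scales, different attributes and different asset identifiers, and overlapping sensors raise duplicate alarms for one event. The following is an added illustration, not code from this document or from any vendor's product, of how a consolidation layer can normalize alerts from two sensor types into one schema and merge overlapping alerts into a single incident. The two record formats, the severity scales (a NIDS priority 1..4 with 1 most severe; a HIDS level 0..15 with 15 most severe), the category mappings, the asset inventory and the sample alerts are all hypothetical and constructed for the example.

```python
"""Normalize alerts from two hypothetical sensor formats (a NIDS and a HIDS)
into one schema and consolidate overlapping alerts into incidents.

Added example; the formats, scales and sample alerts are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical asset inventory: the HIDS reports hostnames, the NIDS reports
# destination IPs, so both must be resolved to one asset key before correlation.
ASSET_MAP = {"web01": "10.0.0.5", "db01": "10.0.0.9"}

# Hypothetical vendor severity scales mapped onto one shared 0..100 scale.
NIDS_PRIORITY = {1: 90, 2: 70, 3: 40, 4: 10}          # NIDS: 1 is most severe


def hids_level_to_severity(level: int) -> int:         # HIDS: 0..15, 15 most severe
    return round(level * 100 / 15)


# Vendor-specific classifications mapped onto shared categories (hypothetical).
NIDS_CLASS = {"web-application-attack": "web_attack", "trojan-activity": "malware"}
HIDS_GROUP = {"web_log_attack": "web_attack", "syscheck": "file_change",
              "authentication": "auth"}


@dataclass
class Alert:
    sensor: str        # which sensor raised it
    host: str          # affected asset, as an IP after resolution
    category: str      # shared category
    severity: int      # shared 0..100 scale
    when: datetime
    detail: str


def from_nids(rec: dict) -> Alert:
    return Alert(sensor=rec["sensor"], host=rec["dst_ip"],
                 category=NIDS_CLASS.get(rec["class"], "other"),
                 severity=NIDS_PRIORITY[rec["priority"]],
                 when=datetime.fromisoformat(rec["ts"]), detail=rec["msg"])


def from_hids(rec: dict) -> Alert:
    return Alert(sensor=rec["sensor"],
                 host=ASSET_MAP.get(rec["hostname"], rec["hostname"]),
                 category=HIDS_GROUP.get(rec["group"], "other"),
                 severity=hids_level_to_severity(rec["level"]),
                 when=datetime.fromisoformat(rec["ts"]), detail=rec["description"])


@dataclass
class Incident:
    host: str
    category: str
    severity: int          # highest severity seen across the merged alerts
    first: datetime
    last: datetime
    sensors: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def consolidate(alerts, window=timedelta(minutes=5)):
    """Merge alerts with the same asset and category that arrive within
    `window` of the incident's last alert; one incident per real event,
    regardless of how many sensors reported it."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.when):
        for inc in incidents:
            if (inc.host == a.host and inc.category == a.category
                    and a.when - inc.last <= window):
                inc.severity = max(inc.severity, a.severity)
                inc.last = a.when
                inc.sensors.add(a.sensor)
                inc.alerts.append(a)
                break
        else:
            incidents.append(Incident(a.host, a.category, a.severity,
                                      a.when, a.when, {a.sensor}, [a]))
    return incidents


# Constructed sample alerts (not real sensor output). The first three describe
# one SQL injection attempt seen twice on the wire and once in the web log.
RAW_NIDS = [
    {"sensor": "nids-edge", "ts": "2024-05-01T12:00:03", "dst_ip": "10.0.0.5",
     "class": "web-application-attack", "priority": 1, "msg": "SQL injection in URI"},
    {"sensor": "nids-edge", "ts": "2024-05-01T12:00:11", "dst_ip": "10.0.0.5",
     "class": "web-application-attack", "priority": 1, "msg": "SQL injection in URI"},
]
RAW_HIDS = [
    {"sensor": "hids-web01", "ts": "2024-05-01T12:00:05", "hostname": "web01",
     "group": "web_log_attack", "level": 10, "description": "SQL injection pattern in access log"},
    {"sensor": "hids-web01", "ts": "2024-05-01T12:01:30", "hostname": "web01",
     "group": "syscheck", "level": 12, "description": "/var/www/html/upload.php added"},
    {"sensor": "hids-db01", "ts": "2024-05-01T12:40:00", "hostname": "db01",
     "group": "authentication", "level": 3, "description": "sshd: failed password for admin"},
]


def demo():
    alerts = [from_nids(r) for r in RAW_NIDS] + [from_hids(r) for r in RAW_HIDS]
    return consolidate(alerts)


if __name__ == "__main__":
    for inc in demo():
        print(f"{inc.host:10} {inc.category:12} sev={inc.severity:3} "
              f"sensors={sorted(inc.sensors)} alerts={len(inc.alerts)}")
```

Running the sample yields three incidents from five raw alerts: the SQL injection attempt collapses into one incident reported by both sensors at the higher (NIDS) severity, while the file change and the failed login remain separate. The choice of correlation key (asset plus category) and time window is where most of the judgment lies; too loose a key merges distinct events, too tight a key reproduces the duplicate-alarm problem the paragraph above describes.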
In addition to detecting a potential intrusion attempt, it is usually desirable to implement corrective action. Implementing proper corrective action usually relies upon an indication of an intrusion attempt and proper interpretation of the detection information. Traditional attempts at responding to diverse intrusion detection alarms are usually resource intensive and laborious. Understanding which corrective mechanisms are appropriate, and implementing an effective incident response strategy and operational framework using traditional event handling operational principles, is complex and traditionally a difficult endeavor.