The present application is related to a co-pending application entitled xe2x80x9cSYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR IMPROVING COMPUTER NETWORK INTRUSION DETECTION BY RISK PRIORITIZATIONxe2x80x9d which was filed coincidently herewith by the same inventor(s) under Ser. No. 10/011,165, and which is incorporated herein by reference.
The present invention relates to intrusion detection scanning methods, and more particularly to improving intrusion detection scanning performance.
Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network""s capacities in order to cause denial of service, and so forth.
A variety of intrusion detection programs have been developed to detect and protect against threats to network security. As is known in the art, a common method of detecting these threats is to use a scanning engine to scan for known attacks against networked computers. These attacks can be identified by their unique xe2x80x9cattack signaturexe2x80x9d which generally consists of a string of binary or text data. Upon the detection of an attack signature by the scanning engine, protective measures can be taken, including: sending alerts; intercepting harmful traffic; or disconnecting users who launch attacks.
Such intrusion detection programs are often positioned on a network to monitor traffic between a plurality of network devices. In use, a network administrator may set a sensitivity of an intrusion detection program which dictates a degree of certainty required before an event is determined to be a threat. In other words, by setting the intrusion detection program sensitivity low, fewer benign events will be misidentified as attacks, but the amount of actual attacks that go undetected may increase. On the other hand, by setting the intrusion detection program sensitivity high, more potential attacks will detected, but the amount of work required to differentiate between the misidentified events and actual attacks increases.
There is thus a need for a technique to decrease the workload of a network administrator by reducing the number of potential attacks which must be ascertained as actual attacks, while preventing any actual attacks from going undetected.
A system, method and computer program product are provided for scanning a source of suspicious network communications. Initially, network communications are monitored for violations of policies. Then, it is determined whether the network communications violate at least one of the policies. Further, a source of the network communications that violate at least one of the policies is identified. Upon it being determined that the network communications violate at least one of the policies, the source of the network communications is automatically scanned.
In one embodiment, it may also be determined whether the network communications exploit at least one of a plurality of known vulnerabilities. Further, a remedying event may be executed if it is determined that the network communications exploit at least one of the known vulnerabilities.
In another embodiment, the policies may be user-defined. Further, the policies may be defined to detect potential attacks in the network communications.
In still another embodiment, the scan may include a risk assessment scan for identifying vulnerabilities at the source. A remedying event may be initiated based on the risk assessment scan. As an option, a database of known vulnerabilities may then be updated based on the risk assessment scan. Such database of known vulnerabilities may then be utilized for determining whether the network communications exploit at least one of a plurality of the known vulnerabilities, and executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities, as set forth hereinabove.
As an option, the present embodiment may be carried utilizing an intrusion detection tool in combination with a risk assessment scanning tool. In the alternative, the various operations may be executed utilizing a single module.
By this design, a intrusion detection tool may monitor the network communications with a low sensitivity when determining whether such network communications exploit a plurality of known vulnerabilities. While, in the prior art, this would mean that actual attacks may go undetected, the present embodiment prevents this by scanning any source of policy-violating, anomalous behavior using a risk assessment scanning tool. To this end, by adding an additional level of abstraction, any potential attacks may be ruled out using a risk assessment scan without an increase in network administrator workload.