Field
Embodiments of the present invention generally relate to the field of computer networks. In particular, various embodiments relate to methods and systems for logging data to facilitate capturing and understanding of the context of an attack.
Description of the Related Art
Networked computers represent significant targets of opportunity for both recreational and malicious hackers, viruses, worms, scripted attacks, etc. Hacks and hackers have different levels of sophistication, and in the case of a successful hack, access to a computer is gained through its network interface when that interface is coupled to the Internet. Computers supporting Internet Protocol (IP) and other IP network nodes are identified by their IP addresses, and each network interface can support up to several thousand ports. To help manage security of a given network interface, a firewall may be employed for processing data arriving at individual ports. Some ports, such as those commonly used for HTTP protocol support, may be assigned or opened to allow traffic to pass through to a corresponding service, for example, one running on a web server that is configured to manage HTTP traffic. The firewall may close all other ports to restrict outside traffic from gaining access to the network.
A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. Such devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. Such a variety of devices may execute a myriad of different services and communication protocols, wherein each such service or communication protocol can expose the network to different security attacks.
Firewalls and intrusion detection systems are devices that are used to protect a computer network from unauthorized or disruptive users. A firewall can be used to secure a local area network (LAN) from users outside the network by checking, routing, and frequently labeling messages sent to or from users outside the network. An intrusion detection system (IDS) can be used to recognize suspicious patterns of behavior in a communication system, wherein examples of intrusion detection systems include a network intrusion detection system (NIDS) and a host intrusion detection system (HIDS). A NIDS can be used to examine information being communicated within a network to recognize suspicious patterns of behavior, whereas a HIDS can be used to examine information being communicated through a particular host computer within a network to recognize suspicious patterns of behavior. Information obtained by an IDS can be used to block unauthorized or disruptive users from accessing the network.
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Being a key technique in the network security domain, Intrusion Prevention Systems (IPSs) play a vital role in detecting various kinds of attacks and securing networks against such detected attacks. Another purpose of an IPS is to log evidence of intrusions within normal audit data. An IPS is an effective security technology that can detect, prevent and possibly react to an attack, wherein the IPS monitors the activities of target sources and employs various techniques for providing security services. An IPS may also gather evidence of an attacker's activity, remove the attacker's access to the network and reconfigure the network to resist the attacker's penetration technique and/or subsequent network access by the attacker.
Generally, firewalls, intrusion detection systems, or specific packet analyzers create log records across one or more sessions (source-destination interactions) that record information regarding packets associated with such sessions, wherein the log records can include details of requested or sent packets such as source IP address, destination IP address, timestamp, destination port and other details. Analysis of such packets, at run time, can help intrusion detection systems or other such tools in assessing whether a packet is an attack packet. To assist with post-attack analysis, some existing intrusion detection systems log one or more packets once an intrusion is detected; however, merely logging one or more packets received after the attack has been detected is not typically sufficient to aid those performing post-attack analysis in understanding the complete context of the attack, because the packets that preceded the detected one have already been discarded.
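The shortcoming described above, a detector that starts logging only after an alert fires and therefore loses the packets that led up to it, is easiest to see in code. The following is an added example written for this edit; it is not code from the patent or from any product it describes. It keeps a bounded ring of recent packets per session (keyed by source IP, destination IP and destination port, the fields the paragraph lists) and, when a detector flags a packet, persists that ring together with the triggering packet and a fixed number of follow-on packets. The `ContextLogger` class, the `traversal_signature` stand-in for an IDS signature, the session keys, depths and the sample trace are all constructed for illustration.

```python
"""Per-session pre-alert packet context capture (added example, not the patent's code)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

SessionKey = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class PacketRecord:
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str  # constructed one-line summary standing in for packet contents

    def session(self) -> SessionKey:
        return (self.src_ip, self.dst_ip, self.dst_port)


class ContextLogger:
    """Keeps the last `pre_depth` packets of every session; on an alert, captures
    them plus the trigger and the next `post_count` packets of that session."""

    def __init__(self, detector: Callable[[PacketRecord], bool],
                 pre_depth: int = 2, post_count: int = 2) -> None:
        self._detector = detector
        self._pre_depth = pre_depth
        self._post_count = post_count
        self._pre: Dict[SessionKey, Deque[PacketRecord]] = {}
        self._post_remaining: Dict[SessionKey, int] = {}
        self.captures: Dict[SessionKey, List[PacketRecord]] = {}

    def observe(self, pkt: PacketRecord) -> Optional[List[PacketRecord]]:
        """Feed one packet. Returns a copy of the captured context when this
        packet raises an alert, otherwise None."""
        key = pkt.session()
        if key in self._post_remaining:
            # Session already alerted: log only the agreed number of follow-on packets.
            if self._post_remaining[key] > 0:
                self.captures[key].append(pkt)
                self._post_remaining[key] -= 1
            return None
        ring = self._pre.setdefault(key, deque(maxlen=self._pre_depth))
        if self._detector(pkt):
            # Persist the pre-alert ring before it would be lost, then the trigger itself.
            context = list(ring) + [pkt]
            self.captures[key] = context
            self._post_remaining[key] = self._post_count
            del self._pre[key]  # a production logger would also expire idle sessions
            return list(context)
        ring.append(pkt)
        return None


def traversal_signature(pkt: PacketRecord) -> bool:
    """Constructed stand-in for an IDS signature: flag a directory-traversal sequence."""
    return "../" in pkt.payload


def run_sample() -> Tuple[Dict[SessionKey, List[PacketRecord]], List[PacketRecord]]:
    """Replay a constructed two-session trace; returns all captures and the
    context that was emitted at alert time."""
    a = ("198.51.100.7", "192.0.2.10", 80)   # session that triggers the alert
    b = ("203.0.113.9", "192.0.2.10", 80)    # benign session interleaved with it
    trace = [
        PacketRecord(1.0, *a, "GET /index.html"),
        PacketRecord(1.1, *b, "GET /index.html"),
        PacketRecord(1.2, *a, "GET /login"),
        PacketRecord(1.3, *a, "POST /login"),
        PacketRecord(1.4, *b, "GET /about"),
        PacketRecord(1.5, *a, "GET /../../private"),    # trigger
        PacketRecord(1.6, *a, "GET /images/logo.png"),
        PacketRecord(1.7, *b, "GET /contact"),
        PacketRecord(1.8, *a, "GET /robots.txt"),
        PacketRecord(1.9, *a, "GET /extra"),            # beyond post_count, not logged
    ]
    logger = ContextLogger(traversal_signature, pre_depth=2, post_count=2)
    alert_context: List[PacketRecord] = []
    for pkt in trace:
        ctx = logger.observe(pkt)
        if ctx is not None:
            alert_context = ctx
    return logger.captures, alert_context


if __name__ == "__main__":
    captures, ctx = run_sample()
    for key, packets in captures.items():
        print(key)
        for p in packets:
            print(f"  {p.ts:.1f} {p.payload}")
```

With `pre_depth=2`, the first packet of the alerting session has already rotated out of the ring by the time the trigger arrives, which is the trade-off the design makes: the ring bounds memory per session, and its depth decides how much lead-up an analyst later gets. The benign session never appears in the captures, because context is keyed per session rather than taken from a global packet stream.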