The phenomenal growth of data networking has presented communication service providers with the continual challenge of responding to millions of customers' demands for secure, reliable, and fast access to their networks. Such demands are particularly onerous when the customers (e.g., major corporations) utilize or interact with a number of geographically dispersed networks (i.e., an enterprise network). For example, corporate users interact closely with other business partners in their regular conduct of business, and thus the networks of these business partners require a certain level of reliability and security as well. Satisfying these demands is imperative to maintaining a competitive edge in an intensely competitive market. To further intensify the challenge of supplying fast and reliable communication services, service providers and their customers are frequently victims of various types of security threats that negatively impact service availability. Conventional approaches to addressing security have been unsatisfactory, in part because network attacks are seldom isolated to a particular local network but can be coordinated across the entire enterprise network, and in part because false positives cause precious network resources to be wasted.
FIG. 9 is a diagram of a conventional system for detecting network intrusions across an enterprise network. As seen in the figure, a customer, such as a large business, has an enterprise network 900 that spans a number of sites A, B, C, and D, which operate respective local networks 901, 903, 905, and 907. Traditionally, these local networks 901, 903, 905, and 907 are managed locally using local network management systems (NMSs) 909, 911, 913, and 915 that are seldom integrated for monitoring and analysis of network events across the entire network 900. That is, these NMSs 909, 911, 913, and 915 are traditionally isolated, sharing little information on security threats. This lack of coordination becomes particularly evident when the collective network events are numerous; in a typical enterprise network 900, the number of events can total in the tens to hundreds of millions. Under such an arrangement, an intruder 917 can readily mask its attack on the enterprise network by initiating false attacks on site A while the true attack is directed at the local network 905 of site C.
For instance, the intruder 917 can launch a denial-of-service (DoS) attack in site A to impact site C. A DoS attack is initiated to deliberately interfere with or disrupt a customer's datagram delivery service. One type of DoS attack is a packet flood attack, which provides constant and rapid transmission of packets to the victim computing system. The flood attack overwhelms the victim's connection. Examples of packet flood attacks specific to Unreliable Datagram Delivery Service Networks utilizing IP (Internet Protocol) include ICMP (Internet Control Message Protocol) flood, “SMURF” (or Directed Broadcast Amplified ICMP Flood), “Fraggle” (or Directed Broadcast UDP (User Datagram Protocol) Echo Flood), and TCP (Transmission Control Protocol) SYN flood. These attacks effectively prevent the subscribers from communicating with other hosts; in some circumstances, the effects of these attacks may cause a victim host to freeze, thereby requiring a system reboot. In addition to being a nuisance, a system freeze can result in loss of data if precautions were not taken in advance.
In response to the attacks of the intruder 917, the NMS 909 of site A may effectively shut down the communication interface and/or network elements responsible for connecting to site C. Accordingly, the NMS 909 of site A may unknowingly believe it has nullified the attack, when in fact, site C is negatively impacted. The NMS 913 of site C is unaware that site A has encountered attacks from the intruder 917, and therefore, cannot properly respond to the loss of connectivity to site A.
Further, the conventional security mechanisms of the sites A, B, C, and D, such as intrusion detection systems and firewalls, can be ineffective against certain types of attacks. For example, an attack by the intruder 917 that is carried out slowly over a long period may go unnoticed. Additionally, traditional intrusion detection systems are purely signature-based. Consequently, new attacks for which no signature has been developed will go undetected until the subject signature is created.
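The failure mode described above (isolated NMSs each rating only their own site's events over a short window, so a noisy decoy at site A is flagged while a slow stream against site C is not) can be illustrated with a small correlation exercise. The following is an added example, not code from the patent; the event records, addresses, sites, window sizes and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as each site's NMS might log them:
# (timestamp, reporting_site, source_address, target_site, event_type)
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = (
    # noisy decoy flood at site A: 30 ICMP echo events within 30 seconds
    [(T0 + timedelta(seconds=i), "A", "198.51.100.7", "A", "icmp_echo") for i in range(30)]
    # slow stream against site C from the same source: one SYN every 5 minutes for 2 hours
    + [(T0 + timedelta(minutes=5 * i), "C", "198.51.100.7", "C", "tcp_syn") for i in range(24)]
    # a little benign traffic at site B
    + [(T0 + timedelta(minutes=i), "B", "10.1.0.5", "B", "tcp_syn") for i in range(3)]
)


def _max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def per_site_alerts(events, window=timedelta(minutes=1), threshold=20):
    """Isolated NMS view: each site rates only its own events over a short window.
    Returns the set of sites that would raise an alert on their own."""
    by_site = defaultdict(list)
    for ts, site, _src, _tgt, _ev in events:
        by_site[site].append(ts)
    return {site for site, tss in by_site.items() if _max_in_window(tss, window) >= threshold}


def enterprise_alerts(events, window=timedelta(hours=2), threshold=20):
    """Enterprise-wide view: pool every site's feed and correlate by source address over a
    long window, so a slow stream still accumulates and the full list of target sites is seen.
    Returns {source: [target sites]} for sources over threshold."""
    by_src = defaultdict(list)
    for ts, _site, src, tgt, _ev in events:
        by_src[src].append((ts, tgt))
    alerts = {}
    for src, items in by_src.items():
        if _max_in_window([t for t, _ in items], window) >= threshold:
            alerts[src] = sorted({tgt for _, tgt in items})
    return alerts
```

With these constructed inputs the per-site check flags only site A, while the pooled view attributes both A and C to the same source; the rate-based check is also independent of any attack signature.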
Another drawback of conventional security systems for detecting anomalous events is that they are expensive to maintain and operate, given the continual introduction of new threats. Accordingly, customers look to service providers to offer a managed service, thereby eliminating the need to purchase the necessary hardware and software platforms and to retain the associated personnel. However, attempts to provide managed security services have traditionally been manually intensive with respect to provisioning and installation.
Therefore, there is a need for detecting and resolving network security attacks across the entire enterprise network. There is also a need for a near real-time security mechanism that can protect against novel attacks and slow attacks. There is a further need to provide a security approach that can be easily deployed as a managed service.