A significant problem facing the Internet community is that on-line businesses and organizations are vulnerable to malicious attacks. Recently, attacks have been committed using a wide arsenal of attack techniques and tools targeting both the information maintained by the on-line businesses and their IT infrastructure. For example, recently identified attacks were committed using a combination of attack techniques at the network and application levels. In most cases, various attacks have been executed simultaneously in order to conduct a successful attack campaign against the target. Attackers use different tools to execute different attack techniques. Each such attack tool is designed to exploit weaknesses identified in one of the target's defense layers.
The scale of recent attacks has also increased to include a multitude of infected machines and groups of organized attackers who take part in a coordinated attack campaign. Thus, it has become a significant challenge to secure on-line businesses and organizations against targeted attack campaigns.
There are many different security systems designed to identify and mitigate attacks. However, typically each solution is designed to protect a single layer of the protected entity. For example, anti-virus programs may protect against attacks in the form of viruses, worms, and/or Trojan horses. However, anti-virus programs cannot be effective against network-type attacks, such as denial-of-service (DoS) attacks, system intrusions, and the like, which are typically handled by firewalls, intrusion prevention systems (IPS), or network appliances.
Most security systems detect attacks based on predefined patterns. The pattern may be related to the attack (e.g., a signature), to the behavior of the protected entity (e.g., a normal request rate, incoming and outgoing traffic attributes, etc.), and/or to the behavior of the attack tool. Typically, a security system is configured with one or more policies, each of which defines a detection attack pattern and a mitigation action to be performed once a potential attack has been identified. For example, an attack pattern for detecting a DoS attack may be based on the average packet rate of incoming traffic, while the mitigation action would be to drop incoming packets.
The disadvantage of this approach is that the security systems are limited to a "one-dimensional" policy or attack rule. That is, currently available security systems, in most cases, take into consideration only the detection attack pattern, without correlation to other inputs that could be utilized for better detection. Some security solutions consider attack patterns relative to the normal behavior of the protected entity (e.g., a web application, a server) and to the properties of the attacks. However, the major drawback of existing security solutions is that the detection and mitigation of attacks are not based on the attack tools that generated the attack and their operational limitations (weaknesses). As a result, existing security solutions do not provide any means for executing mitigation actions against the attack tools that generated the attack so as to exploit the operational limitations of such tools.
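The two preceding paragraphs describe a policy as a detection pattern paired with a mitigation action, and contrast a "one-dimensional" rate rule with detection that correlates several inputs. The following example, added here and not taken from the patent text, shows both in working code: a single-threshold DoS policy beside a policy that correlates the packet rate with the protected entity's learned baseline and with incoming traffic attributes. The thresholds, the `TrafficWindow` fields, and the sample observation windows are all constructed assumptions chosen for illustration.

```python
"""Added illustration: one-dimensional vs. multi-dimensional DoS policy.
All thresholds, field names and sample windows are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class TrafficWindow:
    """Aggregate attributes of incoming traffic during one observation window."""
    packets_per_sec: float
    distinct_sources: int
    avg_payload_bytes: float
    request_error_rate: float  # share of requests the server answered with an error


# ---- one-dimensional policy: one detection pattern, one mitigation action ----
PACKET_RATE_THRESHOLD = 10_000.0  # hypothetical fixed threshold


def one_dimensional_policy(window: TrafficWindow) -> str:
    """Detection pattern = average packet rate; mitigation = drop incoming packets."""
    if window.packets_per_sec > PACKET_RATE_THRESHOLD:
        return "drop_incoming"
    return "allow"


# ---- multi-dimensional policy: rate correlated with baseline and attributes ----
def learn_baseline(history: Iterable[TrafficWindow]) -> TrafficWindow:
    """Normal behavior of the protected entity, taken as the mean of past windows."""
    hist = list(history)
    return TrafficWindow(
        packets_per_sec=mean(w.packets_per_sec for w in hist),
        distinct_sources=round(mean(w.distinct_sources for w in hist)),
        avg_payload_bytes=mean(w.avg_payload_bytes for w in hist),
        request_error_rate=mean(w.request_error_rate for w in hist),
    )


def multi_dimensional_policy(window: TrafficWindow,
                             baseline: TrafficWindow) -> Tuple[str, FrozenSet[str]]:
    """Combine a rate deviation with corroborating traffic attributes before acting.

    Returns the chosen mitigation action and the set of signals that fired.
    """
    signals = set()
    if window.packets_per_sec > 2.5 * baseline.packets_per_sec:
        signals.add("rate_spike")
    if window.avg_payload_bytes < 0.25 * baseline.avg_payload_bytes:
        signals.add("small_payloads")
    if window.request_error_rate > 10 * max(baseline.request_error_rate, 0.001):
        signals.add("error_surge")
    if window.distinct_sources < 0.5 * baseline.distinct_sources:
        signals.add("few_sources")

    corroborating = signals - {"rate_spike"}
    if "rate_spike" in signals and len(corroborating) >= 2:
        # Rate spike plus abnormal traffic attributes: treat as a flood and drop.
        return "drop_incoming", frozenset(signals)
    if "rate_spike" in signals:
        # Rate alone, with otherwise normal attributes, may be legitimate demand
        # (a flash crowd): throttle instead of dropping everything.
        return "rate_limit", frozenset(signals)
    return "allow", frozenset(signals)


# ---- constructed sample data ----
HISTORY = [
    TrafficWindow(780.0, 110, 920.0, 0.010),
    TrafficWindow(820.0, 130, 880.0, 0.012),
    TrafficWindow(800.0, 120, 900.0, 0.011),
]
NORMAL = TrafficWindow(800.0, 120, 900.0, 0.010)
FLASH_CROWD = TrafficWindow(12_000.0, 9_000, 880.0, 0.020)   # many real clients
FLOOD = TrafficWindow(12_000.0, 40, 60.0, 0.600)              # few sources, tiny packets
LOW_RATE_FLOOD = TrafficWindow(2_500.0, 30, 70.0, 0.550)      # under the fixed threshold


if __name__ == "__main__":
    baseline = learn_baseline(HISTORY)
    for name, w in [("normal", NORMAL), ("flash crowd", FLASH_CROWD),
                    ("flood", FLOOD), ("low-rate flood", LOW_RATE_FLOOD)]:
        print(f"{name:15s} one-dim={one_dimensional_policy(w):14s} "
              f"multi-dim={multi_dimensional_policy(w, baseline)}")
```

The fixed-threshold rule drops the flash crowd and misses the low-rate flood, whereas the correlated policy throttles the first and drops the second, which is the kind of distinction the single-pattern approach cannot make.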
Thus, in today's environment, where large-scale attack campaigns are targeted against on-line businesses and organizations, existing security solutions may not be effective for mitigating attack campaigns.
It would therefore be advantageous to provide a security solution for detecting and mitigating attacks based on a multi-dimensional policy. It would be further advantageous if the proposed security solution could mitigate attacks based on the tool that generated the attacks, by exploiting the tool's operational limitations.