A known solution for intrusion detection is the so-called protocol analysis technique. Protocol analysis takes advantage of the known structure of communications protocols for tracking all connections in a protected network. For each connection the system retraces the application level flow and simulates the behaviour of a possible victim. An alarm is generated when the system detects the execution of operations that somehow violate or stress the nature of the used protocol. An intrusion detection system based on the protocol analysis technique is illustrated for example in document US2003/0004688A1. The system illustrated is quite complex, as the protocol analysis technique requires high processing power, moreover, in order to efficiently retrace the behaviour of all protected computers, it is necessary to have an exhaustive knowledge of the protected network.
Statistical analysis is another well-known technique used in intrusion detection systems. Such systems try to detect statistical anomalies, triggering an alarm when a deviation from statistical values is detected. Statistical values may include for example the number of connections simultaneously open, traffic activity to/from a particular computer, or the length in time of connections. While the computing power in such systems is not so critical, it is extremely elaborate to identify which parameters are really symptomatic for determining the status of the network and which kinds of variations are to be detected. An example of intrusion detection system based on statistical analysis is illustrated in document WO 02/45380.
A further technique commonly used in intrusion detection systems is the pattern matching technique, which tries to detect the presence of an attack signature in a network packet. Each packet on the network is searched for various attack signatures (an attack signature is a string or a group of bytes), comparing group of bytes taken from the packet in question with a plurality of known attack signatures.
Depending on the choice of detecting algorithm and the frequency with which it is applied, the pattern matching technique may become a performance bottleneck. The problem of streamlining pattern matching techniques is addressed for example in documents U.S. Pat. No. 5,179,632 and U.S. Pat. No. 5,495,409, which illustrate some methods, not expressly related to network intrusion detection systems, for increasing performances of pattern-matching systems.
An improved intrusion detection system is disclosed in U.S. Pat. No. 6,477,651, which illustrates a system having dynamically loaded signatures. The solution proposed simplifies the modification of the system to adapt to new network vulnerabilities, so that the system supports upgrades in a dynamic manner without shutting down the intrusion detection system.
A further attempt to improve reliability of intrusion detection systems based on pattern matching techniques is illustrated in document U.S. Pat. No. 6,499,107. The method disclosed comprises monitoring network data traffic and analysing such traffic for assessing network information; a plurality of analysis tasks are prioritised based upon the network information, the analysis tasks are performed on the monitored traffic in order to identify attacks upon the network. Each signature has therefore an associated priority value, such value is used by the system for regulating the actuation of the corresponding analysis task.
Such systems identify as an attack any data replicating a known signature, either if it corresponds effectively to an attempt of attacking a vulnerable computer or a service, or if it is directed to a destination that does not exist or that is however not sensitive to that kind of attacks, or even in case the match is caused by legitimate data somehow similar to a known attack signature.
As a consequence, intrusion detection systems based on pattern matching techniques are inclined to generate too many false positives, i.e. false alarm warnings. False positives occur when a byte string in a packet matches a pattern signature, but the string is in fact not an attack at all.
The Applicant has tackled the problem of reducing the number of false positives in an intrusion detection system based on pattern matching techniques.
The Applicant observes that the number of false positives can be sometimes so large that the system itself becomes unserviceable, hiding authentic alarms among thousands of useless warnings.
The Applicant is of the opinion that a conventional pattern matching intrusion detection system has no intelligence to determine the true meaning and the ultimate effect of a detected pattern, thus triggering an excessive number of false positives.
In view of the above, it is an object of the invention to provide an intrusion detection system, based on pattern matching techniques, which is able of filtering alarm warnings for a drastic reduction of false positives.