1. Field of the Invention
This invention generally relates to the field of computer security and more specifically to secure initialization of a computer intrusion detection system.
2. Description of Related Art
For over two decades, consumers have been using computers to conduct business, organize their lives and access information. Further, users today use the Web to do their banking, make stock trades, review their personal medical information and perform other tasks involving sensitive data. As the popularity of the Internet increases, consumers are increasingly maintaining network connectivity. In order to protect consumers' sensitive data, computer intrusion detection systems have risen in popularity as a way to protect confidential information.
Typically, anomaly-based intrusion detection systems are least reliable and most vulnerable during the initial stages of their deployment, i.e., the bootstrapping stage. In this stage, the intrusion detection system typically has to monitor the behavior of a computer system to learn what activities are normal for the system. Once the intrusion detection system (IDS) learns the normal behavior of the computer system, the IDS can identify deviations from that normal behavior that might signal intrusions. The IDS is often unreliable during bootstrapping because it yields a high rate of false positives. Many systems even suppress alarms during the learning period since they are so unreliable. Also, the IDS is vulnerable to mistakenly treating an intrusion as normal behavior if the system has been compromised prior to the bootstrapping phase of the IDS. If an IDS treats an intrusion as normal behavior, then it will be blind to that intrusion and will allow it to continue undetected.
The problem with current solutions to intrusion detection is that they use methods that either do not reduce false positives effectively or introduce trust requirements that are unnecessary. One solution is to suppress false alarms during an initial training phase on the monitored computer system. However, this basically means the computer system is not protected during the bootstrapping phase. Such a solution amounts to simply ignoring the problem rather than solving it. Another solution is to quarantine the protected computer system during the bootstrapping phase. This solution attempts to prevent the IDS from learning from a compromised computer system. However, it is often difficult and costly to quarantine a computer system. Also, the quarantined environment usually deviates significantly from the computer system's production environment. Thus, any learning that the IDS achieves during such a quarantine is of limited usability and the false alarm rate may remain high once the computer system is placed into production. Further, the quarantine method requires trusting the quarantine, which introduces another obstacle.
Therefore, a need exists to overcome the problems discussed above, and particularly for a way to bootstrap intrusion detection systems more securely.
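As an added illustration (not part of the patent text), the following toy frequency-based anomaly detector shows the two bootstrapping failures described above: every first-seen event during learning raises a false alarm, and any activity present in the learning window, including a pre-existing compromise, is learned as normal and thereafter goes undetected. All event names and event streams are constructed for the example.

```python
from collections import Counter

# Constructed sample event streams (process names are hypothetical).
CLEAN_BASELINE = ["sshd", "cron", "httpd", "httpd", "postfix", "cron", "httpd"]
# Same host, but compromised before the IDS started learning.
COMPROMISED_BASELINE = CLEAN_BASELINE + ["malicious_proc", "httpd"]
# Production activity after bootstrapping: one benign new job, one intrusion.
PRODUCTION = ["httpd", "cron", "malicious_proc", "httpd", "backup_job"]


class FrequencyIDS:
    """Minimal anomaly detector: an event is anomalous if never seen while learning."""

    def __init__(self):
        self.counts = Counter()

    def learn(self, events):
        self.counts.update(events)

    def is_anomaly(self, event):
        return self.counts[event] == 0

    def scan(self, events):
        return [e for e in events if self.is_anomaly(e)]


def alerts_during_learning(events):
    """Online bootstrapping: each event is judged against what was seen so far,
    then learned. Every first occurrence is an alert, so alerts raised early in
    the learning period are dominated by false positives on benign activity."""
    ids = FrequencyIDS()
    alerts = []
    for e in events:
        if ids.is_anomaly(e):
            alerts.append(e)
        ids.learn([e])
    return alerts


def bootstrap_and_scan(learning_window, production):
    """Learn from a bootstrapping window, then scan production events.
    If the window already contains the intrusion, the IDS is blind to it."""
    ids = FrequencyIDS()
    ids.learn(learning_window)
    return ids.scan(production)


if __name__ == "__main__":
    print("learning-phase alerts:", alerts_during_learning(CLEAN_BASELINE))
    print("clean bootstrap      :", bootstrap_and_scan(CLEAN_BASELINE, PRODUCTION))
    print("poisoned bootstrap   :", bootstrap_and_scan(COMPROMISED_BASELINE, PRODUCTION))
```

With the clean window the detector flags both the intrusion and the benign new job (a true positive and a false positive), while with the compromised window it flags only the benign job and never the intrusion.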