Global networking of computers has greatly affected business. As the number of computers linked to networks grows, businesses increasingly rely on networks to interact. More and more people use electronic mail, websites, various file transfer methods, and remote office applications, among other types of software, to facilitate business transactions and perform job related tasks.
These applications and uses still rely on early network addressing technologies and flow control protocols to transmit data packets across networks. For example, the Internet Protocol (IP) is an addressing protocol for referencing remote devices on a network. The protocol is implemented to include a packet header that contains bits representing an address of the source, an address of the target, and various other parameters associated with the packet. The Address Resolution Protocol (ARP) is used to reconcile physical addresses on local segments of a network with IP addresses. Other protocols are used for flow control including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). These protocols may be used to control the flow of packets across a network (e.g., between different network segments) including subdividing and reassembling the packets. TCP also includes methods for verifying the arrival of a packet. Other protocols include Internet Control Message Protocol (ICMP), Internetwork Packet Exchange (IPX), NetBios, and ARP, among others. Historically, these protocols were designed for use on a trusted network and as such do not include many security features. To address this problem, newer protocols are designed to include some security measures. However, at present, the global Internet and many local area networks predominantly use older protocols with various vulnerabilities.
Hackers and malfeasants take advantage of the weaknesses in these protocols to disrupt, infiltrate, or destroy networked devices. These attacks include worms, viruses, denial-of-service, and infiltration attacks, among others. Worms are self-replicating programs that infect computers. In some cases, these worms take advantage of the trusting relationships between computers to infiltrate a network and send network data to the attacker. Viruses infect files and utilize vulnerabilities of programs that interpret the files to propagate. A virus may also function to erase data. Denial-of-services attacks often limit the network activity of a target computer by inundating the target with requests or messages. In one example, an attacking computer or set of computers may send a plethora of low level pings to the target device. If the pings include a non-existent return address, the target machine could send a response message and pause over a timeout period for a response. In attempting to respond to the pings, the machine effectively denies network access to other applications.
Infiltrating attacks often circumvent password security and gain access to files. Once the attacker has accessed the network, the attacker may steal private information such as credit card or social security numbers. Moreover, the attacker may damage valuable data, install a worm or spying program, or install programs to utilize computational capacity.
Hackers use various tools and methodologies to discover vulnerable devices and interact with them. These tools include address scanners, port scanners, worms, and packet formulation programs, among others. For example, a hacker may send reconnaissance packets to a local network segment in search of a computer or device. Once a device is found, the hacker may scan the ports on the device in search of a vulnerable port.
Several approaches exist for protection against hackers. Typically, these protections are defensive shield-like methods. The most common are firewalls, intrusion detection systems (IDS), and anti-virus software. Firewalls are devices typically placed as shields between a local network and the global network. Firewalls are the most common form of network protection. They perform their function by limiting communication between the local network and global network in accordance with various filters and rules. Typically, network traffic is either blocked or permitted based on rules regarding protocols, addressing, and port number. These filters are infrequently changed and can unintentionally encumber certain permissible network traffic while permitting unwanted traffic. Furthermore, firewalls stop traffic from entering the network but do not operate within the interior of the network to prevent unwanted traffic from being disseminated.
Intrusion detection systems detect intrusions or attacks and report these attacks to network security. The systems predominantly use packet signatures to evaluate packets after the packets have entered the network. However, these systems have been shown to be unreliable as they can generate false positive results. Often, the systems require evaluation of the contents of a packet, a time-consuming process that can hinder network communication. Furthermore, to detect a threat, each packet passing through the network may need to be evaluated before an attack can be detected. In addition, these systems may not detect packets with signatures that are not found in their signature database, resulting in false negatives as well. Moreover, these systems often present the data to network security in a format that prevents timely response to threats.
Similarly, anti-virus software typically relies on file signatures to detect viruses. As such, frequent updates are required to maintain a current database of virus signatures. If an undocumented virus enters the network, the anti-virus software will likely fail. Furthermore, most anti-virus software resides on each host machine within the network. If the anti-virus software can be defeated by an attack on one host machine, every instance of the anti-virus software on every host machine can be defeated.
Many network security systems suffer from deficiencies in detecting and preventing attacks on a network. Many other problems and disadvantages of the prior art will become apparent to one skilled in the art of network security systems after comparing such prior art with the present invention as described herein.