1. Field of the Invention
The present invention relates to providing security in networked computer systems. More specifically, the present invention relates to a method and an apparatus that provide policy-driven intrusion detection for a large-scale networked computer system.
2. Related Art
As computers become more interconnected, it is becoming increasingly harder to safeguard computer systems from attacks launched across computer networks. Existing intrusion detection techniques can detect attacks on individual hosts and small computer networks. However, as intrusion detection techniques have become more advanced, attackers have correspondingly grown more sophisticated. Attackers can make use of network connectivity to launch large-scale coordinated attacks from different locations on a network using different identities. In order to detect such large-scale coordinated attacks, intrusion detection systems need to be able to correlate massive amounts of information gathered from a large number of geographically distributed heterogeneous sources.
Unfortunately, existing intrusion detection systems (IDSs) do not correlate information effectively, or do so in an ad hoc manner. Existing IDSs typically do not provide tools for specifying policies, or if they do, the tools are very labor-intensive and tedious. Policies are typically implemented by manually configuring each computer system on a network to enforce the policy. This makes it hard to ensure that each computer system is configured to enforce a specific policy.
Furthermore, existing IDSs do not scale well. A single centralized global security analyzer that receives data from numerous locations on a large network can quickly become overwhelmed with too much data during a massive large-scale attack.
Hence, what is needed is a method and an apparatus that allows intrusion detection policies to be specified at a global level, and to be automatically propagated to individual computer systems in a network, so that the individual computer systems are configured to implement the policy.
Additionally, what is needed is a method and an apparatus that decentralizes control over a global policy so that a centralized global policy analyzer does not become overwhelmed with too much data.
Another problem in propagating a policy across a large network is that the individual computer systems that are coupled together by the network are typically heterogeneous. Consequently, it may be necessary to communicate with each different type of computer system in a different way.
Hence, what is needed is a method and an apparatus that allows configuration information and other types of information related to network security and intrusion detection to be communicated in a form that can be interpreted across a variety of different computing platforms.
One embodiment of the present invention provides a policy-driven intrusion detection system for a networked computer system. This system operates by receiving a global policy for intrusion detection for the networked computer system. This global policy specifies rules in the form of a global security condition for the networked computer system and a global response to be performed in response to the global security condition. The system compiles the global policy into local policies for local regions of the networked computer system. Each local policy specifies at least one rule in the form of a local security condition for an associated local region of the networked computer system and a local response to be performed in response to the local security condition. The system communicates the local policies to local analyzers that control security for the local regions. A local analyzer compiles a local policy into specifiers for local sensors in the local region associated with the local analyzer. These specifiers are communicated to the local computer systems in the local region, which allows the local computer systems to implement the local sensors.
In one embodiment of the present invention, each specifier for each local sensor specifies at least one security condition and at least one security response.
In one embodiment of the present invention, the system additionally receives security information specifying the local security condition at the local analyzer from the local sensors. The system uses the local policy to determine the local response to the local security condition, and sends information specifying the local response to the local sensors. Note that this local response can specify different responses for each of the local sensors.
In one embodiment of the present invention, the system additionally receives security information specifying the local security condition at the local analyzer from the local sensors, and sends information specifying the local security condition to a global analyzer, which facilitates enforcement of the global policy.
In one embodiment of the present invention, the system additionally receives security information at a global analyzer from the local analyzers. This security information specifies the global security condition. The system uses the global policy to determine the global response to the global security condition, and sends information specifying the global response from the global analyzer to the local analyzers.
In one embodiment of the present invention, the global response can specify different local responses for each of the local analyzers.
In one embodiment of the present invention, the local response can specify one of: terminating an intruding process, denying an intrusive operation, and filtering accesses to a computer system.
In one embodiment of the present invention, the specifiers for the local sensors are communicated in a platform-independent description language.
In one embodiment of the present invention, the global policy is received from a network security coordinator.
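The following is an added illustration of the hierarchy described in the embodiments above (global policy compiled into local policies, local policies compiled into sensor specifiers, security information flowing back up, and responses flowing down); it is not code from the patent. The region and host names, the JSON policy and specifier format, the documentation-range source addresses, and the compilation heuristic (an even split of a global count threshold across regions) are all assumptions made for the example. The scenario is a constructed coordinated attack in which one source spreads failed logins across two regions so that neither local analyzer alone sees the global threshold:

```python
"""Toy policy-driven IDS hierarchy: global analyzer -> local analyzers -> host sensors.
Added illustration; names, policy format and the compilation heuristic are assumptions."""
import json
import math
from collections import Counter, defaultdict

# Constructed topology (hypothetical region and host names).
REGIONS = {
    "region-east": ["east-1", "east-2"],
    "region-west": ["west-1", "west-2", "west-3"],
}

# Global policy: each rule pairs a global security condition with a global response.
GLOBAL_POLICY = [{
    "condition": {"event": "failed_login", "group_by": "src", "threshold": 12},
    "response": {"action": "filter", "scope": "global"},
}]


def compile_global_policy(global_policy, regions):
    """Compile global rules into one local policy per region. Assumed strategy: the global
    count threshold is split evenly across regions; each local rule denies the operation in
    its region once its share is reached and escalates the observation to the global analyzer."""
    local_policies = {}
    for region in regions:
        local_policies[region] = [{
            "condition": {**rule["condition"],
                          "threshold": math.ceil(rule["condition"]["threshold"] / len(regions))},
            "response": {"action": "deny", "scope": "local", "escalate": True},
        } for rule in global_policy]
    return local_policies


def compile_local_policy(local_policy, hosts):
    """Compile a local policy into one sensor specifier per host. Specifiers are serialised
    as JSON so heterogeneous hosts can interpret the same platform-independent description."""
    return {host: json.dumps({
        "host": host,
        "sensors": [{"condition": {"event": rule["condition"]["event"]},
                     "response": {"action": "report", "fields": [rule["condition"]["group_by"]]}}
                    for rule in local_policy],
    }, sort_keys=True) for host in hosts}


def parse_specifier(spec):
    """Host side: turn the platform-independent specifier back into a sensor configuration."""
    return json.loads(spec)


class GlobalAnalyzer:
    def __init__(self, global_policy, regions):
        self.policy, self.regions = global_policy, list(regions)
        self.reported = {}                   # (region, event, src) -> latest count from that region
        self.responses = defaultdict(list)   # region -> global responses sent to that analyzer
        self.decided = set()                 # (event, src) pairs already responded to

    def report(self, region, event, src, count):
        """Security information from a local analyzer: the local condition it observed."""
        self.reported[(region, event, src)] = count
        total = sum(c for (_, e, s), c in self.reported.items() if (e, s) == (event, src))
        for rule in self.policy:
            cond = rule["condition"]
            if cond["event"] == event and total >= cond["threshold"] and (event, src) not in self.decided:
                self.decided.add((event, src))
                # The global response differs per local analyzer: the region that tipped the
                # threshold terminates the intruding session, every other region filters the source.
                for r in self.regions:
                    action = "terminate" if r == region else rule["response"]["action"]
                    self.responses[r].append({"action": action, "src": src})


class LocalAnalyzer:
    def __init__(self, region, local_policy, global_analyzer):
        self.region, self.policy, self.global_analyzer = region, local_policy, global_analyzer
        self.counts = Counter()       # (event, src) -> events seen in this region
        self.sensor_responses = []    # responses sent back to individual sensors

    def receive(self, host, event, src):
        """Security information from a sensor on `host`; apply the local policy to decide the response."""
        self.counts[(event, src)] += 1
        for rule in self.policy:
            cond, resp = rule["condition"], rule["response"]
            if cond["event"] == event and self.counts[(event, src)] >= cond["threshold"]:
                self.sensor_responses.append({"host": host, "action": resp["action"], "src": src})
                if resp.get("escalate"):
                    self.global_analyzer.report(self.region, event, src, self.counts[(event, src)])


def run_scenario():
    """Constructed attack: one source spreads failed logins over both regions so that no region
    alone sees the global threshold; only correlation at the global analyzer reveals it."""
    local_policies = compile_global_policy(GLOBAL_POLICY, REGIONS)
    specifiers = {r: compile_local_policy(local_policies[r], hosts) for r, hosts in REGIONS.items()}
    ga = GlobalAnalyzer(GLOBAL_POLICY, REGIONS)
    las = {r: LocalAnalyzer(r, local_policies[r], ga) for r in REGIONS}
    attacker, benign = "203.0.113.7", "198.51.100.4"     # documentation-range addresses
    events = ([("region-east", "east-1", attacker)] * 6 + [("region-east", "east-2", benign)] * 3
              + [("region-west", "west-3", attacker)] * 6)
    for region, host, src in events:
        las[region].receive(host, "failed_login", src)
    return {"local_policies": local_policies, "specifiers": specifiers,
            "local_responses": {r: la.sensor_responses for r, la in las.items()},
            "global_responses": dict(ga.responses)}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Two points of the design are worth noting. Each local analyzer decides and acts on its own share of the condition, so the global analyzer only receives one escalation per region rather than every sensor event, which is the decentralization the embodiments call for. And because the specifiers are plain JSON, a host of any platform needs only a parser for the description language, not knowledge of the analyzers' internals.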