1. Field of the Invention
The present invention relates generally to computer network attacks, and more particularly to detecting low and slow probes.
2. Description of Related Art
A variety of attacks on computer networks have been documented. Most attacks were characterized by a source, a target, and a type. Various security management systems have been developed to assist in the recognition of attacks, e.g., the identification of the type of attack. Typically, log data from firewalls and intrusion detection systems (IDSs) were stored for subsequent analysis and use.
Sometimes, before the log data were stored, attempts were made to correlate events in the log data to assist in identifying, for example, an attack, the start of an attack, or anomalous events that could indicate the gathering of information for a subsequent, different type of attack. One particularly troublesome attack was referred to as a low and slow reconnaissance-gathering attack or probe.
The purpose of the low and slow probe was to avoid detection by the security management systems, the intrusion detection systems and/or the firewalls. Typically, in a low and slow probe, network accesses were widely separated in time. The time periods between accesses were selected so as to be statistically insignificant to a security system based on collecting data.
Rule-based methods and search-based methods were used in correlation techniques to identify low and slow probes. Unfortunately, some correlation techniques required intensive amounts of memory for storage and analysis. These techniques were also error-prone due to the high volume of event traffic versus the long periods between accesses.
Efforts by intrusion detection system (IDS) vendors to reduce false positives have resulted in signatures that are not likely to match the sparse events associated with low and slow probes. Thus, such events are not categorized, or even noticed, by most IDSs.
Finding rare occurrences of host addresses and network addresses on an intranet can be done by brute force. For example, all the log data can be collected in an indexed data store. A series of queries can be used on the indexed data store to find addresses that occur in the indexed data store within a given window, e.g., more than two times but less than 100 times.
For this approach to be successful, network addresses that do not exist must be searched for one by one. Consequently, using an indexed data store of log data is search intensive and relies on all the data being collected prior to the search. In general, this approach does not perform well and is not useful for real time display.
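As an added illustration of the brute-force approach just described (this is example code, not part of the patent text), the following Python script loads constructed sample log lines into an in-memory index keyed by source address, queries that index for sources seen more than two but fewer than 100 times inside a one-week window, and then checks every address of a monitored range that is not a known live host, one address at a time. The log line format, the addresses, the count thresholds as defaults, and the live-host list are all assumptions of the example.

```python
"""Brute-force search over indexed log data for rarely seen source
addresses and for contacts with unused destination addresses.

Added example, not code from the patent text. All log lines, addresses
and the live-host list below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_sample_log():
    """Constructed connection-log lines covering one week (not real traffic).

    Three kinds of source behaviour:
      * 192.0.2.10 - a low and slow probe: one connection per day for 5 days
      * 192.0.2.20 - a noisy scanner: 150 connections within one hour
      * 192.0.2.30 - an ordinary host: two connections in the whole week
    Line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
    """
    base = datetime(2024, 1, 1)
    lines = []
    for day in range(5):
        ts = base + timedelta(days=day, hours=3)
        lines.append(f"{ts.isoformat()} 192.0.2.10 -> 198.51.100.5:22")
    for i in range(150):
        ts = base + timedelta(days=2, seconds=24 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.20 -> 198.51.100.{i + 1}:80")
    for day in (1, 4):
        ts = base + timedelta(days=day, hours=12)
        lines.append(f"{ts.isoformat()} 192.0.2.30 -> 198.51.100.7:443")
    lines.sort()  # ISO timestamps sort correctly as strings
    return lines


def build_indexes(lines):
    """Return (src_index, dst_counts): src -> sorted datetimes, dst -> hit count."""
    src_index = defaultdict(list)
    dst_counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # skip malformed lines instead of aborting the whole load
        src_index[parts[1]].append(datetime.fromisoformat(parts[0]))
        dst_counts[parts[3].rsplit(":", 1)[0]] += 1
    for times in src_index.values():
        times.sort()
    return src_index, dst_counts


def rare_sources(src_index, window_start, window_end, min_count=3, max_count=99):
    """Sources seen between min_count and max_count times (inclusive) in the window.

    The defaults encode "more than two times but less than 100 times".
    """
    hits = {}
    for src, times in src_index.items():
        n = sum(1 for t in times if window_start <= t < window_end)
        if min_count <= n <= max_count:
            hits[src] = n
    return hits


def probed_unused_addresses(dst_counts, network, live_hosts):
    """One-by-one lookup of every address in `network` that is not a live host.

    Returns {address: hit_count} for unused addresses that appear in the log.
    The loop visits every address in the range, which is what makes the
    approach search-intensive on larger address spaces.
    """
    live = set(live_hosts)
    found = {}
    for addr in ipaddress.ip_network(network).hosts():
        a = str(addr)
        if a in live:
            continue
        n = dst_counts.get(a, 0)
        if n:
            found[a] = n
    return found


def demo():
    """Run both queries over the constructed week of log data."""
    src_index, dst_counts = build_indexes(build_sample_log())
    start, end = datetime(2024, 1, 1), datetime(2024, 1, 8)
    rare = rare_sources(src_index, start, end)
    probed = probed_unused_addresses(
        dst_counts, "198.51.100.0/24", ["198.51.100.5", "198.51.100.7"])
    return rare, probed


if __name__ == "__main__":
    rare, probed = demo()
    print("rare sources:", rare)
    print(f"{len(probed)} unused addresses were contacted")
```

Only 192.0.2.10 is returned by the rare-source query: the scanner exceeds the upper bound and the ordinary host falls below the lower bound. The low and slow source surfaces only because the entire week of data was already loaded before the query ran, which is the dependence on prior collection, and the resulting unsuitability for real-time display, that the text points out.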
Also, if all packet data on a 100 MBit switched network working at 33% utilization is stored, 4.125 MB of storage per second are required. After 10 minutes, 2,475 MB are needed, or 14.85 GB per hour. Thus, saving raw packet data for subsequent analysis requires prohibitive amounts of storage. Detection of a low and slow attack that spans several weeks would require several weeks of raw packet data. Even with today's cheap mass storage, several weeks of raw packet data would occupy an inordinate amount of storage and would take an inordinate amount of computing power to sort through.
So-called “low and slow attacks” usually refer to reconnaissance in preparation for attacks. Source addresses that appear intermittently over long time periods, so as to be statistically insignificant to a log-analysis-based security system, may not be identified. One possible reason for such packets on the network is probing for the presence of a particular service or for the particular address ranges in use, in other words, network reconnaissance. For example, see the description of the Mitnick attack in Stephen Northcutt and Judy Novak, Network Intrusion Detection, An Analyst's Handbook, Second Edition, Chapter 7, “Mitnick Attack,” New Riders, Indianapolis, Ind., pp. 107-123 (2001).
To determine whether a low and slow attack has occurred, or is occurring, it is necessary to determine the purpose of the low-frequency intrusions on the network. However, before the purpose of the low-frequency intrusions can be analyzed, the low-frequency intrusions must be reliably identified.