It has become common in recent years for businesses to connect their computers through an internal network. This network allows each individual computer to communicate with the other computers in the business, allowing data to be quickly and easily transmitted from one employee to another. As many of these businesses have found, this can result in substantial financial savings due to increased efficiency. As these same businesses may have also discovered, however, this solution is not without its problems.
The primary concern for many businesses is that the business' network is vulnerable to breach by unwanted intruders, or “hackers.” In some cases, hackers attempt to invade systems to gain access to files, such as confidential code or other proprietary information. In other cases, hackers enter systems with malicious intent and attempt to plant corrupt data on the system, such as a computer virus. In both cases, the attack is much easier if the network is connected to the Internet or another external network. No matter the reason, hackers are never desired in a network environment because, after gaining access to a single machine, it is generally fairly simple to access all other machines on the network.
In an attempt to prevent the problems discussed above, many vulnerability assessment tools have been produced which allow system administrators to examine computers in a network environment to determine vulnerabilities to a potential attack. One method of detecting vulnerabilities is to collect and analyze data from the computers as it passes through routers on the network. One particular representation of this data, which can be produced by many commercial network routers, is “flow” data summaries. A flow record summarizes the participants, bandwidth, ports and routing specifics of a communication between two computers, and is a desirable data source for computer network security analysis because of its compact size and ease of instrumentation. Implementations of this method of data aggregation include Cisco Netflow and the open-source “cflowd.”
Flow records can be analyzed to determine whether the network has been breached. This process requires detailed, reliable data records that do not rely on sampling or further aggregation of records. The problem with this kind of flow data production is that, in addition to producing flow data, each flow-producing router must perform significant routing functions for network traffic. When traffic is heavy, flow data production is among the first functions sacrificed, thus facilitating undetected intrusion by a hostile individual. Additionally, the flows generated by many routers have been shown to be imprecise or inaccurate. Flows generated by routers also lack information that could be helpful in detecting network intruders, as flow data was originally intended for network engineering statistics. It is therefore necessary in the art to create a data monitoring tool for network intrusion detection that produces security-enhanced flow records without reliance on routers.
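The flow-record production and sampling problem described above, as an added example not drawn from the patent: a router-independent aggregator that keys packets by the conventional 5-tuple into the record fields the text names (participants, ports, protocol, packet and byte counts, first and last seen), run over a constructed packet trace with and without 1-in-N sampling to show which flows a sampling router fails to report. The addresses and packet sizes are constructed for illustration.

```python
# Added example (not from the patent): router-independent flow aggregation.
# Builds flow records from a constructed packet trace, then shows how 1-in-N
# packet sampling, as an overloaded router may fall back to, loses whole flows.
from dataclasses import dataclass

@dataclass
class FlowRecord:
    src: str            # participants
    dst: str
    sport: int          # ports
    dport: int
    proto: str
    packets: int = 0    # bandwidth summary
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0

def aggregate(packets, sample_every=1):
    """Collapse packets into flow records keyed by the 5-tuple. sample_every=1
    inspects every packet; N>1 models a router that examines only every Nth."""
    flows = {}
    for i, p in enumerate(packets):
        if i % sample_every:
            continue  # discarded by the sampler
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(*key, first_seen=p["ts"])
        rec.packets += 1
        rec.octets += p["len"]
        rec.last_seen = p["ts"]
    return flows

def pkt(ts, src, dst, sport, dport, proto, length):
    return dict(ts=ts, src=src, dst=dst, sport=sport, dport=dport,
                proto=proto, len=length)

# Constructed trace: a bulk HTTP transfer from 10.0.0.5 interleaved with two
# single-packet connection attempts from 10.0.0.7 (what sampling tends to hide).
TRACE = [
    pkt(0.0, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", 60),
    pkt(0.1, "10.0.0.7", "10.0.0.9", 41000, 22, "tcp", 60),
    pkt(0.2, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", 1500),
    pkt(0.3, "10.0.0.7", "10.0.0.9", 41001, 23, "tcp", 60),
    pkt(0.4, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", 1500),
    pkt(0.5, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", 1500),
]

def flows_lost_by_sampling(packets, n):
    """5-tuples in the complete records that vanish when sampling 1-in-n."""
    return sorted(set(aggregate(packets)) - set(aggregate(packets, n)))
```

With 1-in-2 sampling the bulk transfer survives (under-counted) while both single-packet connection attempts disappear from the records entirely, which is the detection gap the text attributes to router-produced flows.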
U.S. Pat. No. 5,878,420, entitled “NETWORK MONITORING AND MANAGEMENT SYSTEM,” discloses a system for monitoring a network wherein a series of sampling assemblies are connected to a selection of Local Area Networks (LANS) throughout the network to extract data packets from these LANS for traffic analysis. The data is analyzed and stored in a database. The present invention does not use this method to manage data. U.S. Pat. No. 5,878,420 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 6,243,667, entitled “NETWORK FLOW SWITCHING AND DATA EXPORT,” discloses a method for switching in computer networks in response to message flow patterns. In this method, routers identify a new message flow and determine the proper processing for the packets in the flow. For every packet thereafter, the router determines if the packet belongs to an existing flow and, if it does, analyzes it in the same manner as the packets in that flow were previously processed. The present invention does not process packets in this manner. U.S. Pat. No. 6,243,667 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 6,651,099, entitled “METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK,” discloses a method of examining packets passing through a computer network by extracting packet information from each computer on a network using a packet acquisition device, examining these packets to determine if the packets are of the same flow, and updating the existing flow entry or creating a new flow entry in a flow database as appropriate. The present invention does not examine packet information in this manner. U.S. Pat. No. 6,651,099 is hereby incorporated by reference into the specification of the present invention.
Though many methods exist for collecting and analyzing data packets, none provide a method that accurately and efficiently processes all packets passing through the system. Further, no prior art method discloses utilizing the analysis-enhanced flow data to create a practical intrusion detection system.