1. Field of the Invention
Embodiments of the present invention relate to systems and methods for improving the speed of intrusion detection systems. More particularly, embodiments of the present invention relate to systems and methods for optimizing rules, improving work flow, and enhancing multi-rule inspection in intrusion detection systems that monitor network traffic.
2. Background Information
Computers and computer networks connecting such computers are vital components of modern society. Unfortunately, these computers and computer networks are susceptible to attacks from internal and external hostile sources. These attacks include but are not limited to viruses, worms, zombies, and Denial Of Service (DOS) attacks.
Any unauthorized use of or attack on a computer or computer network, whether successful or not, is called an intrusion. One method of combating such intrusions is to detect them before they occur or as they are occurring. This allows system and network administrators to identify the intrusion and prevent or ameliorate an attack. This can be done by analyzing all of the network traffic on a computer network, or analyzing all of the network traffic to and from a given computer.
Software and hardware designed to do this analysis are called Intrusion Detection Systems (IDSs).
IDSs typically analyze network traffic at the packet level. FIG. 1 is a schematic diagram showing the components of an exemplary conventional IDS. In IDS 100, packet acquisition system 120 gets or sniffs a packet from network traffic 110 and decodes it. Decoding includes but is not limited to deciphering protocol information and placing the packet in a human readable format. The acquired and decoded information is sent by packet acquisition system 120 to preprocessor 130. Preprocessor 130 prepares the packet for detection engine 140. This preparation or preprocessing includes but is not limited to defragmenting packets, decoding Hyper Text Transfer Protocol (HTTP) Universal Resource Identifiers (URIs), or re-assembly of Transmission Control Protocol (TCP) streams. The preprocessed packet is sent from preprocessor 130 to detection engine 140.
Packets are typically composed of layers of different network protocols. Each network protocol consists of a header portion and a content portion. The header portion includes but is not limited to parameters specifically used by the protocol, such as source and destination addresses and port information. The content portion includes but is not limited to the actual data being sent. Since network protocols are layered, the content portion of a lower level network protocol will contain both the header and content portions of a higher level network protocol.
Detection engine 140 searches a preprocessed packet for items in the packet that may constitute an intrusion. These items include but are not limited to specific parameters in the header portion of a network protocol, binary patterns in the content portion of a network protocol, or the combination of specific parameters in the header portion and binary patterns in the content portion of a network protocol. These items are hard coded in some IDSs. In other IDSs, these items are generated from rules that are provided to the IDS as input. In a rules-based IDS, as shown in FIG. 1, rules 150 are loaded into detection engine 140 during initialization or during execution of the IDS. A rules-based IDS provides greater flexibility. As new types of intrusions are discovered, they are added to the system as a new rule, and recompilation of the IDS is not required.
When detection engine 140 detects an intrusion, it passes the packet information to logging system 160. A rules-based detection engine 140 also sends any logging information provided in the rule that was matched. Logging system 160 includes but is not limited to storing the packet information in a file, storing any logging information from a matched rule in a file, or sending an alert message to another device or computer.
Because the number of different types of intrusions is steadily increasing with the increasing amount of network traffic across computer networks, rules-based IDSs are preferred. These types of IDSs allow new intrusion detection rules to be added quickly and easily. Unfortunately, however, increasing the number of rules is not without a cost. In conventional rules-based IDSs, as the number of the rules increases, the amount of time required to process each packet increases proportionally. As a result, as the speed of the network traffic is increased, a conventional rules-based IDS containing a large number of rules will not be able to process every packet.
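The following Python script is an added illustration of the pipeline and the scaling problem described above; it is not code from the patent or from any particular IDS. It constructs a minimal IPv4/TCP packet as sample input, decodes it layer by layer (header and content of the lower protocol, then header and content of the higher one), runs a small constructed rule set through a conventional engine that evaluates every rule against every packet, and logs the matched rule's message. To show why the per-packet cost grows with the rule count, it also groups rules by their header parameters (protocol and destination port) so that only rules that can possibly match are evaluated; that grouping is one hypothetical multi-rule inspection technique assumed here for illustration, not the method the patent claims. The rule format, rule contents, addresses and payload are all constructed.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed rule format (assumed for this example): header parameters plus an
# optional byte pattern that must appear in the content portion of the packet.
@dataclass(frozen=True)
class Rule:
    msg: str
    proto: int                 # IP protocol number (6 = TCP)
    dst_port: Optional[int]    # None = any destination port
    content: Optional[bytes]   # None = header-only rule

@dataclass
class DecodedPacket:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes

def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample input: minimal IPv4 header, TCP header, then the payload.
    Checksums are left zero; this is test data, not a wire-correct packet."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def decode(raw: bytes) -> DecodedPacket:
    """Packet acquisition/decoding: each layer's header is peeled off the content
    of the layer below it (the IP content is the TCP header plus TCP content)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return DecodedPacket(src, dst, proto, sport, dport, tcp[data_off:])

def rule_matches(rule: Rule, pkt: DecodedPacket) -> bool:
    """Header parameters are checked first; only then is the content scanned."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    return rule.content is None or rule.content in pkt.payload

def detect_linear(pkt, rules):
    """Conventional engine: every rule is evaluated for every packet, so the
    per-packet cost grows linearly with the rule count. Returns (matches, rules evaluated)."""
    matches = [r.msg for r in rules if rule_matches(r, pkt)]
    return matches, len(rules)

def index_by_port(rules):
    """Group rules by (protocol, destination port) once, when rules are loaded."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r.proto, r.dst_port)].append(r)
    return groups

def detect_grouped(pkt, groups):
    """Only rules whose header parameters can match this packet are evaluated."""
    candidates = groups.get((pkt.proto, pkt.dport), []) + groups.get((pkt.proto, None), [])
    matches = [r.msg for r in candidates if rule_matches(r, pkt)]
    return matches, len(candidates)

def log_matches(pkt, matches, log):
    """Logging system: record the packet parameters plus the matched rule's message."""
    for msg in matches:
        log.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{msg}]")

# Constructed rule set: one rule per service port plus one any-port rule.
RULES = [
    Rule("Traversal pattern in HTTP request", 6, 80, b"../"),
    Rule("VRFY probe on SMTP", 6, 25, b"VRFY"),
    Rule("Login prompt on telnet", 6, 23, b"login:"),
    Rule("Anonymous FTP login", 6, 21, b"anonymous"),
    Rule("Any-port constructed marker", 6, None, b"SAMPLE-MARKER"),
    Rule("Header-only rule for port 6667", 6, 6667, None),
]

def run_demo():
    # Constructed packet: an HTTP request to port 80 containing a "../" sequence.
    raw = build_tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, b"GET /../secret HTTP/1.0\r\n")
    pkt = decode(raw)
    log = []
    lin_matches, lin_evals = detect_linear(pkt, RULES)
    grp_matches, grp_evals = detect_grouped(pkt, index_by_port(RULES))
    log_matches(pkt, lin_matches, log)
    return {"packet": pkt, "linear": (lin_matches, lin_evals),
            "grouped": (grp_matches, grp_evals), "log": log}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the script shows both engines reporting the same single match, but the conventional engine evaluates all six rules for the packet while the grouped engine evaluates only the two rules whose header parameters can apply (the port 80 rule and the any-port rule). The gap widens in direct proportion to the number of rules loaded, which is the cost the paragraph above describes.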
In view of the foregoing, it can be appreciated that a substantial need exists for systems and methods that can advantageously improve the processing speed of rule-based IDSs as the speed of network traffic reaches and exceeds one gigabit per second.