Many systems exist to provide some measure of security in a computer network. For example, network intrusion detection systems (NIDS) use sophisticated detection techniques to monitor network traffic on a specified segment of a network. One drawback of NIDS is that they are reactive rather than proactive. For example, NIDS perform a rule-based analysis of data packets by looking for signatures in the packets. A signature is a sequence of data that indicates a security risk. Upon detecting a security risk, a NIDS generates an alarm that identifies the source and destination nodes involved in the security risk. The nodes are identified by the source and destination addresses in the headers of the analyzed packets. Unfortunately, the alarm identifies the nodes by Internet Protocol (IP) address, which is often dynamic; that is, those nodes can have a different IP address at a later point in time. Therefore, the alarm report must be acted upon before the nodes' IP addresses change, which is not always practical. For example, remediation efforts typically lag the reception of the alarm report.
Moreover, a NIDS generates many false alarms because it has no mechanism for determining whether the signature that caused the alarm will actually cause a security problem in the system. That is, while a typical NIDS knows that a potential security risk has arisen because a specific signature was detected, it does not know whether the nodes are actually at risk. For example, the nodes may have a security patch in place, unbeknownst to the NIDS.
One conventional way to reduce false alarms is to use adaptive scanning techniques. Adaptive scanning validates NIDS events by determining whether the destination node is actually threatened by the signature the NIDS detected; for example, the destination node may already have a security patch in place and thus not actually be at risk. Adaptive scanning also rates legitimate attacks by assigning a priority to them. However, although conventional adaptive scanning techniques actively probe a network for vulnerabilities, they run in response to a NIDS event and hence are not proactive. Moreover, because they trigger on a NIDS event, adaptive scanning techniques are keyed to IP addresses. This is acceptable for networks whose devices have statically assigned IP addresses, but another approach is needed for networks with computer systems that do not have a static IP address.
Computer systems without a static IP address pose security challenges for the conventional methods discussed above. Mobile computer systems are especially problematic, but even a non-mobile computer system with a dynamically assigned IP address can present problems for conventional methods. Remediation, such as deploying a new virus protection program to all computer systems in a network, is a particular problem, although the security challenge also arises in situations other than remediation. As an example of the unique security challenge, when a laptop physically moves within a network it will generate multiple alarms in a NIDS, one for each IP address it has held. Even a computer system that does not move, but that uses a dynamically assigned (DHCP) IP address, will cause multiple alarms in a NIDS. A conventional NIDS cannot correlate these multiple alarms to a single computer system, which makes remediation efforts very difficult. Moreover, security tasks other than remediation are negatively affected by the changing identifiers of computer systems.
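To make the two problems above concrete, the following is an added example; it is not part of the original text and is not the code of any particular NIDS product. It runs a handful of constructed NIDS alarms against a constructed DHCP lease log. Grouping alarms by destination IP address, as a conventional NIDS does, treats one laptop that has held three leases as three distinct hosts, whereas resolving each alarm's IP address to the MAC address that held the lease at that moment collapses them to one host. It then applies the adaptive-scanning idea of validating each alarm against a patch inventory, so that a signature the host is already patched against is not treated as actionable. The alarm lines, lease records, MAC addresses and the `PATCHED` inventory are all assumptions constructed for the example; a real deployment would pull them from the NIDS and the DHCP server.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample NIDS alarms: (timestamp, signature id, source ip, destination ip).
# Three of them hit the same laptop under three different DHCP leases; one hits an
# address for which no lease is recorded at all.
NIDS_ALERTS = [
    ("2024-03-01 09:05:00", "SIG-1001", "203.0.113.5", "10.0.0.20"),
    ("2024-03-01 09:40:00", "SIG-1001", "203.0.113.5", "10.0.0.21"),  # same laptop, renewed lease
    ("2024-03-01 09:50:00", "SIG-3003", "203.0.113.4", "10.0.0.99"),  # no lease on record
    ("2024-03-01 10:10:00", "SIG-2002", "203.0.113.9", "10.0.0.30"),
    ("2024-03-01 11:00:00", "SIG-1001", "203.0.113.5", "10.0.0.77"),  # laptop moved segments
]

# Constructed DHCP lease log: (lease start, lease end, ip, client MAC).
DHCP_LEASES = [
    ("2024-03-01 08:00:00", "2024-03-01 09:30:00", "10.0.0.20", "aa:bb:cc:00:00:01"),
    ("2024-03-01 09:30:00", "2024-03-01 10:30:00", "10.0.0.21", "aa:bb:cc:00:00:01"),
    ("2024-03-01 10:30:00", "2024-03-01 12:00:00", "10.0.0.77", "aa:bb:cc:00:00:01"),
    ("2024-03-01 08:00:00", "2024-03-01 12:00:00", "10.0.0.30", "aa:bb:cc:00:00:02"),
]

# Hypothetical patch inventory, keyed by MAC: signatures each host is already patched against.
PATCHED = {
    "aa:bb:cc:00:00:01": set(),
    "aa:bb:cc:00:00:02": {"SIG-2002"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def resolve_mac(ip, ts, leases=DHCP_LEASES):
    """Map an IP address at a point in time to the MAC that held the lease then.

    A lease covers the half-open interval [start, end), so a renewal whose new lease
    starts exactly when the old one ends matches only the new lease. Returns None when
    no lease covers the address at that time.
    """
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and parse_ts(start) <= ts < parse_ts(end):
            return mac
    return None


def group_by_ip(alerts=NIDS_ALERTS):
    """The conventional view: one 'host' per destination IP address."""
    groups = defaultdict(list)
    for ts, sig, src, dst in alerts:
        groups[dst].append((ts, sig, src))
    return dict(groups)


def correlate_by_host(alerts=NIDS_ALERTS, leases=DHCP_LEASES):
    """Correlate alarms to the physical host (MAC) that held each IP at alarm time.

    Alarms whose destination cannot be resolved are collected under the key None so
    they are not silently dropped.
    """
    groups = defaultdict(list)
    for ts, sig, src, dst in alerts:
        mac = resolve_mac(dst, parse_ts(ts), leases)
        groups[mac].append((ts, sig, src, dst))
    return dict(groups)


def triage(alerts=NIDS_ALERTS, leases=DHCP_LEASES, patched=PATCHED):
    """Validate each correlated alarm against the host's patch inventory.

    Returns (mac, signature, destination ip, actionable). An alarm is not actionable
    when the resolved host is recorded as patched against that signature; an alarm on
    an unresolved host stays actionable because nothing is known about it.
    """
    results = []
    for mac, host_alerts in correlate_by_host(alerts, leases).items():
        for ts, sig, src, dst in host_alerts:
            covered = mac is not None and sig in patched.get(mac, set())
            results.append((mac, sig, dst, not covered))
    return results


if __name__ == "__main__":
    print("hosts by IP:  ", len(group_by_ip()))
    print("hosts by MAC: ", len([m for m in correlate_by_host() if m is not None]))
    for mac, sig, dst, actionable in triage():
        print(f"{mac or 'unresolved':18} {sig} on {dst:11} actionable={actionable}")
```

The unresolved bucket is the practitioner's check: an alarm whose address has no lease record at that time is either a statically addressed host missing from the inventory or a lease log with a gap, and either way it should be surfaced rather than discarded.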
Therefore, it would be advantageous to provide a method and system that facilitates remediation efforts in a computer network. Such a method and system would advantageously be proactive. It would be further advantageous if the method and system were able to determine that an entity that physically moves in a network is the same entity that was previously recognized elsewhere in the network. It would be still further advantageous to correlate multiple alarms, each associated with a different IP address, as being related to the same computer system.