Operators of large networks have tools to address self-propagating attack behavior, such as that of “network worms”, which automatically and opportunistically attack networked computing devices. Worms often “propagate” across a network faster than humans can intervene to stop them. As a result, a number of systems are available that run on network communications devices or on host computers, such as client or server computers, to combat this propagation.
Operators also need more robust tools for maintaining the security of networks against other types of attacks and for enforcing security policies generally. For example, many host computers perform specified tasks that are critical and other tasks that may be less critical, less common, or more susceptible to security breaches. As security policies change or threat levels to the network change, access to the host computers should be adapted accordingly.
Currently available Network Intrusion Detection Systems (NIDS) can detect network attacks such as worm outbreaks by comparing all traffic to a database of known worms. The operation is similar to ubiquitous virus checking software that scans received and stored files at client computers. These NIDS are deployed at the edges of enterprise networks to insulate the networks from unauthorized access from third-party or public networks, such as the Internet.
Anomaly Detection Systems (ADS) detect worm outbreaks by observing network behavior and noticing deviations from normal network traffic patterns. Exemplary Anomaly Detection Systems generate a matrix of observed traffic rates. A typical implementation generates a matrix representing the cross product of every host on the network against every other host on the network against every port or protocol on which traffic is observed. When rates exceed a learned or statically assigned traffic rate or, more typically, when traffic is seen on a port for the first time, a typical ADS will generate an alert.
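The traffic-rate matrix described above, shown as an added example rather than code from any particular product: each cell of the matrix is keyed by (source host, destination host, port), a learning pass fills the matrix from baseline flows, and a detection pass raises an alert either when a cell is seen for the first time or when its rate exceeds a multiple of the learned rate. The flow records, host addresses, and the rate multiplier of 3 are constructed for illustration; real systems would also key on protocol and use time-windowed rates.

```python
from collections import defaultdict

# Constructed flow records for illustration: (src_host, dst_host, port, bytes_in_window).
# Each distinct (src, dst, port) triple is one cell of the traffic matrix, i.e. the
# cross product of hosts x hosts x ports on which traffic was observed.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.10", 80, 5000),
    ("10.0.0.5", "10.0.0.10", 80, 4000),
    ("10.0.0.6", "10.0.0.10", 25, 1000),
]

OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.0.10", 80, 6000),    # known cell, within learned rate
    ("10.0.0.6", "10.0.0.10", 25, 4000),    # known cell, rate exceeds learned rate
    ("10.0.0.7", "10.0.0.11", 445, 500),    # port never seen from this host: first-seen
    ("10.0.0.7", "10.0.0.12", 445, 500),    # same source fanning out on a new port
]


class RateMatrixDetector:
    """Sparse traffic-rate matrix keyed by (src, dst, port)."""

    def __init__(self, rate_factor=3.0):
        # rate_factor is an assumed static multiplier over the learned rate.
        self.rate_factor = rate_factor
        self.learned = defaultdict(int)

    @staticmethod
    def _aggregate(flows):
        """Sum bytes per matrix cell for one observation window."""
        cells = defaultdict(int)
        for src, dst, port, nbytes in flows:
            cells[(src, dst, port)] += nbytes
        return cells

    def learn(self, flows):
        """Learning pass: populate the matrix with baseline rates."""
        for cell, nbytes in self._aggregate(flows).items():
            self.learned[cell] += nbytes

    def detect(self, flows):
        """Detection pass: alert on first-seen cells and on rate excursions."""
        alerts = []
        for cell, rate in self._aggregate(flows).items():
            if cell not in self.learned:
                alerts.append(("first-seen", cell, rate))
            elif rate > self.rate_factor * self.learned[cell]:
                alerts.append(("rate-exceeded", cell, rate))
        return alerts

    def fan_out(self, flows, port):
        """Number of distinct destinations each source reaches on one port in a window;
        a sudden jump here is the classic worm-scanning pattern."""
        dests = defaultdict(set)
        for src, dst, p, _ in flows:
            if p == port:
                dests[src].add(dst)
        return {src: len(d) for src, d in dests.items()}


def run_demo():
    detector = RateMatrixDetector()
    detector.learn(BASELINE_FLOWS)
    return detector.detect(OBSERVED_FLOWS), detector.fan_out(OBSERVED_FLOWS, 445)


if __name__ == "__main__":
    alerts, fanout = run_demo()
    for kind, cell, rate in alerts:
        print(f"{kind:14s} {cell} rate={rate}")
    print("fan-out on port 445:", fanout)
```

Learning and detection are separated so that the same matrix can be refreshed from a clean window and then compared against live traffic; the first-seen rule fires regardless of volume, which is why a single scanning host reaching two new destinations on one port produces two alerts here.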
Still another type of system generates a multigraph-based model of the network, where the vertices in the graph represent hosts and edges between hosts represent different protocols on which traffic is observed. A hierarchical clustering algorithm reduces this from a multigraph of hosts on the network to a multigraph of groups of similar hosts. Alerts are generated when traffic between hosts or groups does not match a learned edge between the hosts or groups.
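The multigraph model described above, as an added example that is not the code of any system the passage refers to. Hosts are vertices, each (source, destination) pair carries the set of protocols seen between them, and hosts are collapsed into groups so that traffic between two hosts is accepted if either the host-level edge or the group-level edge has that protocol. The hierarchical clustering of the passage is replaced here by a single clustering step, an assumption for brevity: hosts with an identical inbound/outbound protocol profile form one group. Host names and flows are constructed.

```python
from collections import defaultdict

# Constructed training flows: (src_host, dst_host, protocol).
TRAINING_FLOWS = [
    ("ws1", "fileserver", "smb"), ("ws2", "fileserver", "smb"), ("ws3", "fileserver2", "smb"),
    ("ws1", "mail", "smtp"), ("ws2", "mail", "smtp"), ("ws3", "mail", "smtp"),
    ("mail", "dns", "dns"), ("fileserver", "dns", "dns"), ("fileserver2", "dns", "dns"),
]

# Constructed flows to check against the learned model.
CHECK_FLOWS = [
    ("ws3", "fileserver", "smb"),   # no host edge, but the group edge permits smb
    ("ws1", "fileserver", "ssh"),   # protocol never learned on this edge or group edge
    ("ws1", "mail", "smb"),         # wrong protocol toward the mail group
    ("ws2", "mail", "smtp"),        # learned host edge
    ("rogue", "ws1", "smb"),        # host absent from the model entirely
]


class MultigraphModel:
    def __init__(self):
        self.host_edges = defaultdict(set)   # (src, dst) -> {protocols}
        self.group_of = {}                   # host -> group name
        self.group_edges = defaultdict(set)  # (src_group, dst_group) -> {protocols}

    def learn(self, flows):
        """Build the host multigraph: one edge per protocol between a host pair."""
        for src, dst, proto in flows:
            self.host_edges[(src, dst)].add(proto)
        self._cluster()

    def _cluster(self):
        """Simplified clustering (assumption): hosts with identical protocol
        profiles become one group; then project host edges onto group edges."""
        profile = defaultdict(set)
        for (src, dst), protos in self.host_edges.items():
            for proto in protos:
                profile[src].add(("out", proto))
                profile[dst].add(("in", proto))
        buckets = defaultdict(list)
        for host, prof in profile.items():
            buckets[frozenset(prof)].append(host)
        # Name groups deterministically by their lexically smallest member.
        for idx, hosts in enumerate(sorted(buckets.values(), key=min)):
            for host in hosts:
                self.group_of[host] = f"G{idx}"
        self.group_edges.clear()
        for (src, dst), protos in self.host_edges.items():
            self.group_edges[(self.group_of[src], self.group_of[dst])] |= protos

    def check(self, flows):
        """Return flows that match neither a learned host edge nor a learned group edge."""
        alerts = []
        for src, dst, proto in flows:
            if proto in self.host_edges.get((src, dst), ()):
                continue
            gsrc, gdst = self.group_of.get(src), self.group_of.get(dst)
            if gsrc and gdst and proto in self.group_edges.get((gsrc, gdst), ()):
                continue
            alerts.append((src, dst, proto))
        return alerts


def run_demo():
    model = MultigraphModel()
    model.learn(TRAINING_FLOWS)
    return model, model.check(CHECK_FLOWS)


if __name__ == "__main__":
    model, alerts = run_demo()
    print("groups:", sorted(model.group_of.items()))
    for alert in alerts:
        print("alert:", alert)
```

The group-level edge is what lets the model generalize: ws3 never contacted fileserver during training, yet the flow is accepted because workstations as a group are known to reach file servers over SMB, while the same workstation group sending SMB to the mail server is flagged.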
Standard network security practices at large networks also involve firewall devices to block traffic from untrusted hosts, typically all Internet hosts, on untrusted protocols, which are typically any protocol other than HTTP (Hypertext Transfer Protocol) and SMTP (Simple Mail Transfer Protocol). In this manner, worm outbreaks are stifled by lack of connectivity from untrusted, infected hosts to vulnerable hosts of the network.
The current state of the art also provides for the blocking of traffic in response to detection of a propagating attack behavior. Here, Network Intrusion Prevention Systems (NIPS) detect worms in the same manner as NIDS, but are deployed in the same manner as network firewalls, on the network edges that interface with larger networks, such as the Internet or service provider networks. When worms are detected, communications through the network involving infected hosts are selectively dropped.
The current state of the art also provides for a simple control plane between a detection system and an access control device. The popular open source “Snort” NIDS includes a plugin, called “snort_sam”, that reconfigures firewalls and router access control lists (ACLs) to block traffic corresponding to alerts generated by the Snort NIDS.