1. Field of the Invention
The present invention relates to providing security in networked computer systems. More specifically, the present invention relates to a method and apparatus for detecting denial-of-service attacks by gathering and analyzing execution profiles of code within a kernel of a networked computer system.
2. Related Art
The open architecture of the Internet is instrumental in facilitating rapid dissemination of information. Information made available on a single web site is instantly accessible from millions of geographically distributed computer systems. Unfortunately, the open architecture of the Internet also makes computer systems vulnerable to attacks launched from any of the millions of computer systems coupled to the Internet.
One common type of attack is a “denial-of-service” attack, in which a large volume of spurious packets is sent from one or more malicious client computer systems to a server computer system. For example, when a large number of spurious requests is sent to a web server, the web server can become so overwhelmed that it is unable to service legitimate requests from non-malicious computer systems. Hence, the web server is effectively rendered inoperative.
One method of detecting denial-of-service attacks is to use a network-based intrusion detection system to examine packets as they stream across the network. A network-based intrusion detection system typically operates by looking for signatures of known attacks. Hence, network-based intrusion detection systems do not operate well against unknown denial-of-service attacks that have not been previously encountered.
The limitations of network-based intrusion detection systems arise from the fact that such a system can only obtain limited information regarding how a specific packet is likely to interact with a specific server. In fact, network-based intrusion detection systems are typically unable to determine whether a specific packet will be received by a specific server at all. They are even less able to determine how a specific packet will interact with that server once received. Hence, a network-based intrusion detection system has a hard time differentiating an unknown denial-of-service attack from a legitimate high-traffic condition on the network.
What is needed is a method and an apparatus for detecting denial-of-service attacks that does not suffer from the above-listed problems of network-based intrusion detection systems.
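The contrast drawn above, between signature matching on packets and analysis of the server's own kernel execution profile, as an added illustration that is not part of the patent text: a signature check finds nothing in a flood of unremarkable packets, while a comparison of sampled kernel-function frequencies against a normal-load baseline flags the shift in where the kernel spends its time. The function names, profiling samples, packets and signature set are all constructed for the example, and the distance metric and threshold are assumptions, not the patent's method.

```python
from collections import Counter

# Constructed profiling samples: each entry names the kernel function that was
# executing when a sampling interrupt fired. Names are illustrative placeholders.
BASELINE_SAMPLES = (["tcp_input"] * 40 + ["ip_output"] * 30
                    + ["syscall_read"] * 20 + ["sched_idle"] * 10)
FLOOD_SAMPLES = (["tcp_input"] * 85 + ["ip_output"] * 5
                 + ["syscall_read"] * 5 + ["sched_idle"] * 5)

# Constructed traffic and a hypothetical signature database for a network IDS.
FLOOD_PACKETS = [b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"] * 1000
KNOWN_SIGNATURES = {b"KNOWN_ATTACK_SIGNATURE_1", b"KNOWN_ATTACK_SIGNATURE_2"}


def signature_match(packets, signatures=KNOWN_SIGNATURES):
    """Network-based view: alert only if a packet contains a known signature."""
    return any(sig in pkt for pkt in packets for sig in signatures)


def profile(samples):
    """Turn sampled kernel-function names into a normalised frequency profile."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def profile_distance(baseline, observed):
    """Total variation distance between two profiles: 0 identical, 1 disjoint (assumed metric)."""
    names = set(baseline) | set(observed)
    return 0.5 * sum(abs(baseline.get(n, 0.0) - observed.get(n, 0.0)) for n in names)


def top_deviation(baseline, observed):
    """Kernel function whose share of execution time grew the most versus baseline."""
    names = set(baseline) | set(observed)
    return max(names, key=lambda n: observed.get(n, 0.0) - baseline.get(n, 0.0))


def profile_alert(baseline_samples, observed_samples, threshold=0.3):
    """Host-based view: alert when the execution profile drifts past an assumed threshold."""
    base, obs = profile(baseline_samples), profile(observed_samples)
    return profile_distance(base, obs) > threshold


if __name__ == "__main__":
    print("signature IDS alert:", signature_match(FLOOD_PACKETS))          # False
    print("profile alert:", profile_alert(BASELINE_SAMPLES, FLOOD_SAMPLES))  # True
    print("hot function:", top_deviation(profile(BASELINE_SAMPLES), profile(FLOOD_SAMPLES)))
```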