Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both because of the intellectual challenge such attacks represent for hackers and because of the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to them. As various attack methods are tried and ultimately repulsed, attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an ongoing, ever-changing, and increasingly complex problem.
Computer network attacks can take many forms, and any one attack may include many security events of different types. Security events are anomalous network conditions, each of which may compromise the security of a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capacity in order to cause denial of service; and so forth.
A variety of intrusion detection programs have been developed to detect and protect against threats to network security. As is known in the art, a common method of detecting these threats is to use a scanning engine to scan for known attacks against networked computers. These attacks can be identified by their unique “attack signature,” which generally consists of a string of binary or text data. Upon the detection of an attack signature by the scanning engine, protective measures can be taken, including sending alerts, intercepting harmful traffic, or disconnecting users who launch attacks.
Such intrusion detection programs are often positioned on a network to monitor traffic between a plurality of network devices. Unfortunately, the amount of traffic on networks such as the Internet is constantly growing. In conjunction with such growth, there is a steady growth of attack signatures that must be compared against the network traffic.
Due to these phenomena, an intrusion detection program is often overloaded and cannot “keep up” with scanning all of the traffic. One result of such overload is that the intrusion detection program drops packets and connections. This, in turn, increases the likelihood that an attack will go unnoticed.
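The following is an added example, not code from the original document: a small Python model of the signature-scanning engine described above, placed behind a bounded input queue so that the overload failure mode is visible. When packets arrive faster than the engine can scan them, the excess is dropped unscanned, and a signature carried by a dropped packet produces no alert. The signatures, benign payload, and two-tick traffic trace are all constructed placeholders.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed placeholder signatures; a real engine holds thousands of patterns.
SIGNATURES = {
    "sig-alpha": b"CONSTRUCTED_SIGNATURE_ALPHA",
    "sig-beta": b"CONSTRUCTED_SIGNATURE_BETA",
}
BENIGN = b"GET /index.html HTTP/1.1"  # constructed benign payload

def scan_packet(payload: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature whose byte string occurs in payload."""
    return [name for name, sig in signatures.items() if sig in payload]

@dataclass
class ScanStats:
    scanned: int = 0   # packets the engine actually inspected
    dropped: int = 0   # packets discarded unscanned because the queue was full
    alerts: list = field(default_factory=list)

def run_engine(traffic, scans_per_tick: int, queue_capacity: int) -> ScanStats:
    """Bounded-queue scanning engine: each tick enqueues the arriving payloads,
    drops any that find the queue full, then scans at most scans_per_tick."""
    queue, stats = deque(), ScanStats()
    for arriving in traffic:
        for pkt in arriving:
            if len(queue) >= queue_capacity:
                stats.dropped += 1       # overload: never reaches the scanner
            else:
                queue.append(pkt)
        for _ in range(min(scans_per_tick, len(queue))):
            stats.scanned += 1
            stats.alerts.extend(scan_packet(queue.popleft()))
    while queue:                         # arrivals stopped; finish the backlog
        stats.scanned += 1
        stats.alerts.extend(scan_packet(queue.popleft()))
    return stats

def make_traffic() -> list:
    """Constructed trace: a light tick, then a burst whose last packet carries
    a signature and arrives after the queue has already filled."""
    return [
        [BENIGN, BENIGN + SIGNATURES["sig-alpha"]],
        [BENIGN] * 5 + [b"POST /upload " + SIGNATURES["sig-beta"]],
    ]
```

Running `run_engine(make_traffic(), 2, 4)` scans six of the eight packets, drops two, and reports only `sig-alpha`; with `run_engine(make_traffic(), 6, 8)` nothing is dropped and both signatures are reported.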