Security is a critical feature in modern communication networks; providing a security solution requires an understanding of the possible threat scenarios and their related requirements. Network security systems also need to be flexible, promoting interoperability and collaboration across administrative domains.
As communication networks expand and converge into an integrated global system, open protocol standards are being developed and adopted with a view to enabling flexibility and universal access to the collection and exchange of information. Unfortunately, these open standards tend to make networks more vulnerable to security-related attacks; TCP (transmission control protocol) was designed on the assumption that system users would connect to the network for strictly legitimate purposes, so no particular consideration was given to security issues. As many routing protocols rely on TCP (for example, the border gateway protocol, BGP, uses TCP as its transport protocol), they inherit all the security weaknesses of TCP itself.
There are many types of security concerns that must be considered in a network. This invention is concerned with detecting systems infected with worm(s). A worm is a program that replicates itself across a network in various ways, where the victim is not usually specifically targeted, but is simply an unlucky host. Worms operate by exploiting both known and previously unknown software vulnerabilities and propagate rapidly across the network. By hijacking trusted applications such as web servers, mail transfer agents and log-in servers, which typically run with elevated privileges, worms can gain full access to system resources and cause complete system compromise. Even though the impact of a worm on any given piece of network equipment is very often benign, the cumulative effect of tens of thousands of infected network elements spreading the malware to other network elements as fast as possible can be disastrous. Worms, especially the fast-spreading “flash worms”, have wreaked havoc on the Internet; for example, Code Red and Nimda caused major congestion in the Internet, in many cases requiring the entire network of many enterprises to be shut down.
The reliability and security of an IP network is essential in a world where computer networks are a key element of intra-entity and inter-entity communications and transactions. While the current defense models have been around for years, to date none has been able to deliver on the final goal of full protection against all attacks at little cost and annoyance. Current intrusion detection technology does not provide the performance level required for high-end routers. To address this problem, new techniques are currently being devised. This is a key challenge for the telecom industry, and many partial solutions have been proposed so far. The capacity to detect the propagation of worms as fast as possible, and to react efficiently to ongoing attacks in order to protect the network infrastructure, is becoming a real challenge for network operators, particularly in the case of large distributed networks.
Attack detection methodology can be divided into two main categories: flow-based analysis and deep-packet analysis. Flow-based analysis monitors the traffic in the telecommunication infrastructure to detect unusual traffic patterns. It usually relies on technologies such as NetFlow, IPFIX and Realtime Traffic Flow Monitoring (RTFM: http://www.auckland.ac.nz/net/Internet/rtfm/) implemented in the network routers. Deep-packet analysis tracks back single malicious IP packets by analyzing each packet to detect either known signatures or frequently seen patterns. Methods for tracing continuous flows, such as iTrace, may also be used to trace back single packets.
Most flow-based analysis methods rely on statistical detection of anomalous traffic patterns. For example, ConSentry Networks uses a complex ASIC to handle statistical analysis of the traffic; the OrcaFlow product by Cetacea Networks uses statistics gathered from standard MIBs to find deviations from a baseline; the ProCurve switch by HP implements a connection rate limit, etc.
Another statistical technique proposed for detecting attacks is “sequential hypothesis testing”. While this approach has a fast reaction time, it requires determining whether each connection request succeeded or not. Other techniques propose monitoring different characteristics of worms, such as identifying identical (repeated) packets, identifying a malicious packet based on the absence of a preceding DNS (domain name server) look-up, or assigning scores to packets based on e.g. the peer list, the ARP (address resolution protocol) rate, internal network dark space, etc.
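The sequential hypothesis test mentioned above can be illustrated with a small per-host detector. The following Python code is an added example written for this discussion; it is not part of the invention or of any product named here. It assumes constructed success probabilities for benign and infected hosts (THETA0, THETA1), constructed error targets (ALPHA, BETA), and a constructed connection log in which SYN-ACK marks a completed handshake and RST or TIMEOUT marks a failed one. Each connection outcome moves a per-source log-likelihood ratio towards one of two thresholds; a verdict is reached as soon as a threshold is crossed, which is why the approach reacts after only a handful of attempts but also why it needs to know whether each attempt succeeded.

```python
import math
from dataclasses import dataclass

# Hypothesis parameters (constructed for this example). A benign host's
# first-contact connection attempts succeed with probability THETA0; a
# scanning host's succeed with probability THETA1, because scanners mostly
# probe addresses that are absent or ports that are closed.
THETA0 = 0.8
THETA1 = 0.2
ALPHA = 0.01   # tolerated probability of flagging a benign host
BETA = 0.99    # desired probability of flagging an infected host

# Decision thresholds on the log-likelihood ratio (Wald's approximations).
ETA_INFECTED = math.log(BETA / ALPHA)                # about +4.595
ETA_BENIGN = math.log((1 - BETA) / (1 - ALPHA))      # about -4.595

# Per-outcome increments: a failure is evidence for "infected", a success
# is evidence for "benign".
LLR_SUCCESS = math.log(THETA1 / THETA0)              # about -1.386
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # about +1.386


@dataclass
class HostState:
    llr: float = 0.0
    observations: int = 0
    verdict: str = "pending"


class SequentialHypothesisDetector:
    """Runs one sequential likelihood-ratio test per source host."""

    def __init__(self):
        self.hosts = {}

    def observe(self, src, success):
        state = self.hosts.setdefault(src, HostState())
        if state.verdict != "pending":
            return state.verdict          # decision is already final
        state.observations += 1
        state.llr += LLR_SUCCESS if success else LLR_FAILURE
        if state.llr >= ETA_INFECTED:
            state.verdict = "infected"
        elif state.llr <= ETA_BENIGN:
            state.verdict = "benign"
        return state.verdict


def parse_outcome(line):
    """Parse a constructed line 'src -> dst:port OUTCOME' into (src, success).

    OUTCOME is SYN-ACK for a completed handshake, RST or TIMEOUT otherwise.
    """
    src, _arrow, _dst_port, outcome = line.split()
    return src, outcome == "SYN-ACK"


# Constructed connection-attempt log, interleaved as a router would see it:
# 10.0.0.5 sweeps a subnet (all failures), 10.0.0.9 browses normally (all
# successes), 10.0.0.12 has one real connection before it starts scanning,
# and 10.0.0.20 has too little traffic yet for a decision.
SAMPLE_LOG = [
    "10.0.0.5 -> 10.0.1.1:445 TIMEOUT",
    "10.0.0.9 -> 93.184.216.34:443 SYN-ACK",
    "10.0.0.12 -> 10.0.2.7:80 SYN-ACK",
    "10.0.0.5 -> 10.0.1.2:445 RST",
    "10.0.0.20 -> 10.0.2.9:22 SYN-ACK",
    "10.0.0.12 -> 10.0.3.1:445 TIMEOUT",
    "10.0.0.9 -> 198.51.100.7:443 SYN-ACK",
    "10.0.0.5 -> 10.0.1.3:445 TIMEOUT",
    "10.0.0.12 -> 10.0.3.2:445 TIMEOUT",
    "10.0.0.9 -> 198.51.100.8:80 SYN-ACK",
    "10.0.0.5 -> 10.0.1.4:445 RST",
    "10.0.0.12 -> 10.0.3.3:445 RST",
    "10.0.0.20 -> 10.0.2.10:22 SYN-ACK",
    "10.0.0.9 -> 203.0.113.5:443 SYN-ACK",
    "10.0.0.12 -> 10.0.3.4:445 TIMEOUT",
    "10.0.0.12 -> 10.0.3.5:445 TIMEOUT",
]


def run(lines):
    """Replay the log; return {src: (verdict, attempts used to reach it)}."""
    detector = SequentialHypothesisDetector()
    for line in lines:
        src, success = parse_outcome(line)
        detector.observe(src, success)
    return {src: (s.verdict, s.observations) for src, s in detector.hosts.items()}


if __name__ == "__main__":
    for src, (verdict, n) in sorted(run(SAMPLE_LOG).items()):
        print(f"{src:<10} {verdict:<9} after {n} connection attempts")
```

With these parameters four consecutive failures are enough to declare a host infected and four consecutive successes to clear it; the host that made one legitimate connection first needs two more failed attempts before the evidence tips over. The dependency on the outcome of each attempt is the operational cost of the method: a monitor that only sees outbound SYNs, and not the replies, cannot run this test.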
Ideally, a network operator strives to identify an infected machine quickly and quarantine it as soon as possible; otherwise, the infection could well spread before any alarm is raised. However, the price to pay for detecting and preventing security attacks is overwhelming. Today, enterprises deploy a layered defense model, which includes firewalls, anti-virus systems, access management and intrusion detection systems (IDS). Besides being expensive, the solutions available so far do not detect and stop worm propagation across a network fast enough. Responsiveness is impacted by the fact that the current solutions are based on multiple components, which may have difficulty communicating and coordinating the required counter-measures.
Monitoring and analysis of all packets going through high-end routers requires specialized hardware or additional equipment coupled with the routers, increasing the complexity and the cost of the infrastructure. Even so, such monitoring may still have effectiveness problems. The solutions based on recognizing the signature of an attack are quite inefficient, since they have a large response time, always lagging new worms by days. Also, it is difficult to set an appropriate limit on the number of connected hosts for defining an attack: some servers legitimately talk to many hosts, and some clients also talk to many hosts (for example, some web pages, such as www.cnn.com, are complex and cause the client to talk to dozens of hosts), so it is difficult to minimize both false positives and false negatives.
Furthermore, it is extremely difficult to distinguish between the identity or behavior of ‘good’ and ‘bad’ code. This results in a large number of ‘false positives’, which limit many prevention systems to detecting events rather than protecting against them.
Traffic pattern anomaly detection provides a promising solution for detecting worms. Most approaches to traffic pattern anomaly detection use statistics of some sort, and they can be classified into two main approaches: comparison and behavior. In the comparison approaches, the plan is to establish a baseline characteristic of the respective flow and then detect deviations from the baseline. Clearly, this approach cannot have a very fast detection time and is not ideally suited to worm detection.
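The difference between the comparison approach described above and a behavior approach, and the false-positive problem raised earlier for simple connection-count limits, can be shown on one constructed minute of traffic. The following Python code is an added example written for this discussion, not code from the invention or from any product named on this page. It assumes a constructed baseline of per-host fan-out values (BASELINE_FANOUT), a constructed event stream in which "dns" records a name resolution returned to a host and "conn" records a new connection, and constructed thresholds (k standard deviations above the baseline mean; max_unresolved connections without a preceding look-up). Three hosts are modelled: a browser fetching a complex page from 30 hosts, a quiet workstation, and a host sweeping a neighbouring subnet by address.

```python
from collections import defaultdict
import statistics

# Constructed historical baseline: distinct destinations contacted per host
# during quiet one-minute windows on a small office segment.
BASELINE_FANOUT = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4]


def make_sample_events():
    """Build a constructed one-minute window of (kind, src, dst) events.

    kind is "dns" for a DNS answer returned to src naming dst, or "conn" for a
    new connection from src to dst.
    """
    events = []
    # A busy web client: a complex page pulls content from 30 hosts, each
    # resolved by name before the connection is opened.
    for i in range(30):
        ip = f"203.0.113.{i + 1}"
        events.append(("dns", "10.0.0.9", ip))
        events.append(("conn", "10.0.0.9", ip))
    # A quiet workstation.
    for i in range(3):
        ip = f"198.51.100.{i + 1}"
        events.append(("dns", "10.0.0.20", ip))
        events.append(("conn", "10.0.0.20", ip))
    # A scanning host sweeping the neighbouring subnet by address: no look-ups.
    for i in range(40):
        events.append(("conn", "10.0.0.5", f"10.0.1.{i + 1}"))
    return events


def fanout(events):
    """Distinct destinations per source host."""
    dests = defaultdict(set)
    for kind, src, dst in events:
        if kind == "conn":
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def comparison_verdicts(events, k=3.0):
    """Comparison approach: flag hosts whose fan-out exceeds baseline mean + k*sd."""
    mean = statistics.mean(BASELINE_FANOUT)
    sd = statistics.pstdev(BASELINE_FANOUT)
    threshold = mean + k * sd   # 3.6 + 3 * 1.2 = 7.2 for the constructed baseline
    return {src: n > threshold for src, n in fanout(events).items()}


def behavior_verdicts(events, max_unresolved=10):
    """Behavior approach: flag hosts that open many connections to destinations
    they never resolved via DNS (a worm picks addresses, a user picks names)."""
    resolved = defaultdict(set)
    unresolved = defaultdict(int)
    for kind, src, dst in events:
        if kind == "dns":
            resolved[src].add(dst)
        elif dst not in resolved[src]:
            unresolved[src] += 1
    return {src: unresolved[src] > max_unresolved for src in fanout(events)}


if __name__ == "__main__":
    ev = make_sample_events()
    counts = fanout(ev)
    cmp_flags = comparison_verdicts(ev)
    beh_flags = behavior_verdicts(ev)
    for src in sorted(counts):
        print(f"{src:<10} fan-out {counts[src]:>3}  "
              f"comparison flagged: {cmp_flags[src]!s:<5}  "
              f"behavior flagged: {beh_flags[src]}")
```

Against the constructed baseline, the comparison approach flags both the scanner and the legitimate browser, because both exceed the fan-out threshold; this is the false positive the web-page example above refers to, and raising the threshold until the browser passes would let a slower worm pass as well. The behavior approach flags only the scanner, since its connections are not preceded by name resolution. The behavior heuristic has its own blind spot, not modelled here: hosts that legitimately address internal servers by IP also appear unresolved, so a deployment needs an allow-list for such destinations.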
The existing behavior approaches try to identify worm-like behaviors and then identify hosts that exhibit any of these behaviors. There are several major drawbacks to the current behavior detection methods. All the existing products incorporate the worm behavior detection functions into high-performance ASIC parts in stand-alone switches. Individual network traffic (or ‘pipes’) is aggregated towards the high-performance ASIC, making it an even more complex problem to separate out each host or port. Also, the speed of the aggregated pipe is likely to be higher than that of the individual pipes, so the aggregate CPU cycles needed can be very high. The behavioral detection systems are more likely to be placed towards the core of the network, so local traffic will not be “seen” by the system. This means that an infected host could infect a whole workgroup without raising any alarm. Installing additional detection systems in the network adds delay to each packet and also increases management overhead.
In summary, the complex processing used by the current behavior approaches cannot be done in the fast data path; any action taken by the existing behavioral detection systems is necessarily delayed. Any delay is undesirable: in this context, every packet that gets through potentially translates into another infected machine.
Therefore, there is a need to provide new techniques and systems for detecting and confining malicious activities (e.g. internet worms) in a network that are easy to install and maintain.