The present invention relates to protecting computer networks against security breaches such as intrusion attacks. More specifically, it relates to a mechanism for securing the quality of service of the computer networks by responding to intrusion attacks on the computer networks.
Among the most common types of attacks on computer networks are intrusion attacks. These attacks fall into categories such as application specific attacks, backdoor attacks, Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks. Application specific attacks exploit weaknesses in an application's behavior to gain access to information or data that is otherwise denied to the attacker. Backdoor attacks break through the security cover of a network or host once and leave behind Trojan horses, which the attacker can then use to gain unauthorized access at will. DoS attacks attempt to crash a service being provided by a computer on a network or make it unusable, thereby denying the service to authorized users. In a typical DoS attack, a single computer on the network attempts to crash the service. A more dangerous variety of a DoS attack is a DDoS attack. In such an attack, the attacking computer typically takes control of a large number of computers on the network and attacks the host computer through them. Thus, legitimate users appear to be attackers, while the actual attacker is difficult to detect.
Recently, the amount of traffic on the Internet has increased enormously. At the same time, hacking activity on the Internet has also increased. This has led to an increased threat of intrusion attacks on computer networks.
The increasing threat of intrusion attacks on computer networks has created a strong need for mechanisms which provide protection to computer networks from such attacks. Through such mechanisms, Internet Service Providers (ISPs) can offer safer Internet access to customers without interruption to the operation of the network. The ISPs need an intrusion protection solution that can detect, prevent, and react to unauthorized activity in any part of the network. Without such efficient mechanisms for intrusion attack protection, ISPs cannot obtain customer confidence in their ability to provide a secure network infrastructure.
An equally strong, if not stronger, need has been created due to the increasing threats of intrusion attacks and cyber terrorism on enterprise networks, government networks and military networks. Consequently, there is an increasing pressure on security administrators of these networks to put effective mechanisms in place to protect their networks against such attacks. However, current network architectures prove to be inadequate in providing full protection to these networks against such attacks.
In the past, various types of intrusion detection systems have been developed for networks such as the Internet. So far, primarily two types of intrusion detection devices have been developed. These are host-based intrusion detection systems and network-based intrusion detection systems.
Host-based intrusion detection systems typically run on the host system that they are protecting. Agent software is installed on the host server that is to be monitored. The agent software tracks unauthorized access attempts or other unauthorized activities on the host server.
Network-based intrusion detection systems typically run on the network itself. Typically, agents are installed on Local Area Network (LAN) segments or behind firewalls to monitor and analyze network traffic. These network-based intrusion detection systems typically provide intrusion detection while running in promiscuous mode on the network. These systems observe the network traffic and compare it against previously identified intrusion attack signatures.
However, the mere detection of intrusion attacks does not provide protection against such attacks. Mechanisms are needed to respond to such attacks so as to guard networks against them. Also, responding effectively to DDoS attacks poses a particular challenge.
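The two ideas above, a network-based system that compares observed traffic against previously identified attack signatures, and the difficulty of recognizing a DDoS flood in which each participating host looks like a legitimate user, can be made concrete with a small detector. The following is an added illustration written for this page; it is not code from the patent or from any product it describes. The packet records, the signatures, the window size and the thresholds are all constructed for the example, and the per-source versus aggregate rate checks are one simple way of showing the DDoS problem, not the mechanism the invention claims.

```python
"""
Minimal signature-based network intrusion detector over constructed packet
records, plus per-source and aggregate rate checks that show why a flood
spread across many sources (DDoS) is harder to flag than a single-source DoS.
Every packet, signature and threshold here is constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds (constructed)
    src: str         # source address (constructed)
    dst: str         # destination address (constructed)
    dport: int       # destination port
    payload: bytes   # application payload


# Constructed signatures: (name, destination port or None for any, byte pattern).
# A real signature database would be far larger and more precise.
SIGNATURES = [
    ("http-path-traversal", 80, b"../../"),
    ("telnet-default-login-probe", 23, b"admin"),
]


def match_signatures(pkt, signatures=SIGNATURES):
    """Return the names of every signature whose pattern occurs in the payload
    (and whose port restriction, if any, matches the packet)."""
    hits = []
    for name, port, pattern in signatures:
        if port is not None and pkt.dport != port:
            continue
        if pattern in pkt.payload:
            hits.append(name)
    return hits


def rate_alerts(packets, window=1.0, per_source_limit=50, aggregate_limit=200):
    """Bucket packets into fixed time windows and count them per source.
    A single source above per_source_limit is a single-source flood; a window
    whose total exceeds aggregate_limit is flagged even when no individual
    source stands out, which is the DDoS case."""
    per_window = defaultdict(Counter)          # window index -> Counter(src)
    for p in packets:
        per_window[int(p.ts // window)][p.src] += 1
    alerts = []
    for w in sorted(per_window):
        counts = per_window[w]
        for src, n in counts.items():
            if n > per_source_limit:
                alerts.append(("single-source-flood", w, src, n))
        total = sum(counts.values())
        if total > aggregate_limit:
            alerts.append(("aggregate-flood", w, None, total))
    return alerts


def build_sample_traffic():
    """Constructed traffic: one benign request, one signature hit, a
    single-source flood in window 1 and a distributed flood in window 2."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.1.1", 80, b"GET /index.html HTTP/1.1"),
        Packet(0.1, "10.0.0.9", "10.0.1.1", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ]
    # window 1: 60 packets from one host, above the per-source limit
    for i in range(60):
        pkts.append(Packet(1.0 + i * 0.01, "10.0.0.77", "10.0.1.1", 80,
                           b"GET / HTTP/1.1"))
    # window 2: 250 packets from 250 distinct hosts, one packet each
    for i in range(250):
        pkts.append(Packet(2.0 + i * 0.001, f"10.1.{i // 256}.{i % 256}",
                           "10.0.1.1", 80, b"GET / HTTP/1.1"))
    return pkts


def analyze(packets):
    """Run both detectors and return (signature hits, rate alerts)."""
    sig_hits = [(p.src, name) for p in packets for name in match_signatures(p)]
    return sig_hits, rate_alerts(packets)


if __name__ == "__main__":
    hits, alerts = analyze(build_sample_traffic())
    for src, name in hits:
        print(f"signature {name} from {src}")
    for kind, w, src, n in alerts:
        print(f"{kind}: window {w}, source {src}, {n} packets")
```

On the constructed traffic the signature check flags only the traversal request, the per-source check flags the host in window 1, and only the aggregate check catches window 2, where no single source exceeds its limit. That last window is the situation the text describes: each participating computer looks like an ordinary user, so a response mechanism cannot simply block whichever source is loudest.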
Thus, there is a need for mechanisms for effective and appropriate response to such attacks to protect ISP, enterprise and other networks. Further, there is need for mechanisms for effectively responding to and protecting networks against various types of intrusion attacks, including DDoS attacks. Moreover, there is a need for mechanisms to maintain Quality of Service levels of the computer network being protected even while an ongoing intrusion attack