1. Field of the Invention
The present invention relates to computer networks. More particularly, the present invention relates to a method and system for assessing activities within a computer network using Bayesian networks to, for example, detect attacks on the computer network, characterize and assess the nature and objectives of the attacks, and assess the vulnerability and security state of the computer network.
2. Background Information
It is known to monitor activity within computer networks. For example, there are computer network security software products for Information Assurance (IA) which focus on Intrusion Detection (ID) and other systems that provide activity logs. These software products range in sophistication from utilities that simply log network activities to intrusion detection systems (IDSs) which capture IA/ID domain expertise in thousands of rules. Responses from these ID products may be, for example, to alert a system administrator, trigger automated system shutdowns or reconfigurations, or cue more intensive data collection. Automated responses against possible computer network attacks are currently limited, false alarm rates are high, and extensive manual intervention is required to assess possible attacks on computer networks.
Research in the area of IA has concentrated on detecting computer network attack activity and determining responses at the system or local network level. Current computer network security software products, such as, for example, the Automated Intrusion Detection Environment (AIDE) developed by the United States Air Force Research Laboratory, perform “low-level” intrusion detection by answering questions such as, for example, “Is this activity a port scan?” or “Are these illegal logins?” However, these computer network security software products do not characterize the computer network attack. Current IA software products do not perform “high-level” attack assessment by asking questions such as, for example, “What type of attacker are we dealing with?” or “What is the objective of the attacker?” Rather, a system administrator typically looks at the data collected at numerous sites to detect a coordinated attack.
Computer network security devices, such as IDSs, can generate huge amounts of data. Detecting a coordinated attack can become difficult if the system administrator has to digest reports from numerous IDSs at numerous sites. As a consequence, large amounts of data generated by these computer network security devices are frequently not analyzed. Even when detecting attacks on a local network, computer network security software products are often configured to defer “high-level” analysis to the system administrator. Such a process is inefficient and cannot support a real-time attack assessment and response. In addition, the network security analyst needs a capability to fuse the outputs from different computer network security devices to make these high-level assessments about host or network attack activity to generate appropriate responses.
It would be desirable to provide a system and method that provide a high-level assessment of the nature and objectives of attacks on computer networks using outputs from computer network security devices to automatically characterize routine attacks, to reduce the amount of manual intervention required to assess possible attacks on computer networks, to assess the vulnerability and security state of the network, and to allow operators to focus on novel or sophisticated computer attacks.
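As an added illustration of the fusion described above (not code from the patent), the following constructs a minimal Bayesian network in which low-level detector outputs such as “port scan” and “illegal login” from several security devices are combined into a posterior over the attacker's high-level objective. The network structure, the objective states, and every probability are assumptions chosen for the example.

```python
# Constructed example: a small Bayesian network that fuses low-level IDS
# alerts into a high-level assessment of the attacker's objective.
# Structure: one hypothesis node (objective) with each alert node as a child,
# i.e. alerts are conditionally independent given the objective.
# All probabilities are illustrative assumptions, not values from the patent.

OBJECTIVES = ("none", "recon", "intrusion")
PRIOR = {"none": 0.90, "recon": 0.07, "intrusion": 0.03}   # P(objective)

# P(alert fires | objective) for each low-level detector output.
LIKELIHOOD = {
    "port_scan":     {"none": 0.03, "recon": 0.80, "intrusion": 0.50},
    "illegal_login": {"none": 0.02, "recon": 0.10, "intrusion": 0.70},
}

# Constructed alert records as several devices at several sites might report them.
SAMPLE_RECORDS = [
    {"site": "siteA", "device": "ids-1", "alert": "port_scan"},
    {"site": "siteB", "device": "ids-7", "alert": "port_scan"},
    {"site": "siteB", "device": "auth-log", "alert": "illegal_login"},
]


def fuse(records):
    """Collapse alert records from many devices into one evidence assignment.

    An alert node is set to True if any device reported it; alerts the
    network does not model are ignored.
    """
    evidence = {alert: False for alert in LIKELIHOOD}
    for rec in records:
        if rec["alert"] in evidence:
            evidence[rec["alert"]] = True
    return evidence


def posterior(evidence):
    """Return P(objective | evidence) by exact enumeration over the hypothesis node."""
    unnormalized = {}
    for obj in OBJECTIVES:
        p = PRIOR[obj]
        for alert, observed in evidence.items():
            p_fire = LIKELIHOOD[alert][obj]
            p *= p_fire if observed else (1.0 - p_fire)
        unnormalized[obj] = p
    total = sum(unnormalized.values())
    return {obj: p / total for obj, p in unnormalized.items()}


def assess(records, threshold=0.5):
    """High-level assessment: the most probable objective, or 'uncertain' below threshold."""
    post = posterior(fuse(records))
    best = max(post, key=post.get)
    return best if post[best] >= threshold else "uncertain"
```

Note that an isolated illegal-login alert still yields "none" under these priors, which is the false-alarm behaviour the background text motivates; lowering the prior on "none" or adding corroborating alert nodes shifts that decision.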