Computer system security issues have become extremely important as more and more computers are connected to networks, like the Internet. Attacks on computer systems have become increasingly sophisticated due to the evolution of new hacker tools.
In response to more sophisticated attacks, new intrusion detection systems (IDS) are being developed and deployed to monitor and prevent attempts to intrude into computer networks. Intrusion detection systems attempt to identify unauthorized or malicious attempts against a computer system or network of computer systems. An IDS may comprise one or more event generation mechanisms that report identifiable events to one or more management facilities. A countermeasure mechanism may also be included within the IDS for executing an action intended to thwart or negate a detected event.
Applications, including hostile attack applications, that transmit data across a network medium will often have a distinctive signature within the transmitted data. The signature may comprise recognizable data that is contained within one or more packets. Signature analysis is often performed by the IDS. A signature analysis algorithm may search for a particular string that has been identified as associated with a hostile application. Once the string is identified within a network data stream, the one or more packets carrying the string may be identified as ‘hostile’ or exploitative, and the IDS may then perform any one or more of a number of actions, such as logging the identification of the string, performing a countermeasure, or simply ignoring the string.
In general, an IDS will scan received packets for an occurrence of a given signature included within a plurality of known attack signatures. Because the signature analysis is performed in real time, that is, as the packets are received, performance is critical: positive identifications may require proactive actions on the part of the IDS.
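The following added example (not part of the original text) sketches one way to scan a stream for many signatures in a single pass, including a signature carried by more than one packet. It uses the Aho-Corasick algorithm, which the text does not name; the class and function names, signatures and payloads are constructed for illustration, and packets are assumed to belong to one stream and arrive in order.

```python
from collections import deque

class SignatureScanner:
    """Aho-Corasick automaton: each byte is examined once for all signatures."""
    def __init__(self, signatures):
        self.goto = [{}]   # per-state byte transitions
        self.fail = [0]    # per-state fallback link
        self.out = [[]]    # signatures ending at each state
        for sig in signatures:
            state = 0
            for byte in sig:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append(sig)
        queue = deque(self.goto[0].values())
        while queue:  # breadth-first pass builds the fallback links
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(byte, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)
        self.state = 0  # match state is kept between packets of the stream

    def scan(self, packet_no, payload):
        """Return [(packet_no, end_offset, signature)] for one received packet."""
        hits = []
        for offset, byte in enumerate(payload):
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            hits += [(packet_no, offset, sig) for sig in self.out[self.state]]
        return hits

SIGNATURES = [b"EXAMPLE-SIG-A", b"SIG-AB"]                  # constructed placeholders
PACKETS = [b"GET /index.html", b"xxEXAMPLE-S", b"IG-ABzz"]  # constructed payloads

def scan_stream(signatures, packets):
    scanner = SignatureScanner(signatures)
    return [hit for no, p in enumerate(packets) for hit in scanner.scan(no, p)]

if __name__ == "__main__":
    print(scan_stream(SIGNATURES, PACKETS))
```

Both constructed signatures are split across the second and third packets, so a scanner that resets its state for every packet reports nothing, while the stream-aware scan reports both in the packet where each one completes.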