1. Technical Field
The present disclosure relates to intrusion detection and, more specifically, to intrusion detection with automatic signature generation.
2. Description of the Related Art
In today's highly computer dependant environment, computer security is a major concern. The security of computer networks is routinely threatened by computer viruses, Trojan horses, worms and the like. Once computer networks are infected with these malicious programs, the malicious programs may have the ability to damage expensive computer hardware, destroy valuable data, tie up limited computing resources or compromise the security of sensitive information.
Worms can be particularly catastrophic forms of malicious programs. Worms can infect a computer network and quickly commandeer network resources to aid in the worm's further propagation. After a worm has infected computers and computer networks a destructive payload can then be delivered. Destructive payloads can have many harmful consequences, for example, valuable hardware and/or data can be destroyed, sensitive information can be compromised and network security measures can be circumvented.
As a result of quick propagation, new worms can travel fast and quickly become a threat to computers and computer networks around the world.
To guard against the risk of malicious programs such as worms, businesses may often employ antivirus programs, intrusion detection systems and intrusion protection systems. Antivirus programs are computer programs that can scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection. IDSs may be either active or passive. Active IDSs may take affirmative measures to remedy a potential infection when found while passive IDSs may be used to alert a network administrator of the potential problem.
IDSs often attempt to identify the presence of network infection by analyzing packets of data that are communicated over the network. Packets are generally examined and compared with signatures of known malicious programs. When a signature matches a packet, the packet may be indicative of a malicious program infection.
IDSs that rely on signatures for the detection of malicious programs must regularly receive and install updated signatures corresponding newly discovered malicious programs. If no signature has been received and installed for a particular malicious program, the IDS might not be able to identify the malicious program.
Modern malicious programs such as worms are able to spread very quickly from computer network to computer network throughout the world. Unfortunately, they can spread so quickly that they can infect many networks before a signature for detecting the malicious program can be developed, distributed and installed.
An IDS is needed that can detect the presence of previously unknown malicious programs and automatically generate an effective signature that can be used by the IDS to protect the network against the malicious program.