The present invention relates generally to intrusion detection for a computer system. More particularly, the invention is a computer-implemented intrusion detection system and method that monitors a computer system for activity indicative of attempted or actual access by unauthorized persons or computers.
Because of the increasing reliance on Internet, Intranet and extranet network computer access, intrusion into computer systems by unauthorized users is a growing problem. An intrusion is unauthorized access or attempted access into or unauthorized activity in a computer or information system. Intrusion detection technologies are therefore becoming extremely important to improve the overall security of computer systems. Intrusion detection is the process of identifying that an intrusion has been attempted, is occurring or has occurred.
In most intrusion detection systems, data may be automatically collected and reduced but the analysis of that data usually remains manual. Profiling and pattern recognition techniques also have been used to analyze the data collected and presented to an intrusion detection system. The off-line analysis involves determining normal behavior for a user, application or system. The normal behavior is then used to develop sets of rules. Significant deviations from the rules, referred to as anomalous behavior, may then be flagged as potential intrusions. Some intrusion detection systems, based on anomaly detection techniques, look for statistically anomalous behavior, that is, behavior that appears unusual when compared to other user behavior. One drawback of anomaly detection systems is that they are prone to both false positive and false negative alerts because the rules are general in nature and not specific for the behavior of each user. False positives occur when the intrusion detection system identifies an event as an intrusion when none has occurred. False positives may divert the attention and time of the system administrator and security staff and if frequent enough, may cause a lack of confidence in the intrusion detection system. False negatives are instances where the intrusion detection system fails to detect an intrusion while it is occurring or after it has occurred. The result may be slow or no response to the intrusion that can result in financial loss and system damage. False negatives often occur because the models used to profile the anomalous behavior do not adequately predict the intruder behavior and its result within the computer system.
Some intrusion detection systems use expert systems, which are driven from an encoded rule base to monitor policy compliance. The expert system applies the rules to assure all users are operating within their privileged rights. Even in the expert system, the encoded rules are usually generated by profiling the anomalous behavior and then building a rule based system. This means that the expert system intrusion detection system at present suffers from the same problems such as false positives and false negatives as the anomalous detection systems. Other systems have passive monitor functions that continually analyze data presented to them. They are similar to antivirus functions in that they can only detect what has been defined to them. Another type of intrusion detection system is a scanner. Unlike other intrusion detection tools that report when a threshold has been exceeded, scanners actively attempt to find security holes (called vulnerabilities) and unauthorized hardware and software.
The above mentioned intrusion detection methods have many drawbacks. One is that the systems can only detect and monitor what has been previously defined to them, either using expert system rules or rules developed through data collection reduction and analysis or through profiling. This can result in false negatives because unknown attacks have not been previously defined. In addition, most systems only analyze and develop profiles and patterns after the fact. These profiles and patterns of behavior are subsequently incorporated into rule-based systems to recognize future attacks. Even in those instances where alerts are issued in near real-time, valuable time and the intruder""s trail can be lost. In addition, many of these systems require human intervention, both in the initial analysis of data and profile and pattern recognition building steps and when an anomalous event has occurred, to determine the action to be taken. Relying on human intervention can delay the identification of the intrusion and may not prevent network damage or exploitation.
To be able to detect intrusions as they are occurring or soon after, there is a need for the intrusion detection system to be a real-time system. There is a need to automatically build profiling data specific for each user or class of users that can be used to determine normal actions for a user to reduce the occurrence of false alarms and to improve detection. There is a need for a system that can detect suspicious actions, determine the source and institute autonomous responses. There is also a need for the intrusion detection system to take automatic action, without waiting for a human administrator to intervene and act, to mitigate the effects of an intrusion and to prevent future actions. There is also a need to coordinate information transfer within host, multi-host and network environments so responses to intrusions can be coordinated. In addition, there is a need to combine the above listed capabilities with real-time monitoring of log audit files, port scan detection capability and session monitoring.
The present invention provides a real-time intrusion detection method and system. The intrusion detection system automatically and dynamically builds user profile data (known as a signature) for each user (or alternatively, a class of users) that can be used to determine normal actions for each user to reduce the occurrence of false alarms and to improve detection. The user profile data (signature) is saved and updated every time the user logs on and off the system. The advantage of dynamically building user profile data based on past user behavior and comparing it to that user""s current behavior is that the number of false alarms is reduced. In addition, there is no need to enter sets of rules prior to system initialization. The system detects suspicious actions, determines the source and institutes autonomous responses. The system acts to mitigate the effects of an intrusion and to prevent future actions without waiting for human action. The automatic actions to be taken can be specified by the system administrator prior to initialization of the system. The automatic actions can be tailored to address the specific anomaly detected by the intrusion detection system. For example, through a local or system controller, the system can log the events, disable user accounts and block access to the system. In one embodiment, the system coordinates information transfer within host, multi-host and network environments to coordinate intrusion response. The system combines the above listed capabilities with real-time monitoring of log audit files, port scan detection capability and session monitoring. Throughout this document, use of the terms dynamic or dynamically in relation to a process means that the process is operating in real-time or close to real-time.