1. Field of the Invention
The invention relates to the field of methods and systems for protecting computer networks and is more particularly, but not by way of limitation, directed to decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems.
2. Description of the Related Art
Computer networks typically interface with the Internet or other public computer systems and are thus vulnerable to attacks, unwanted intrusions and unauthorized access. One threat to networks is the so-called zero-day attack that exploits security vulnerabilities unknown to the system operators.
Conventional network security systems include a firewall that generally prevents unauthorized access to the network or its computers. Conventional systems also include intrusion detection systems (IDS) and intrusion prevention systems (IPS) that typically contain a library of signatures of malware payloads, which enable them to detect those defined exploits attempting to access production systems. When a connection is attempted to a network port, the IDS or IPS examines the low-level IP data packets and compares them to its library of signatures for a match. When a match is identified the IDS or IPS provides notification of the match.
The problem lies in the static nature of the conventional IDS and IPS signatures coupled with the ability of determined attackers to launch new undefined or zero-day automated attacks to gain access to the network. While an intrusion prevention system (IPS) equipped with behavioral signatures providing the ability to capture behavioral patterns offers a higher level of protection, these have similar drawbacks in that behavioral signatures are still static in nature and limited in their ability to stop zero-day attacks.
Still another type of network security systems utilizes a honeynet arrangement to attract and then trap a suspected attacker. A honeynet is made up of two or more honeypots on a network. Such measures typically are made up of a computer, data or network site that appears to be part of the network and appears to be one or more valuable targets, but which is actually an isolated component located away from production networks. These are typically passive measures effective against spammers and other low-level attacks. Such systems typically run emulated operating systems and services and are generally not useful against sophisticated attackers who can detect and effectively avoid the honeynet, never unloading their zero-day attack or payload for the honeynet to capture and analyze. Also, if the conventional honeynet configuration is not sufficiently separated from the network system, an attacker can use the honeynet to gain access to the network. Examples of emulated or software based honeypots include “honeyd” which is a GPL licensed daemon that is utilized to simulate network structures. Another example of emulated software based honeypots include “mwcollect” and “nepenthes” which are also released under the GPL license and which are utilized to collect malware. The “mwcollect” and “nepenthes” packages extract information on obtaining the malware binaries from the exploit payload.
Because each of the problems and limitations discussed above exist in the prior art devices and systems, there is a need for methods and systems that adequately protect networks from new and undefined attacks and that allow for real-time updates to a network's library of attack signatures.