1. Field of the Disclosure
The present disclosure is directed generally to network flow and, more particularly, to a system and method for rule-based anomaly detection on IP network flow.
2. Description of the Related Art
Detecting unwanted traffic is a crucial task in managing data communications networks. Detecting network attack traffic and detecting non-attack traffic that violates network policy are two key applications. Many types of unwanted traffic can be identified by rules that match known signatures. Rules may match on a packet's header, its payload, or both. The 2003 Slammer Worm, described in D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, “Inside the slammer worm,” IEEE Security and Privacy, vol. 1, no. 4, pp. 33-39, 2003, which exploited a buffer overflow vulnerability in Microsoft SQL Server, was matchable to a signature comprising both packet header fields and payload patterns.
Packet inspection can be carried out directly in routers, or in ancillary devices observing network traffic (e.g., on an interface attached to the network through a passive optical splitter). Special-purpose devices of this type are available from vendors, often equipped with proprietary software and rules. Alternative software systems, such as Snort (available at http://www.snort.org), can run on a general-purpose computer, with a language for specifying rules created by the user or borrowed from a community source.
In any of the above models, a major challenge for comprehensive deployment over a large network, such as a Tier-1 ISP, is the combination of network scale and high-capacity network links. Packet inspection at the network edge involves deploying monitoring capability at a large number of network interfaces (access speeds from OC-3 to OC-48 are common). Monitoring in the network core is challenging since traffic is concentrated through higher-speed interfaces (OC-768 links are increasingly being deployed). Wherever the traffic is monitored, many hundreds of rules may need to be operated concurrently. Whereas fixed-offset matching is computationally cheap and has known costs, execution of more complex queries may hit computational bandwidth constraints. Even when inspection is operated as a router feature, there may be large licensing costs associated with its widespread deployment.