Patent Grant
7886357
This invention relates generally to intrusion detection and more particularly to a method and system for reducing the false alarm rate of network intrusion detection systems.
Network Intrusion Detection Systems (“NIDS”) are typically designed to monitor network activity in real-time to spot suspicious or known malicious activity and to report these findings to the appropriate personnel. By keeping watch on all activity, NIDS have the potential to warn about computer intrusions relatively quickly and allow administrators time to protect or contain intrusions, or allow the NIDS to react and stop the attack automatically. In the security industry, a NIDS may either be a passive observer of the traffic or an active network component that reacts to block attacks in real-time.
Because NIDS are passive observers of the network traffic, they often lack certain knowledge of the attacking and defending host that makes it impossible to determine if an attack is successful or unsuccessful. Much like an eavesdropper overhearing a conversation between two strangers, NIDS very often lack knowledge of the context of the attack and, therefore, “alarm” on network activity that may not be hostile or relevant.
Some systems attempt to address this problem by building a static map of the network they are monitoring. This knowledge is usually built by scanning all the systems on the network and saving the result to a database for later retrieval. This system is inadequate for most networks because the topology, types, and locations of network devices constantly change and requires the administrator to maintain a static database. Additionally, the stress of constantly scanning and keeping the network databases up to date is very intensive and may often slow down or cause network services to stop functioning.
According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.
Some embodiments of the invention provide numerous technical advantages. Other embodiments may realize some, none, or all of these advantages. For example, according to one embodiment, the false alarm rate of network intrusion detection systems (“NIDS”) is substantially reduced or eliminated, which leads to a lower requirement of personnel monitoring of NIDS to respond to every alarm. A lower false alarm rate is facilitated even though knowledge of the entire protected network is not required. Because knowledge of the network is not required, hosts may be dynamically added to the network. According to another embodiment, critical attacks on a network are escalated and costly intrusions are remediated.
Other advantages may be readily ascertainable by those skilled in the art from the following figures, description, and claims.
For a more complete understanding of the present invention and the advantages thereof, reference is now made to the following description taken in conjunction with the accompanying drawings, wherein like reference numbers represent like parts, and which:
Embodiments of the invention are best understood by referring to
Unprotected network 102 may be any suitable network external to protected network 104. An example of unprotected network 102 is the Internet. Protected network 104 may be any suitable network, such as a local area network, wide area network, virtual private network, or any other suitable network desired to be secure from unprotected network 102. Link 106 couples unprotected network 102 to protected network 104 and may be any suitable communications link or channel. In one embodiment, communications link 106 is operable to transmit data in “packets” between unprotected network 102 and protected network 104; however, communications link 106 may be operable to transmit data in other suitable forms.
In one embodiment, NIDS 108 is any suitable network-based intrusion detection system operable to analyze data packets transmitted over communications link 106 in order to detect any potential attacks on protected network 104. NIDS 108 may be any suitable combination of hardware, firmware, and/or software. Typically, NIDS 108 includes one or more sensors having the ability to monitor any suitable type of network having any suitable data link protocol. In a particular embodiment, the sensors associated with NIDS 108 are operable to examine data packets on an IP (“Internet Protocol”) network using any suitable protocol, such as TCP (“Transmission Controlled Protocol”), UDP (“User Datagram Protocol”), and ICMP (“Internet Controlled Message Protocol”). Upon detection of a possible attack on protected network 104, NIDS 108 is operable to generate an alarm indicating that an attack on protected network 104 may have occurred and may block the attack outright. This alarm is then transmitted to passive analysis tool 110 for analysis as described below.
According to the teachings of one embodiment of the present invention, passive analysis tool 110 receives an alarm from NIDS 108 and, using the information associated with the alarm, determines if an attack is real or a false alarm. Passive analysis tool 110 significantly lowers the false alarm rate for network intrusion detection systems, such as NIDS 108, in the network environment and lowers the requirement of personnel, such as network administrator 112, monitoring these systems to respond to every alarm. Details of passive analysis tool 110 are described in greater detail below in conjunction with
Network administrator 112 may be any suitable personnel that utilizes passive analysis tool 110 in order to monitor potential attacks on protected network 104 and respond thereto, if appropriate. Network administrator 112 typically has passive analysis tool 110 residing on his or her computer in order to receive filtered alarms from passive analysis tool, as denoted by reference numeral 114.
Alarm input layer 202 is generally responsible for accepting the alarm from NIDS 108 and passing it to other system components for analysis. In one embodiment, alarm input layer 202 accepts the alarm from NIDS 108 and determines if the alarm format is valid. If the alarm format is invalid, then the alarm is disregarded. If the alarm format is valid, then the alarm is sent to alarm interpretation layer 204. Alarm input layer 202 is preferably designed to be NIDS vendor independent so that it may accept alarms from multiple NIDS sources concurrently with no modification.
Generally, alarm interpretation layer 204 receives the alarm from alarm input layer 202 and performs an analysis on the alarm. In one embodiment, alarm interpretation layer 204 determines whether the alarm is from a supported NIDS vendor. If the alarm is not from a supported NIDS vendor, an alert is generated and the alarm is disregarded. If the alarm is from a supported NIDS vendor, then alarm interpretation layer 204 is responsible for determining the NIDS vendor alarm type, relevant operating system type being attacked (e.g., Microsoft Windows, Sun Solaris, Linux, UNIX, etc.), the source address, target network address, the alarm severity, the alarm description, and any other suitable parameters associated with the alarm. Some of this information is used by passive analysis 110 to test if the alarm is real or false, as described in more detail below in conjunction with
Target cache look-up 206 indicates that a look-up is performed by passive analysis tool 110 in order to determine if the target host has already been checked for the particular attack indicated by the alarm. The lookup may be performed in any suitable storage location, such as a local state table or database.
OS fingerprinting mechanism 208 performs a passive analysis of the target host to determine the operating system type of the target host. Briefly, in one embodiment, passive analysis tool 110 sends Internet Protocol (“IP”) packets at the target host with special combinations of protocol flags, options, and other suitable information in the header in order to ascertain the operating system vendor and version number. Operating system fingerprinting is well known in the industry and, hence, is not described in detail herein. An advantage of this type of OS fingerprinting is that it requires no internal access to the target host other than remote network connectivity. OS fingerprinting mechanism 208 may build an operating system type within seconds of execution and stores this information in a suitable storage location for later retrieval and use.
Port fingerprinting mechanism 210 functions to identify a target port address stored in a suitable storage location when a host is added or deleted dynamically. Port fingerprinting mechanism 210 works in conjunction with OS fingerprinting mechanism 208 to determine, for example, if an attacked port on a target host is active or inactive. This allows passive analysis tool 110 to quickly determine an attack could work. For example, an attack against TCP port 80 on a target host may be proven to have failed by checking the target host to see if port 80 is active to begin with.
Alarm output layer 212 is responsible for taking the analyzed data from passive analysis tool 110 and either escalating or de-escalating the alarm. In other words, alarm output layer 212 functions to report a valid alarm; i.e., that a particular target host is vulnerable to an attack. A valid alarm may be reported in any suitable manner, such as a graphical user interface, a log file, storing in a database, or any other suitable output.
Additional description of the details of the functions of passive analysis tool 110, according to one embodiment of the invention, are described below in conjunction with
Accordingly, at decisional step 306, it is determined whether the target address has been found in the system cache. If the target address is found, then at decisional step 308, it is determined whether the cache entry time is still valid. In other words, if a particular target host was checked for a particular type of attack within a recent time period, then this information is stored temporarily in the system cache. Although any suitable time period may be used to store this information, in one embodiment, the information is stored for no more than one hour. If the cache entry time is still valid, then the method continues at step 310 where the OS fingerprint of the target host is received by passive analysis tool 110.
Referring back to decisional steps 306 and 308, if the target address is not found in the system cache or if the cache entry time is invalid for a particular target address that is found in the system cache, then the operating system fingerprint of the target host is obtained by passive analysis tool 110 using any suitable OS fingerprinting technique, as denoted by step 312. The operating system fingerprint is then stored in the system cache at step 314. The method then continues at step 310 where the operating system fingerprint of the target host is received.
The attack type and the operating system type of the target host are compared at step 316 by passive analysis tool 110. At decisional step 318, it is determined whether the operating system type of the target host matches the attack type. If there is a match, then a confirmed alarm is reported by step 320. If there is no match, then a false alarm is indicated, as denoted by step 322. For example, if the attack type is for a Windows system and the operating system fingerprint shows a Windows host, then the alarm is confirmed. However, if the attack type is for a Windows system and the operating system fingerprint shows a UNIX host, then this indicates a false alarm. This then ends the example method outlined in
Although the method outlined in
Thus, passive analysis tool 110 is intelligent filtering technology that screens out potential false alarms while not requiring knowledge of the entire protected network 104. Alarm inputs are received from a deployed NIDS, such as NIDS 108, and analyzed to determine if an attack is real or a false alarm. This is accomplished even though agents are not required to be installed on each computing device of the protected network 104.
If a lease expire is detected by passive analysis tool 110, then the system cache is accessed, as denoted by step 406. At decisional step 408, it is determined whether the target address associated with the lease expire is found in the system cache. If the target address is found in the system cache, then the entry is purged, at step 410, from the system cache. Passive analysis tool 110 then continues to monitor the DHCP server. If a target address is not found in the system cache, then the lease expire is disregarded, as denoted by step 412. Passive analysis tool 110 continues to monitor the DHCP server.
Referring back to decisional step 404, if a lease issue has been detected, then the system cache is accessed, as denoted by step 414. At decisional step 416, it is determined whether the target address associated with the lease issue is found in the system cache. If the target address is found, then the entry is purged, at step 418. If the target address is not found in the system cache, then the method continues at step 420, as described below.
At step 420, the operating system fingerprint of a target host is obtained at step 420. The operating system fingerprint is stored in the system cache, as denoted by step 422 for a particular time period. Passive analysis tool 110 then continues to monitor DHCP server.
The method outlined in
Although the present invention is described with several example embodiments, various changes and modifications may be suggested to one skilled in the art. The present invention intends to encompass those changes and modifications as they fall within the scope of the claims.
This application claims the benefit of Ser. No. 60/319,159, entitled “A System and Method for Reducing the False Alarm Rate of Network Intrusion Detection Systems,” filed provisionally on Mar. 29, 2002.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5727152 | Coolegem et al. | Mar 1998 | A |
| 5919257 | Trostle | Jul 1999 | A |
| 5961644 | Kurtzberg et al. | Oct 1999 | A |
| 5991881 | Conklin et al. | Nov 1999 | A |
| 6070244 | Orchier et al. | May 2000 | A |
| 6134664 | Walker | Oct 2000 | A |
| 6148407 | Aucsmith | Nov 2000 | A |
| 6182223 | Rawson | Jan 2001 | B1 |
| 6275942 | Bernhard et al. | Aug 2001 | B1 |
| 6279113 | Vaidya | Aug 2001 | B1 |
| 6282546 | Gleichauf et al. | Aug 2001 | B1 |
| 6301668 | Gleichauf et al. | Oct 2001 | B1 |
| 6405318 | Rowland | Jun 2002 | B1 |
| 6408391 | Huff et al. | Jun 2002 | B1 |
| 6415321 | Gleichauf et al. | Jul 2002 | B1 |
| 6460141 | Olden | Oct 2002 | B1 |
| 6477651 | Teal | Nov 2002 | B1 |
| 6513122 | Magdych et al. | Jan 2003 | B1 |
| 6647400 | Moran | Nov 2003 | B1 |
| 6714513 | Joiner et al. | Mar 2004 | B1 |
| 6725377 | Kouznetsov | Apr 2004 | B1 |
| 6785821 | Teal | Aug 2004 | B1 |
| 6839850 | Campbell et al. | Jan 2005 | B1 |
| 6941467 | Judge et al. | Sep 2005 | B2 |
| 6950845 | Givoly | Sep 2005 | B2 |
| 6957348 | Flowers et al. | Oct 2005 | B1 |
| 6990591 | Pearson | Jan 2006 | B1 |
| 7058968 | Rowland et al. | Jun 2006 | B2 |
| 7073198 | Flowers et al. | Jul 2006 | B1 |
| 7152105 | McClure et al. | Dec 2006 | B2 |
| 7162649 | Ide et al. | Jan 2007 | B1 |
| 7197762 | Tarquini | Mar 2007 | B2 |
| 7200866 | Kim et al. | Apr 2007 | B2 |
| 7237264 | Graham et al. | Jun 2007 | B1 |
| 7444679 | Tarquini et al. | Oct 2008 | B2 |
| 20020052876 | Waters | May 2002 | A1 |
| 20020087882 | Schneier et al. | Jul 2002 | A1 |
| 20030056116 | Bunker et al. | Mar 2003 | A1 |
| 20030196123 | Rowland et al. | Oct 2003 | A1 |
| Number | Date | Country |
|---|---|---|
| 2003243253 | Apr 2010 | AU |
| 2 484 461 | Nov 2003 | CA |
| ZL038103931 | Oct 2008 | CN |
| 985 995 | Mar 2000 | EP |
| 1 504 323 | Dec 2009 | EP |
| WO 9957625 | Nov 1999 | WO |
| WO 0054458 | Sep 2000 | WO |
| WO 0070464 | Nov 2000 | WO |
| WO 0184270 | Nov 2001 | WO |
| WO 0219077 | Mar 2002 | WO |
| WO 03084181 | Oct 2003 | WO |
| 2003098413 | Nov 2003 | WO |
| WO 2005109824 | Nov 2005 | WO |
| WO 20060082380 | Aug 2006 | WO |
| WO 2007122495 | Nov 2007 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20030212910 A1 | Nov 2003 | US |
| Number | Date | Country | |
|---|---|---|---|
| 60319159 | Mar 2002 | US |
