Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
Filed: 1998-12-29
Issued: 2001-10-09
Examiner: Heckler, Thomas M. (Department: 2182)
Status: active
Patent number: 06301668
ABSTRACT:
TECHNICAL FIELD OF THE INVENTION
The present invention relates in general to computer network security and, more particularly, to a method and system for adaptive network security using network vulnerability assessment.
BACKGROUND OF THE INVENTION
Network security products such as intrusion detection systems (ID systems) and firewalls can use a passive filtering technique to detect policy violations and patterns of misuse on the networks to which the security products are coupled. The passive filtering technique usually comprises monitoring the network for packets of data. A signature analysis or pattern matching algorithm is applied to the packets, wherein the packets are compared to "attack signatures", that is, signatures of known policy violations or patterns of misuse.
In order to properly detect policy violations and patterns of misuse, security products often must place the packets of data in contexts relevant to such connection criteria as space, time, and event. Space is usually defined in terms of a source-destination connection at the port level. Time is defined as the amount of time to continue associating packets for the type of connection defined by the source-destination connection. Event is defined as a type of connection, which in turn defines the types of policy and misuse signatures that can occur with each packet. As the size of a network expands, there are greater numbers of connections, which leads to greater numbers of lookups and comparisons that must be performed by the security product.
Two problems are associated with conventional security products. First, conventional security products have insufficient information to self-configure for reliable detection of policy violations and patterns of misuse. For example, a conventional security product has no mechanism to reliably ascertain information about the network to which it is coupled, so it cannot accurately predict the effect of a particular packet upon a destination device. Furthermore, a conventional security product has no mechanism to ascertain the network topology and thus cannot predict whether a certain packet will reach its intended destination. Such a lack of network information compromises the security product's ability to detect attacks such as insertion attacks, evasion attacks and denial of service attacks. Some of these problems with conventional security products are documented by Ptacek and Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," Secure Networks, Inc., January 1998.
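The insertion attack named above is the concrete case behind "cannot predict if a certain packet will reach its intended destination": an attacker sends chaff segments whose IP TTL expires before the target, so a sensor that reassembles everything it sees builds a different byte stream than the target does and the signature never matches. The following is an added example, not code from the patent or from Cisco; the segments, the signature, the four-hop distance and the idea that a scan engine supplies that hop count to the sensor are all constructed for illustration.

```python
"""Insertion attack against a first-wins stream reassembler, with and without
the hop count to the target.  Added example; hosts, hop count, signature and
segments are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes   # payload bytes
    ttl: int      # IP time-to-live as observed at the sensor


def reassemble(segments: Iterable[Segment],
               hops_to_target: Optional[int] = None) -> bytes:
    """Rebuild the byte stream the way a simple first-wins reassembler does.

    hops_to_target is the number of routers between the sensor and the
    destination host (hypothetically learned by a scan engine).  When it is
    known, a segment whose TTL cannot survive that many decrements is dropped:
    the target will never receive it, so the sensor must not credit it either.
    """
    stream = {}
    for seg in segments:
        if hops_to_target is not None and seg.ttl <= hops_to_target:
            continue  # expires in transit; invisible to the target
        for offset, byte in enumerate(seg.data):
            stream.setdefault(seg.seq + offset, byte)  # first arrival wins
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def detect(segments: Iterable[Segment], signature: bytes,
           hops_to_target: Optional[int] = None) -> bool:
    """Signature match over the reassembled stream."""
    return signature in reassemble(segments, hops_to_target)


# Constructed attacker traffic: the chaff segment at seq 2 carries a TTL of 2,
# which expires before reaching a target four hops beyond the sensor.
SIGNATURE = b"ATTACK"
HOPS_TO_TARGET = 4
ATTACKER_SEGMENTS = [
    Segment(seq=0, data=b"AT", ttl=64),
    Segment(seq=2, data=b"XYZ", ttl=2),    # inserted: sensor sees it, target does not
    Segment(seq=2, data=b"TACK", ttl=64),  # the bytes the target actually receives
]

if __name__ == "__main__":
    print("naive sensor sees :", reassemble(ATTACKER_SEGMENTS))
    print("target sees       :", reassemble(ATTACKER_SEGMENTS, HOPS_TO_TARGET))
    print("naive alert       :", detect(ATTACKER_SEGMENTS, SIGNATURE))
    print("topology-aware    :", detect(ATTACKER_SEGMENTS, SIGNATURE, HOPS_TO_TARGET))
```

The naive reassembly yields `ATXYZK` and misses the signature, while the hop-aware one yields `ATTACK`. The caveat is that the hop count has to be right: if the sensor overestimates the distance, it will discard genuine low-TTL segments that the target does receive, which turns the insertion problem into an evasion problem. That is why the background insists on discovering network information actively rather than taking it from a static, user-supplied configuration.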
A second problem associated with conventional security products results from the scarcity of processor and memory resources. Conventional security products may begin to drop packets and shut down certain tasks in an unpredictable fashion once the system depletes its memory or processor resources. As the size of a network grows, such a failure becomes more likely, because a greater number of connections on the network requires a greater number of lookups and comparisons by the security product. Additionally, an increase in the number and complexity of the types of misuse the security product is required to detect can further degrade performance. An increase in traffic flow further drains a security product's resources. As a result, conventional ID systems cannot operate effectively at high network bandwidth utilization.
Some conventional systems have attempted to achieve performance gains by decreasing the number of misuse signatures the security product monitors. Fewer signatures translate into fewer memory comparisons for each packet that flows through the security product. However, such a solution makes a network more vulnerable to attacks.
Other conventional systems rely on the user to enumerate the network information, such as the types of operating systems and applications running on the protected network. These systems then disable certain misuse signatures accordingly.
Such a conventional solution, however, introduces additional problems. For example, if the user provides an inaccurate assessment of the network, then incorrect signatures may be disabled, meaning that undetected policy violations and network attacks are possible. Additionally, networks are rarely stable environments and the addition or deletion of devices or services can make the original network information supplied by the user inaccurate.
A further disadvantage of such conventional security products is that they are not designed to function in an environment wherein the traffic exceeds their memory or processor capacity. Such conventional systems, when confronted with traffic that exceeds their capacity, may start dropping packets and degrade performance in an unpredictable fashion. This can lead to an unknown security posture or profile, which can leave a network more vulnerable to undetected attacks.
SUMMARY OF THE INVENTION
In accordance with the present invention, a method and system for adaptive network security using network vulnerability assessment is disclosed that provides significant advantages over conventional intrusion detection systems. According to one aspect of the present invention, a method for adaptive network security comprises directing a request onto a network. A response to the request is assessed to discover network information. A plurality of analysis tasks are prioritized based upon the network information. The plurality of analysis tasks are to be performed on monitored network data traffic in order to identify attacks upon the network.
According to another aspect of the present invention, a system for adaptive network security comprises a scan engine coupled to a network. The scan engine can direct a request onto the network and assess a response to the request to discover network information. A protocol engine is also coupled to the network. The protocol engine performs a plurality of protocol analyses on network data traffic to identify attacks upon the network. A signature engine is coupled to the network and compares the network data traffic to a plurality of attack signatures to identify attacks upon the network. A priority engine is coupled to the scan engine, the protocol engine, and the signature engine. The priority engine prioritizes the plurality of protocol analyses and the plurality of attack signatures based upon the network information.
According to another embodiment of the present invention, the priority engine can prioritize a plurality of system services based upon the network information.
It is a technical advantage of the present invention that it can more reliably detect policy violations and patterns of misuse because of the use of the network information.
It is another technical advantage of the present invention that it allows for the maintenance of a network map, which allows a greater range of misuse patterns to be detected.
It is a further technical advantage of the present invention that it allows for a reliable, predictable, and prioritized shutdown of analysis tasks in the event resources are depleted.
It is another technical advantage of the present invention that effective intrusion detection can be had at network speeds above 50 to 60 Mbps.
It is another technical advantage that the present invention provides for adaptive network security, as the invention can adapt to a changing network environment and recalibrate in order to maintain a sufficient level of network security.
Other technical advantages should be apparent to one of ordinary skill in the art in view of the specification, claims, and drawings.
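The summary describes a loop: scan the network, rank the protocol analyses and signatures by what the scan found, and, when resources run short, shut tasks down in that order rather than letting the sensor drop packets at random. The following is an added example sketching that priority engine, not code from the patent or from Cisco; the hosts, task names, per-task costs and the CPU budget are constructed, and the scoring rule (rank by how many discovered hosts a task can apply to) is one plausible choice, not the one the patent specifies.

```python
"""Priority engine sketch: rank analysis tasks by discovered network
information and shed the lowest-ranked ones when the CPU budget runs out.
Added example; hosts, tasks, costs and the budget are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class HostInfo:
    address: str
    os_family: str
    open_ports: frozenset


@dataclass(frozen=True)
class AnalysisTask:
    name: str
    os_family: Optional[str]  # None: applies regardless of OS
    port: Optional[int]       # None: applies to every service
    cost: int                 # relative CPU units per packet


# Constructed scan results (hypothetical addresses and fingerprints).
SCAN_RESULTS = [
    HostInfo("10.0.0.5", "linux", frozenset({22, 80})),
    HostInfo("10.0.0.6", "linux", frozenset({80, 443})),
    HostInfo("10.0.0.7", "windows", frozenset({139, 445})),
]

# Constructed signatures and protocol analyses with made-up costs.
TASKS = [
    AnalysisTask("http-cgi-traversal", None, 80, 3),
    AnalysisTask("smb-null-session", "windows", 445, 2),
    AnalysisTask("ssh-banner-probe", None, 22, 1),
    AnalysisTask("iis-unicode", "windows", 80, 2),
    AnalysisTask("ftp-site-exec", None, 21, 2),
    AnalysisTask("tcp-stream-reassembly", None, None, 4),
]


def task_applies(task: AnalysisTask, host: HostInfo) -> bool:
    os_ok = task.os_family is None or task.os_family == host.os_family
    port_ok = task.port is None or task.port in host.open_ports
    return os_ok and port_ok


def prioritize(tasks: Iterable[AnalysisTask],
               hosts: Iterable[HostInfo]) -> List[AnalysisTask]:
    """Order tasks by how many discovered hosts they can apply to.

    Ties go to the cheaper task, then to the name so the order is stable.
    Tasks that match no host are ranked last rather than deleted: the scan
    may be stale, and a later rescan can move them back up.
    """
    hosts = list(hosts)
    scored = [(sum(task_applies(t, h) for h in hosts), t) for t in tasks]
    scored.sort(key=lambda s: (-s[0], s[1].cost, s[1].name))
    return [t for _, t in scored]


def schedule(ranked: List[AnalysisTask], budget: int) -> Tuple[List[str], List[str]]:
    """Enable tasks in priority order until the budget is spent.

    Whatever does not fit is shed, and the shed list is returned so the
    operator knows exactly which checks are off, instead of the sensor
    dropping packets unpredictably under load.
    """
    enabled, shed, spent = [], [], 0
    for task in ranked:
        if spent + task.cost <= budget:
            enabled.append(task.name)
            spent += task.cost
        else:
            shed.append(task.name)
    return enabled, shed


if __name__ == "__main__":
    ranked = prioritize(TASKS, SCAN_RESULTS)
    enabled, shed = schedule(ranked, budget=10)
    print("enabled:", enabled)
    print("shed   :", shed)
    # A rescan that finds a new Windows host serving HTTP and FTP re-ranks the tasks.
    rescan = SCAN_RESULTS + [HostInfo("10.0.0.8", "windows", frozenset({21, 80}))]
    print("after rescan:", [t.name for t in prioritize(TASKS, rescan)])
```

With a budget of 10 the two tasks that match no discovered host (the FTP and IIS checks) are the ones shed, and the shed list is explicit. Re-running `prioritize` with the rescan results moves those same tasks up as soon as a matching host appears, which is the recalibration the last advantage above refers to; in a real sensor the rescan would be periodic, and the budget would come from measured packet-processing load rather than a constant.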
REFERENCES:
patent: 5032979 (1991-07-01), Hecht et al.
patent: 5101402 (1992-03-01), Chiu et al.
patent: 5278901 (1994-01-01), Shieh et al.
patent: 5341422 (1994-08-01), Blackledge, Jr. et al.
patent: 5414833 (1995-05-01), Hershey et al.
patent: 5448724 (1995-09-01), Hayashi
patent: 5488715 (1996-01-01), Wainwright
patent: 5524238 (1996-06-01), Miller et al.
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5606668 (1997-02-01),
Inventors: Gleichauf, Robert E.; Randall, William A.; Teal, Daniel M.; Waddell, Scott V.; Ziese, Kevin J.
Attorney, Agent or Firm: Baker & Botts L.L.P.
Assignee: Cisco Technology Inc.