(19) United States
(12) Patent Application Publication (10) Pub. No.: US 2004/0073800 A1
Shah et al. (43) Pub. Date: Apr. 15, 2004
(54) ADAPTIVE INTRUSION DETECTION SYSTEM
(76) Inventors: Paragi Shah, Conshohocken, PA (US);
Vikram Phatak, Lower Gwynedd, PA
(US); Robert Scipioni, Collegeville, PA
Schnader Harrison Segal & Lewis LLP
1600 Market Street
Philadelphia, PA 19711 (US)
(21) Appl. No.: 10/443,568
(22) Filed: May 22, 2003
Related U.S. Application Data
(60) Provisional application No. 60/357,957, filed on May 22, 2002.
[Drawing sheets 1 and 2 of 2 (US 2004/0073800 A1, Apr. 15, 2004): figures not reproduced]
ADAPTIVE INTRUSION DETECTION SYSTEM
 This application is based on, and claims priority to, provisional application serial No. 60/357,957, filed on May 22, 2002, and entitled An Adaptive Intrusion Detection System for a Computer Network.
BACKGROUND OF THE INVENTION
 1. Field of the Invention
 The present invention relates to an adaptive intrusion detection system for a computer system or network. More particularly, the present invention relates to an adaptive intrusion detection system for a computer network that is capable of recognizing both known and new types of computer attacks by learning from known types of attacks and past attacks against computer networks and automatically compensating for changes in the network that impact the vulnerability state and vulnerabilities of computers and hosts and the systems and services on the network.
 2. Description of the Prior Art
 Traditionally, securing sensitive systems and their information from being accessed by unwanted parties over a public system meant just that—controlling access. Unfortunately, the public nature of the Internet makes networks more easily vulnerable to attack by malevolent external entities, such as computer hackers, who create programs that launch computer attacks against networks, typically by attempting to circumvent or penetrate the network's firewall. Consequently, security is an issue of foremost concern for any organization utilizing a publicly accessible network, such as the Internet, to communicate. More and more sophisticated methods have been created to address the weaknesses of the systems before them. Access control is not enough.
 In response to the need for an added level of control over access to information, there has been a focus on monitoring the actual content of the data, or payload, flowing into and out of systems. The purpose of this monitoring is to detect intruders. Intrusion detection is a method of monitoring all access to systems, with the hope of identifying access with a malicious intent to exploit vulnerabilities of those systems. These exploits can be used as a vehicle to, among other things, gain access to information, or to deny authorized users the use of the system's resources. The intent of gathering this data by security personnel is either to learn of vulnerabilities a system possesses (which can then be used to remediate the situation), or to identify the source of the intrusion in the hope of denying further access. The data gathered from intrusion detection systems can also be used in an attempt to penalize the offender.
 Unfortunately, existing intrusion detection systems, used as a complement to access control, have not sufficiently addressed the problems. Monitoring all access to systems consumes valuable time and resources. It also requires a relatively high level of technical prowess to determine when an event of note has taken place. Many (if not most) times the responsible party reviewing the data misinterprets it or is unable to respond in a timely fashion. Clearly the prior art of intrusion detection is a useful tool, but a limited one.
 Controlling access to information is not reacting to events after they have occurred, but determining where systems and services are vulnerable before the access has taken place. Armed with this information, a solution can then become active in defending those resources.
 Network security hardware, software and/or firmware, such as firewalls and intrusion detectors and the like, are typically employed to monitor traffic across the computer network and to manage security. When an attack occurs, the event is generally logged and the network administrator may be alerted by the network security system, although generally after the damage to the network has occurred, if the network was vulnerable to the attack. In these conventional systems, the network administrator, sitting at a terminal, attempts to manually defend against attacks.
 These conventional security systems have significant drawbacks: a) they can only recognize a type of attack that they have been preprogrammed to detect, b) they cannot adapt to attack types using past types of attacks as a guide, c) the number of known (much less unknown) attack types against networks, numbering in the thousands, is great, while the number of attack types that can be successful against a particular network is relatively small, usually less than one hundred, and, without continuous significant manual adjustments to reflect the actual systems, services and vulnerabilities of a particular network, the security system cannot distinguish attack types that can be successful against a particular network, due to the vulnerabilities of the particular network, from attack types that cannot succeed against a particular network because the vulnerabilities to those attack types do not exist in the particular network, thus making it nearly impossible for a network administrator to respond in a timely manner to an attack type that can succeed against a particular network, and d) the security system cannot adjust to changes in the network without a network administrator's continuous review of a particular network's systems, services and related attack vulnerabilities, and subsequent continuous adjustment of the security system to reflect those changes. These systems have the significant disadvantage that if the security system does not properly identify an attack that, due to the particular network's vulnerabilities, can be successful, and, just as important, distinguish that attack from the multitude of attacks that will not be successful, then critical portions of the network can be penetrated or damaged before the administrator can recognize that a successful attack has occurred.
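The drawback described in c) above, and the correlation step that addresses it, can be illustrated with the following added example (this is editorial illustration code, not an implementation from the patent or its inventors). It assumes a signature database keyed by signature id, an inventory of hosts with the vulnerability ids present on each service, and alerts that name a signature and a destination host; all ids and addresses are constructed. Only signatures whose target vulnerability actually exists on the network are treated as relevant, and the relevant set is re-derived when a host is patched, which is the "automatic adjustment to changes in the network" the text calls for.

```python
def present_vulnerabilities(hosts):
    """Map vuln id -> hosts carrying it, from a host -> {service: vuln ids} inventory."""
    present = {}
    for addr, services in hosts.items():
        for vulns in services.values():
            for v in vulns:
                present.setdefault(v, set()).add(addr)
    return present

def relevant_signatures(signatures, hosts):
    """Keep only signatures whose target vulnerability exists somewhere on the
    network; the value is the set of hosts the attack type could succeed against."""
    present = present_vulnerabilities(hosts)
    relevant = {}
    for sig_id, exploits in signatures.items():
        targets = set().union(*(present.get(v, set()) for v in exploits))
        if targets:
            relevant[sig_id] = targets
    return relevant

def triage(alert, relevant):
    """'relevant' only if the signature fired against a host that is actually
    vulnerable to it; otherwise 'informational' (logged, not escalated)."""
    return "relevant" if alert["dst"] in relevant.get(alert["sig_id"], set()) else "informational"

# Constructed sample data; signature and vulnerability ids are hypothetical, not from the patent.
SIGNATURES = {
    "SIG-FTP": frozenset({"VULN-FTP-1"}),   # attack type exploiting an ftp daemon flaw
    "SIG-WEB": frozenset({"VULN-WEB-7"}),   # attack type exploiting a web server flaw
    "SIG-RPC": frozenset({"VULN-RPC-3"}),   # attack type exploiting an rpc flaw
}
HOSTS = {
    "10.0.0.5": {"ftp": {"VULN-FTP-1"}},
    "10.0.0.9": {"http": {"VULN-WEB-7"}, "ftp": set()},   # ftp present but patched
}
ALERTS = [
    {"sig_id": "SIG-FTP", "dst": "10.0.0.5"},  # vulnerable ftp host: relevant
    {"sig_id": "SIG-FTP", "dst": "10.0.0.9"},  # patched ftp host: informational
    {"sig_id": "SIG-RPC", "dst": "10.0.0.9"},  # vulnerability absent everywhere: informational
]

def triage_all(hosts=HOSTS):
    rel = relevant_signatures(SIGNATURES, hosts)
    return sorted(rel), [triage(a, rel) for a in ALERTS]

def after_patch():
    """Re-derive the relevant set once 10.0.0.5 is patched: SIG-FTP drops out."""
    patched = {**HOSTS, "10.0.0.5": {"ftp": set()}}
    return triage_all(patched)
```

With three signatures and two hosts, the three alerts triage to one relevant and two informational; after the patch, no signature in the database remains relevant except the web one.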
 Accordingly, an intrusion detection system is needed that is capable of: a) adapting to new types of computer attacks and storing information on known attacks and logging and acting on relevant attacks against the network, b) automatically identifying the vulnerabilities that exist in a particular network's systems and services and updating such information when changes occur in the systems and services, c) automatically updating its databases of globally (all networks, including systems and services available for networks) known systems and services vulnerabilities, and the associated attack types that attempt to exploit those vulnerabilities, d) correlating the actual vulnerabilities that exist in a particular network with the signature information identifying attack types that attempt to exploit those vulnerabilities, e) actively looking for only those attack types to which the particular network is vulnerable, known as relevant attack types, and taking action when relevant attack types are identified, alerting network administrators, stop