NETWORK INTRUSION DETECTION IN A NETWORK THAT INCLUDES A DISTRIBUTED VIRTUAL SWITCH FABRIC
A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
Latest IBM Patents:
- Integration of selector on confined phase change memory
- Method probe with high density electrodes, and a formation thereof
- Thermally activated retractable EMC protection
- Method to manufacture conductive anodic filament-resistant microvias
- Detecting and preventing distributed data exfiltration attacks
1. Technical Field
This disclosure generally relates to networked computer systems, and more specifically relates to network intrusion detection in a network that includes a distributed virtual switch fabric.
2. Background Art
Networked computer systems are the life blood of today's business world. With the explosion of information available on the Internet, and the corresponding explosion of network technology used by companies both large and small, the complexity of networked computer system continues to increase. One important aspect for networked computer systems is security, which includes making sure that unauthorized agents do not intrude on the network. Network Intrusion Detection Systems (NIDS) have been developed that allow a system administrator to configure notification rules that correspond to certain attack signatures. When an attack that matches an attack signature is detected by the NIDS, the NIDS notifies the system administrator as specified in the corresponding notification rule. In this manner, a system administrator is made aware of the unauthorized network intrusion, and in response can take steps to counteract the network intrusion.
Many modern networks include a relatively large number of network devices, and may also include many different levels of networks, including networks between systems, networks within system, and virtual networks between or within systems. Known NIDS require the system administrator to manually configure the NIDS according to the network topology. This can be a daunting task for many of today's complex networked computer systems. In addition, known NIDS only notify the system administrator when a network intrusion is detected. Known NIDS must also be manually updated by the network administrator anytime a change to the network occurs, such as adding or replacing a network device. Without a way to perform network intrusion detection on complex networks without requiring so much human knowledge and interaction, providing the desired level of security for intrusion detection on modern networks will be difficult.
BRIEF SUMMARYA network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information on a bridge of the distributed virtual switch fabric, which gives the NIDS access to hardware information for all networking devices in the network. Because the NIDS can discover the network topology by interrogating the bridge on the distributed virtual switch fabric, manual configuration of network topology within the NIDS by a system administrator is not required. In addition, access to the network information via the bridge gives the NIDS the capability of not only monitoring and alerting a human system administrator, but the NIDS may also take various service actions when an intrusion is detected, without any action required of a human system administrator. These service actions may be taken immediately, dramatically increasing the security of the network by automatically neutralizing any detected intrusions immediately using an automated service action instead of merely notifying a system administrator. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
The foregoing and other features and advantages will be apparent from the following more particular description, as illustrated in the accompanying drawings.
The disclosure will be described in conjunction with the appended drawings, where like designations denote like elements, and:
The claims and disclosure herein provide a network intrusion detection system (NIDS) that works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
Referring to
NIDS1 710 and NIDS2 720 perform method 1100 in
Referring to
As advances in networking have been made, an effort has resulted in providing a virtual view of many different networks in a networked computer system. Some network professionals refer to a complex set of networks as a “network fabric”, which implies that one fabric covers all network connections and all systems in the networked computer system. For example, Juniper Networks has developed a product called Qfabric that allows providing a virtual view of all networks and systems in a networked computer system. Such a configuration is shown in
The presence of the DVE switch fabric 1360 with its virtual view 1362 of the networked computer system allows a new and improved NIDS that is much easier to configure and maintain, and can take automatic service actions when a network intrusion is detected. Referring to
Referring to
Referring to
There are different changes to the network that can be handled autonomically, as shown in table 410 in
Some examples are now provided to illustrate the difference between the function of prior art NIDS and the NIDS 190 disclosed herein. For the first example, let's assume a NIDS needs to be deployed to monitor all network traffic in a virtual local area network (vlan) X running on a physical network Y. In the prior art, the system administrator would deploy a prior art NIDS somewhere in the physical network Y. The system administrator would then have to manually enter all network end points, speeds and any other needed network topology or configuration information into the NIDS. The system administrator would also have to manually enter all the trusted adapter MAC addresses into the NIDS. The system administrator would also have to configure the notification rules for the various attack signatures. The system administrator can then enable the NIDS to monitor the network traffic in vlan X and physical network Y. The NIDS watches the incoming/outgoing traffic for vlan X and physical network Y, and learns Internet Protocol (IP) addresses, Address Resolution Protocols (ARPs), gateways, etc. As shown in
For the NIDS 190 shown in
In a second example, we assume an existing network adapter is swapped for a new network adapter while the network is up and running In the prior art, the node, blade or PCI slot that contains the network adapter to be serviced is powered down. The hardware swap of the network adapters is performed. The hardware is powered on, and the link goes active. The new hardware sees network traffic and is part of the network. The NIDS detects network packets from a MAC address that is unrecognized, and as a result, alerts the system administrator as shown in
For the NIDS 190 in the same second example, where an existing network adapter is swapped for a new network adapter while the network is up and running, the node, blade or PCI slot that contains the network adapter to be serviced is powered down. The hardware swap of the network adapters is performed. The hardware is powered on, and the link goes active. The new hardware sees traffic and is part of the network. The NIDS detects network packets from a MAC address that is unrecognized, and as a result, queries the virtual view 1362 in the DVE switch fabric 1360 via the DVE information bridge 1370, which tells the NIDS the new network adapter is a replacement for the old network adapter. The NIDS autonomically updates its rules and traffic records to change from the old MAC address to the new MAC address. The NIDS thus autonomically adjusts to the swap in network cards without suspending and re-enabling the NIDS, as required in the prior art. The result is a more secure network because the NIDS is always operational.
In a third example, we assume the NIDS is up and running, and detects an IP-spoof attack. For the prior art NIDS, such as NIDS 710 and 720 shown in
For the NIDS 190 in
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language, Streams Processing language, or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The methods disclosed herein may be performed as part of providing a web-based service. Such a service could include, for example, offering the method to online users in exchange for payment.
The disclosure and claims are directed to a network intrusion detection system (NIDS) that works in conjunction with a virtual view in a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
One skilled in the art will appreciate that many variations are possible within the scope of the claims. Thus, while the disclosure is particularly shown and described above, it will be understood by those skilled in the art that these and other changes in form and details may be made therein without departing from the spirit and scope of the claims.
Claims
1. A computer-implemented method for detecting network intrusions in a networked computer system that includes a plurality of networks interconnecting a plurality of systems, the plurality of systems including a distributed virtual switch fabric that provides a virtual view of the plurality of networks and the plurality of systems, the method comprising the steps of:
- querying the distributed virtual switch fabric to determine from the virtual view network topology and configuration of the networked computer system;
- defining a plurality of attack signatures that specify characteristics of network intrusions;
- defining a plurality of service actions that each may be performed automatically without input from a human system administrator when a network intrusion that matches at least one of the plurality of attack signatures is detected by the network intrusion detection system;
- detecting a network intrusion in the networked computer system that matches at least one of the plurality of attack signatures; and
- in response to detecting the network intrusion that matches the at least one of the plurality of attack signatures, autonomically performing at least one of the plurality of service actions without input from a human system administrator.
2. The method of claim 1 wherein the plurality of service actions comprises monitoring a compromised host that originated network traffic detected as the network intrusion.
3. The method of claim 1 wherein the plurality of service actions comprises quarantining a compromised host that originated network traffic detected as the network intrusion.
4. The method of claim 1 wherein the plurality of service actions comprises moving to a different network a compromised host that originated network traffic detected as the network intrusion to a different network.
5. The method of claim 1 wherein the plurality of service actions comprises shutting down a compromised host that originated network traffic detected as the network intrusion.
6. The method of claim 1 further comprising the steps of:
- detecting an addition to the plurality of systems;
- querying the distributed virtual switch fabric to determine if the addition is reflected in the virtual view of the plurality of networks and the plurality of systems; and
- when the addition is reflected in the virtual view, autonomically changing the network topology and configuration without input from a human system administrator.
7. The method of claim 1 further comprising the steps of:
- detecting a change to the plurality of systems;
- querying the distributed virtual switch fabric to determine if the change is reflected in the virtual view of the plurality of networks and the plurality of systems; and
- when the change is reflected in the virtual view, autonomically changing the network topology and configuration without input from a human system administrator.
8. A computer-implemented method for detecting network intrusions in a networked computer system that includes a plurality of networks interconnecting a plurality of systems, the plurality of systems including a distributed virtual switch fabric that provides a virtual view of the plurality of networks and the plurality of systems, the method comprising the steps of:
- (A) configuring a network intrusion detection system by performing the steps of: querying the distributed virtual switch fabric to determine from the virtual view network topology and configuration of the networked computer system; defining a plurality of attack signatures that specify characteristics of network intrusions; defining a plurality of service actions that each may be performed automatically without input from a human system administrator when a network intrusion that matches at least one of the plurality of attack signatures is detected by the network intrusion detection system;
- (B) running the network intrusion detection system, which performs the steps of: monitoring network traffic in the networked computer system; detecting a network intrusion in the networked computer system that matches at least one of the plurality of attack signatures; and in response to detecting the network intrusion that matches the at least one of the plurality of attack signatures, when a corresponding action for the detected network intrusion is to notify a human system administrator, notifying the human system administrator of the network intrusion, and when the corresponding action for the detected network intrusion is to perform a specified service action, automatically performing the specified service action and notifying the system administrator, wherein the specified service action comprises performing at least one of the following steps: monitoring a compromised host that originated network traffic detected as the network intrusion; quarantining the compromised host; moving to a different network the compromised host; and shutting down the compromised host.
Type: Application
Filed: Nov 27, 2012
Publication Date: Aug 22, 2013
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION (Armonk, NY)
Inventor: International Business Machines Corporation
Application Number: 13/685,784
International Classification: G06F 21/50 (20060101);