As network attacks become increasingly sophisticated and frequent, it has become nearly impossible for security administrators to keep pace with every exploit, worm, virus and denial-of-service attack. To address this issue, new relational network-modeling systems detect security threats by recognizing when network traffic patterns vary from the norm.
Implemented through software, relational network modeling analyzes the role of systems on a network, examining all inter-host relationships and communications. Collection devices placed in the network monitor traffic directly, either by capturing raw packets or from flow exports built by routers and switches.
The data is aggregated centrally, and the relational network-modeling system processes it to find the common patterns of normal network traffic, including patterns for certain times during the workweek. By gathering data directly from a network, the model system accurately represents the network's behavior from various observation points, including the ability to sort and graph by service, client and server.
This approach assumes that hosts generally will have a set of behaviors they rarely drift from so that, for example, Web clients always will be Web clients, not Web servers. For instance, Host A is a client of Host E using the HTTP protocol, but Host A talks to Host D using the DNS protocol. And Host D does not suddenly start behaving as an HTTP server for Host A under normal circumstances.
After a relational network-modeling system gathers data, it builds a model that administrators can use to define and enforce a policy. When deviations from acceptable use occur in the network, security alerts warn administrators of the change, a process known as anomaly detection.
Administrators can use relational network-modeling data to quickly characterize a worm's behavior and quarantine traffic specific to the worm's propagation without disrupting normal business traffic. Administrators then can enforce the normal network model, using internal subnet firewalls, router and switch access control list statements, and virtual LAN ACL statements to create exceptions for previously accepted, or normal, traffic and deny all other traffic. Relational network-modeling systems help generate these ACL statements and push them out to network control plane switches, routers and firewalls.
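The three steps above (learn the inter-host relationships, flag flows that deviate from them, and turn the learned model into permit/deny rules) as an added example in Python; this is illustrative code written for this article, not any vendor's product. The host names, service labels, flow tuples and the generic ACL syntax are all constructed for the example.

```python
from collections import defaultdict

# Constructed baseline flows, (client, server, service), as a collector would
# aggregate them from packet capture or router flow exports. Not real traffic.
BASELINE_FLOWS = [
    ("HostA", "HostE", "http"), ("HostB", "HostE", "http"), ("HostC", "HostE", "http"),
    ("HostA", "HostD", "dns"), ("HostB", "HostD", "dns"),
]

def build_model(flows):
    """Learn who talks to whom over which service, and each host's role per service."""
    relations = set(flows)
    roles = defaultdict(set)  # (host, service) -> {"client", "server"}
    for client, server, service in flows:
        roles[(client, service)].add("client")
        roles[(server, service)].add("server")
    return relations, dict(roles)

def classify(flow, model):
    """Label a new flow as normal or as one of three kinds of deviation."""
    relations, roles = model
    client, server, service = flow
    if flow in relations:
        return "normal"
    client_roles = roles.get((client, service), set())
    server_roles = roles.get((server, service), set())
    if client_roles == {"server"}:
        # A host that has only ever served this service is now initiating it:
        # the pattern of a compromised server reaching out to find new peers.
        return "role_inversion"
    if "server" not in server_roles:
        # e.g. HostD (a DNS server) suddenly answering HTTP for HostA
        return "new_server_role"
    # Both hosts already play these roles, but this pair has never talked before.
    return "new_relation"

def acl_for_service(model, service):
    """Emit permit rules for learned pairs on one service, then deny everything else."""
    relations, _ = model
    rules = [f"permit {service} from {c} to {s}"
             for c, s, svc in sorted(relations) if svc == service]
    rules.append(f"deny {service} from any to any")
    return rules

if __name__ == "__main__":
    model = build_model(BASELINE_FLOWS)
    for flow in [("HostA", "HostE", "http"), ("HostA", "HostD", "http"),
                 ("HostE", "HostA", "http"), ("HostC", "HostD", "dns")]:
        print(flow, classify(flow, model))
    print("\n".join(acl_for_service(model, "http")))
```

A real deployment would also key the baseline by time of week, as the article notes, so that a weekend backup job is not flagged as a new relation.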