System and method for detecting computer intrusions
IPC classification information
Country / type: United States (US) patent, granted
International Patent Classification (IPC 7th ed.): G06F-011/30; G06F-015/00; G06N-005/00
Application number: US-0651439 (2000-08-30)
Inventor / address: Moran, Douglas B.
Applicant / address: Symantec Corporation
Agent / address: Van Pelt, Yi &
Citation information: cited by 70 patents; cites 20 patents
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
Representative claims
What is claimed is:

1. A system for detecting intrusion on a host, comprising: a) a source of rules; b) a source of facts; and c) an analysis engine executed on a processor in communication with the source of rules and source of facts, configured to determine whether an intrusion has taken place by applying forward- and backward-chaining using facts from the source of facts and rules from the source of rules by: (i) using forward chaining to generate one or more inferences; (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules; (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein the analysis engine is further configured to use continuations to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.

2. The system as recited in claim 1, wherein the analysis engine performs forward-chaining by using the facts to generate inferences using the rules, and the analysis engine is further configured to limit lengths of the forward-chaining.

3. The system as recited in claim 2, wherein the analysis engine is configured to perform backward-chaining from a goal and produce at least one sub-goal.

4. The system as recited in claim 3, wherein the analysis engine is configured to assign a score to the goal.

5. The system as recited in claim 4, wherein the score comprises at least one of a cost function, a confidence factor, a support value, and importance of the goal.

6. The system as recited in claim 4, wherein the analysis engine is further configured to use the scores to select a goal to be pursued.

7. The system as recited in claim 6, wherein the rules are configured to enable the system to detect an intrusion after occurrence of the intrusion.

8. The system as recited in claim 7, wherein the rules are configured to cause the analysis engine to correlate and evaluate facts from a plurality of sources of facts.

9. The system as recited in claim 8, wherein the plurality of sources comprises primary, secondary, and indirect sources of facts.

10. The system as recited in claim 8, wherein the rules are further configured to cause the analysis to collect, correlate, and evaluate facts related to all phases of an attack.

11. The system as recited in claim 2, wherein the analysis engine is configured to correlate and evaluate incomplete facts to detect attacks with missing or forged facts.

12. The system as recited in claim 1, further comprising a user interface, wherein the analysis engine is configured to provide the user interface with an analysis based on the facts and rules, and provide the user interface with information relating to the analysis.

13. The system as recited in claim 12, wherein the analysis engine is further configured to provide background information relating to the analysis.

14. A method as in claim 1, wherein the subdivision of rules is organized into a set of graphs.

15. A method as in claim 14, wherein information associated with connections in the set of graphs are used at least in part to schedule the processing of a goal.

16. A method implemented on a computer for detecting intrusions on a host, comprising the steps of: a) providing a source of rules and a source of facts; b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by: (i) using forward chaining to generate one or more inferences; (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules; (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.

17. A computer program product for detecting intrusions on a host, the computer program product being embodied in a tangible computer readable medium having machine readable code embodied therein for performing the steps of: a) providing a source of rules and a source of facts; b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by: (i) using forward chaining to generate one or more inferences; (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules; (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.
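The four-step analysis loop of claims 1, 16 and 17 (length-limited forward chaining, matching inferences to sub-goals, backward chaining from a sub-goal's potential parents, and continuations that park a goal until the data it needs arrives) can be shown as a small rule engine. The following is an added illustration written for this record; it is not code from the patent or from Symantec. The rule names, the facts fed in, the `Engine` class and its `importance` field (a stand-in for the claimed goal score) are all constructed for the example. It goes slightly beyond the claim text by showing that a goal parked as a continuation is still reached when the missing fact arrives later, even if forward chaining is limited to a single round.

```python
"""Added illustration of the claimed analysis loop: bounded forward chaining,
sub-goal matching, backward chaining from potential parents, and continuations
that suspend a goal until the sub-goal it lacks becomes available.
Rules, facts and the Engine class are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    head: str                 # goal the rule concludes
    body: tuple               # sub-goals that must all hold (AND)
    intrusion: bool = False   # True: establishing `head` indicates an intrusion
    importance: float = 1.0   # stand-in for the claimed goal score


# Constructed rule base, not the patent's rules.
RULES = (
    Rule("suspicious_login", ("login_from_unknown_host", "login_outside_hours")),
    Rule("binary_tampered", ("signature_mismatch",)),
    Rule("root_compromise", ("suspicious_login", "binary_tampered"), intrusion=True, importance=5.0),
    Rule("log_tampering", ("timestamp_regression",), intrusion=True, importance=3.0),
)


class Engine:
    def __init__(self, rules=RULES, max_forward_depth=3, max_backward_depth=8):
        self.rules = rules
        self.max_forward_depth = max_forward_depth    # claim 2: bounded forward chaining
        self.max_backward_depth = max_backward_depth
        self.facts = set()
        self.reached_goals = set()
        self.pending = {}      # continuation table: missing sub-goal -> goals waiting on it
        self.intrusions = []   # goals flagged as intrusions, in detection order

    def forward_chain(self):
        """Step (i): derive rule heads from known facts, at most max_forward_depth rounds."""
        inferences = set()
        for _ in range(self.max_forward_depth):
            new = {r.head for r in self.rules
                   if r.head not in self.facts and all(s in self.facts for s in r.body)}
            if not new:
                break
            self.facts |= new
            inferences |= new
        return inferences

    def parents_of(self, goal):
        """Step (ii): rules whose body contains `goal`, i.e. its potential parents, best score first."""
        return sorted((r for r in self.rules if goal in r.body),
                      key=lambda r: r.importance, reverse=True)

    def prove(self, goal, depth=0):
        """Step (iii): backward chain. Returns (proved, sub-goal whose data is unavailable)."""
        if goal in self.facts:
            return True, None
        if depth > self.max_backward_depth:
            return False, goal
        first_missing = None
        for r in self.rules:
            if r.head != goal:
                continue
            missing = None
            for sub in r.body:
                ok, miss = self.prove(sub, depth + 1)
                if not ok:
                    missing = miss
                    break
            if missing is None:
                self.facts.add(goal)          # proved: the goal becomes a fact
                return True, None
            first_missing = first_missing or missing
        return False, first_missing or goal   # no rule and no fact: data not yet available

    def pursue(self, head):
        """Pursue a parent goal; if its data is missing, store a continuation instead of failing."""
        ok, missing = self.prove(head)
        if ok:
            self.reached(head)
        else:
            self.pending.setdefault(missing, set()).add(head)

    def reached(self, goal):
        """Step (iv): a goal holds; flag intrusions, resume waiting continuations, climb to parents."""
        if goal in self.reached_goals:
            return
        self.reached_goals.add(goal)
        if any(r.head == goal and r.intrusion for r in self.rules):
            self.intrusions.append(goal)
        for waiting in self.pending.pop(goal, ()):
            self.pursue(waiting)
        for parent in self.parents_of(goal):
            self.pursue(parent.head)

    def add_facts(self, new_facts):
        """Feed a batch of sensor facts and return the intrusions detected so far."""
        new_facts = set(new_facts)
        self.facts |= new_facts
        for goal in new_facts | self.forward_chain():
            self.reached(goal)
        return list(self.intrusions)


if __name__ == "__main__":
    eng = Engine()
    print(eng.add_facts({"login_from_unknown_host", "login_outside_hours"}))  # []
    print(eng.pending)   # {'signature_mismatch': {'root_compromise'}}: goal parked as a continuation
    print(eng.add_facts({"signature_mismatch"}))      # ['root_compromise']
    print(eng.add_facts({"timestamp_regression"}))    # ['root_compromise', 'log_tampering']
```

The continuation table is the point to watch: after the first batch, `root_compromise` cannot be proved because no sensor has yet reported `signature_mismatch`, so the engine records which goal is waiting on which datum instead of discarding the partial analysis. When the signature check later reports a mismatch, the parked goal is resumed directly, which is what lets the engine detect an intrusion whose evidence arrives out of order or in fragments (claims 7 and 11).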
Patents cited by this patent (20)
Thuraisingham Bhavani Marienne (Lexington MA) Ford William Rose Barlett (Billerica MA), Apparatus and method for the detection of security violations in multilevel secure databases.
Farber David A. ; Lachman Ronald D., Data processing system using substantially unique identifiers to identify data items, whereby identical data items hav.
Dunphy William E. (Westminster CO) Halladay Steven M. (Louisville CO) Moy Michael E. (Lafayette CO) Munro Frederick G. (Broomfield CO), Data storage and protection system.
Leblang David B. (Wayland MA) Allen Larry W. (Cambridge MA) Chase ; Jr. Robert P. (Newton MA) Douros Bryan P. (Framingham MA) Jabs David E. (Sudbury MA) McLean ; Jr. Gordon D. (Brookline MA) Minard D, Dynamic software version auditor which monitors a process to provide a list of objects that are accessed.
Lermuzeaux Jean-Marc (St Michel sur Orge FRX) Emery Thierry (St Germain les Arpajon FRX) Gonthier Patrice (Antony FRX), Facility for detecting intruders and suspect callers in a computer installation and a security system including such a f.
Miller Arnold (Bellevue WA) Neeman Yuval (Bellevue WA) Contorer Aaron M. (Kirkland WA) Misra Pradyumna K. (Issaquah WA) Seaman Michael R. C. (Kirkland WA) Rubin Darryl E. (Redmond WA), Unification of directory service with file system services.
Biran, Giora; Hagleitner, Christoph; Heil, Timothy H.; Hoover, Russell D.; Van Lunteren, Jan, Algorithm engine for use in a pattern matching accelerator.
Bardsley,Jeffrey Scott; Brock,Ashley Anderson; Kim,Nathaniel Wook; Lingafelt,Charles Steven, Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack.
Khader, Aslam; Harper, Jeffrey Todd; York, Halstead Winship, Method and system for authoring multiple application versions based on audience qualifiers.
Khader, Aslam; Harper, Jeffrey Todd; York, Halstead Winship, Method for application authoring employing a child application template derived from a master application template.
Khader, Aslam; Harper, Jeffery Todd; York, Halstead Winship, Method for distributing a certified application employing a pre-certified master application template.
Khader, Aslam; Harper, Jeffrey Todd; York, Halstead Winship, Method for distributing a certified application employing a pre-certified master application template.
Bonjour, Servane; Dousson, Christophe; Nguyen, Mai Trang Thi, Method for managing decisions, method for constructing a decision tree, central manager, intermediate manager, terminal and corresponding computer program products.
Cohen, Alexander J.; Jung, Edward K. Y.; Levien, Royce A.; Lord, Robert W.; Malamud, Mark A.; Mangione-Smith, William Henry; Rinaldo, Jr., John D.; Tegreene, Clarence T., Receiving an indication of a security breach of a protected set of files.
Brawn,John Melvin; Norman,Andrew Patrick; Dalton,Chris Ralph; Griffin,Jonathan, Signal level propagation mechanism for distribution of a payload to vulnerable systems.
Cohen, Alexander J.; Jung, Edward K.Y.; Levien, Royce A.; Lord, Robert W.; Malamud, Mark A.; Mangione-Smith, William Henry; Rinaldo, Jr., John D.; Tegreene, Clarence T., Signaling a security breach of a protected set of files.
Paek, Seung Hyun; Park, In Sung; Lee, Eun Young; Yun, Joo Beom; Sohn, Ki Wook; Choi, Seok Jin, System for an engine for forecasting cyber threats and method for forecasting cyber threats using the system.
Chen, Danny Yen-Fu; Cox, David A.; Kinstler, Sheryl S.; Morgan, Fabian F., System method, and computer readable media for identifying a user-initiated log file record in a log file.
Morgan, Fabian F.; Kinstler, Sheryl S.; Cox, David A.; Chen, Danny Yen-Fu, System, method, and computer readable media for identifying a log file record in a log file.
Chen, Danny Yen-Fu; Cox, David A.; Kinstler, Sheryl S.; Morgan, Fabian F., System, method, and computer readable media for identifying a user-initiated log file record in a log file.