System and method for using timestamps to detect attacks
IPC classification information
Country / Type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
G06F-011/30
G06F-015/00
G06F-017/30
Application number
US-0712260
(2007-02-27)
Registration number
US-8578490
(2013-11-05)
Inventor / Address
Moran, Douglas B.
Applicant / Address
Symantec Corporation
Agent / Address
Wilmer Cutler Pickering Hale and Dorr LLP
Citation information
Cited by: 2
Cited patents: 166
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
Representative claims
1. A system for detecting intrusions on a host, comprising: a) a filesystem scanner, including at least one computer processor, configured to examine timestamps and signatures of files and directories in a filesystem; b) an analysis engine configured to compare timestamps and signatures of a directory of the filesystem and of files in the directory, and assign a weighted value out of a plurality of weighted values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, and scan for inconsistencies between an entry in a log file and expected information of the filesystem, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file, wherein the weighted value is indicative of an attack; wherein the filesystem scanner is configured to examine timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and to recover timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the filesystem scanner is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is further configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
2. The system as recited in claim 1, wherein the analysis engine is configured to treat timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
3. The system of claim 1, wherein the analysis engine is further configured to scan for inconsistencies between entries of a log file.
4. The system of claim 1, wherein the entry in the log file comprises a user login entry and the expected file system information comprises a login start up file.
5. The system of claim 1, wherein the analysis engine is further configured to scan for inconsistencies between a file system timestamp and an expected entry in a log file.
6. The system of claim 5, wherein the file system timestamp comprises an access time by a user account and the expected entry in the log file comprises a user login entry.
7. The system of claim 1, wherein the analysis engine is further configured to scan a log file for allocated and unused space.
8. A method for detecting intrusions on a host, comprising: examining timestamps and signatures of files and directories in a filesystem; comparing, using an analysis engine, timestamps and signatures of a directory of the filesystem and of files in the directory; assigning a weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file; wherein the scanning comprises examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the scanning is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
9. The method as recited in claim 8, further including treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
10. The method as recited in claim 8, wherein examining includes examining timestamps of files and directories from an archival source, and comparing includes comparing the timestamps from the archival source to the timestamps of the directory and files in the directory.
11. The method of claim 8, wherein the entry in the log file comprises a user login entry and the expected file system information comprises a login start up file.
12. The method of claim 8, further comprising: scanning for inconsistencies between a file system timestamp and an expected entry in a log file.
13. The method of claim 12, wherein the file system timestamp comprises an access time by a user account and the expected entry in the log file comprises a user login entry.
14. A computer program product for detecting intrusions on a host, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: examining timestamps and signatures of files and directories in a filesystem; comparing timestamps and signatures of a directory of the filesystem and of files in the directory; assigning a weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file; wherein the examining includes examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the examining is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the comparing comprises comparing the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
15. The computer program product as recited in claim 14, the computer program product further comprising computer instructions for treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
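The claims above describe three consistency checks without giving any implementation: the directory-versus-file timestamp rule of claim 2, the comparison of live timestamps and signatures against those recovered from a backup dump (claim 1), and the cross-check between log entries and a user's login start-up file (claims 4 and 6). The following Python is an added illustration of those checks, not the patent's own code or any Symantec product. The `Entry` record, the weights, the use of SHA-256 as the "signature", and the rule used for the archive comparison (content differs from the backup while the modification time has not advanced) are assumptions of this example; all sample timestamps, file contents and login entries are constructed.

```python
"""Illustration of the timestamp/signature consistency checks claimed above.

Added example, not the patent's or Symantec's code. The Entry record, the
weights, SHA-256 as the "signature" and the archive-comparison rule are
assumptions; the directory rule is the one stated in claim 2 and the
login/start-up file rules follow claims 4 and 6. All data is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    mtime: int          # modification time, seconds since the epoch
    atime: int          # last access time
    content: bytes = b""

    def signature(self) -> str:
        # Assumed form of the claims' "signature": a SHA-256 of the content.
        return hashlib.sha256(self.content).hexdigest()


# Assumed weights: the claims say only that a weighted value indicative of an
# attack is assigned, not what the values are.
W_DIR_NEWER_THAN_FILE = 3
W_CONTENT_CHANGED_MTIME_KEPT = 5
W_LOGIN_WITHOUT_STARTUP_ACCESS = 2
W_STARTUP_ACCESS_WITHOUT_LOGIN = 4

Finding = tuple[str, str, int]      # (subject path, reason, weight)


def check_directory(directory: Entry, files: list[Entry]) -> list[Finding]:
    """Claim 2: timestamps are inconsistent when the directory's timestamp is
    later than that of any file it contains; the offending file is weighted."""
    return [(f.path, f"directory {directory.path} mtime is later than file mtime",
             W_DIR_NEWER_THAN_FILE)
            for f in files if directory.mtime > f.mtime]


def check_against_archive(current: dict[str, Entry], archive: dict[str, Entry]) -> list[Finding]:
    """Claim 1: compare timestamps and signatures recovered from a backup dump
    with the live filesystem. Assumed rule: the content signature differs from
    the archived copy while the mtime has not advanced past the archived mtime."""
    findings = []
    for path, old in archive.items():
        cur = current.get(path)
        if cur is None:
            continue    # deleted files are the job of the patent's other mechanisms
        if cur.signature() != old.signature() and cur.mtime <= old.mtime:
            findings.append((path, "content differs from backup but mtime not advanced",
                             W_CONTENT_CHANGED_MTIME_KEPT))
    return findings


def check_logins(logins: list[tuple[str, int]], startup_files: dict[str, Entry]) -> list[Finding]:
    """Claims 4 and 6: a login entry should be reflected by an access to that
    user's login start-up file at or after the login time (claim 4), and an
    accessed start-up file should be matched by a login entry for its user
    (claim 6). Only the latest access survives in atime, so the first rule
    compares against the most recent login-related access only."""
    findings = []
    for user, login_time in logins:
        f = startup_files.get(user)
        if f is not None and f.atime < login_time:
            findings.append((f.path, f"login of {user} logged but start-up file not read afterwards",
                             W_LOGIN_WITHOUT_STARTUP_ACCESS))
    logged_in = {user for user, _ in logins}
    for user, f in startup_files.items():
        if user not in logged_in:
            findings.append((f.path, f"start-up file of {user} accessed but no login entry",
                             W_STARTUP_ACCESS_WITHOUT_LOGIN))
    return findings


def run_scan() -> tuple[list[Finding], int]:
    """Run the three checks over constructed sample data and return the
    findings together with their summed weight."""
    T0 = 1_700_000_000
    home = Entry("/home/alice", mtime=T0 + 500, atime=T0 + 500)
    profile = Entry("/home/alice/.profile", mtime=T0 + 100, atime=T0 + 1005,
                    content=b"umask 022\nexport EDITOR=vi\n")
    notes = Entry("/home/alice/notes.txt", mtime=T0 + 900, atime=T0 + 900, content=b"hello world")
    current = {e.path: e for e in (profile, notes)}
    # Timestamps and signatures as recovered from an earlier backup dump (constructed).
    archive = {
        "/home/alice/.profile": Entry("/home/alice/.profile", T0 + 100, T0 + 100, b"umask 022\n"),
        "/home/alice/notes.txt": Entry("/home/alice/notes.txt", T0 + 200, T0 + 200, b"hello"),
    }
    logins = [("alice", T0 + 1000), ("bob", T0 + 1100)]        # constructed login-log entries
    startup_files = {
        "alice": profile,
        "bob": Entry("/home/bob/.profile", T0 + 10, T0 + 50),      # read before the logged login
        "carol": Entry("/home/carol/.profile", T0 + 10, T0 + 2000),  # read, but no login logged
    }
    findings = (check_directory(home, [profile, notes])
                + check_against_archive(current, archive)
                + check_logins(logins, startup_files))
    return findings, sum(w for _, _, w in findings)


if __name__ == "__main__":
    for subject, reason, weight in run_scan()[0]:
        print(f"[{weight}] {subject}: {reason}")
```

On the constructed data the scan raises four findings: the directory being newer than `.profile` (the literal claim 2 rule, which on a live system fires for every directory that has gained an entry since an older file was written, so a real deployment would weight it low), `.profile` whose content differs from the backup while its mtime is unchanged, bob's login with no later read of his start-up file, and carol's start-up file read with no login recorded. Summing weights per file, as the claims' "weighted value" suggests, lets an analyst rank paths rather than act on any single rule.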
Patents cited by this patent (166)
Seaman Michael J., Active topology maintenance in reconfiguring bridged local area networks with state transition with forgetting interval.
Thuraisingham Bhavani Marienne (Lexington MA) Ford William Rose Barlett (Billerica MA), Apparatus and method for the detection of security violations in multilevel secure databases.
Sandage David A. (Forest Grove OR) Stanley James C. (Portland OR) Hunt Stewart W. (Portland OR) Kunz Arland D. (Beaverton OR), Architecture for implementing PCMCIA card services under the windows operating system in enhanced mode.
Jackowski Steven J. ; Thomas Christopher N., Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control.
Grohoski Gregory F. (Cedar Park TX) Mitchell Oscar R. (Pflugerville TX) Nguyen Tung M. (Menlo Park CA) Rim Yongjae (Cedar Park TX), Crossbar switch apparatus and protocol.
Farber David A. ; Lachman Ronald D., Data processing system using substantially unique identifiers to identify data items, whereby identical data items hav.
Dunphy William E. (Westminster CO) Halladay Steven M. (Louisville CO) Moy Michael E. (Lafayette CO) Munro Frederick G. (Broomfield CO), Data storage and protection system.
Hecht Matthew S. (Potomac MD) Johri Abhai (Gaithersburg MD) Wei Tsung T. (Gaithersburg MD) Steves Douglas H. (Austin TX), Distributed security auditing subsystem for an operating system.
Leblang David B. (Wayland MA) Allen Larry W. (Cambridge MA) Chase ; Jr. Robert P. (Newton MA) Douros Bryan P. (Framingham MA) Jabs David E. (Sudbury MA) McLean ; Jr. Gordon D. (Brookline MA) Minard D, Dynamic software version auditor which monitors a process to provide a list of objects that are accessed.
Lermuzeaux Jean-Marc (St Michel sur Orge FRX) Emery Thierry (St Germain les Arpajon FRX) Gonthier Patrice (Antony FRX), Facility for detecting intruders and suspect callers in a computer installation and a security system including such a f.
Ruth Bergman ; Muriel Medard, Fault isolation for communication networks for isolating the source of faults comprising attacks, failures, and other network propagating errors.
Eshel Marc M. (Tarrytown NY) Hunt Guerney D. H. (Ithaca NY) Jones Donald N. (Vestal NY) Meyer Christopher (Vestal NY) Schwartz Frederick A. (Binghamton NY), File manager for files shared by heterogeneous clients.
Ault Donald F. (Hyde Park NY) Petersen David B. (Wappingers Falls NY) Redding Ian G. (Winchester GBX) Schmandt Stephen J. (Tokyo JPX), Method and apparatus for cross-partition control in a partitioned process environment.
Lyon Thomas ; Newman Peter ; Minshall Greg ; Hinden Robert ; Liaw Fong Ching ; Hoffman Eric, Method and apparatus for dynamically shifting between routing and switching packets in a transmission network.
Lyon Thomas ; Newman Peter ; Minshall Greg ; Hinden Robert ; Liaw Fong Ching ; Hoffman Eric ; Huston Lawrence B. ; Roberson William A., Method and apparatus for dynamically shifting between routing and switching packets in a transmission network.
Lu Gin-Pao ; Jordan Hank ; Chu Paul, Method and apparatus for re-assigning network addresses to network servers by re-configuring a client host connected thereto.
Antognini James J. (White Plains NY) Cubert Robert Michael (Sacramento CA) Gladney Henry Martin (Saratoga CA) Hildebrand ; Jr. David Burns (San Jose CA) Horne Steven Fletcher (Auburn CA) Schmiedeskam, Method and means for providing access to a library of digitized documents and images.
Howard Steven Kenneth ; Martin David Charles ; Plutowski Mark Earl Paul, Method and system for emulating web site traffic to identify web site usage patterns.
Nessett Danny M. ; Grabelsky David ; Borella Michael S. ; Sidhu Ikhlaq S., Method and system for locating network services with distributed network address translation.
Eric David O'Brien ; James Robert Tryon, Jr., Modular framework for configuring action sets for use in dynamically processing network events in a distributed computing environment.
Witkowski, Michael L.; Mayer, Dale J.; Walker, William J.; Roller, Kirk D.; Hareski, Patricia E.; Kotzur, Gary B., Network communication device including bonded ports for increased bandwidth.
Pascucci Gregory A. (Waukesha WI) Rasmussen David E. (Wales WI) Decious Gaylon M. (Milwaukee WI) Garbe James R. (Greenfield WI) Hyzer Susan M. (Brown Deer WI) Woest Karen L. (Wauwatosa WI) Vairavan V, Networked facilities management system with time stamp comparison for data base updates.
Spinney Barry A. (Wayland MA) Simcoe Robert J. (Westboro MA) Thomas Robert E. (Hudson MA) Varghese George (Bradford MA), Packet format in hub for packet data communications system.
Force Gordon (San Jose CA) Davis Timothy D. (Arlington TX) Duncan Richard L. (Bedford TX) Norcross Thomas M. (Arlington TX) Shay Michael J. (Arlington TX) Short Timothy A. (Duncanville TX), Programmable distributed personal security.
Caronni Germano,CHX ; Skrenta Rich ; Markson Tom ; Aziz Ashar,PKX, Scheme to allow two computers on a network to upgrade from a non-secured to a secured session.
Bean Robert G. (Colorado Springs CO) Beckman Michael E. (Colorado Springs CO) Rubinson Barry L. (Colorado Springs CO) Gardner Edward A. (Colorado Springs CO) Sergeant O. Winston (Colorado Springs CO), Secondary storage facility employing serial communications between drive and controller.
Brown Paul J. (16 Carmen Dr. Poughkeepsie NY 12603) Elliott Joseph C. (29 Larchmont Dr. Hopewell Junction NY 12533) Franaszek Peter A. (Pine Tree Dr. Katonah NY 10536) Hoppe Karl H. (R.D. 1 ; Box 30B, Switch and its protocol for making dynamic connections.
Tajalli Homayoon (Ellicott City MD) Badger Mark L. (Rockville MD) Dalva David I. (Rockville MD) Walker Stephen T. (Glenwood MD), System and method for controlling the use of a computer.
Srisuresh Pyda ; Willens Steven M., System and method for network address translation as an external service in the access server of a service provider.
Osborne, Anthony Charles; Leidl, Bruce Robert; Eschelbeck, Gerhard; Villa, Andrea Emilio, System and method for providing a network host decoy using a pseudo network protocol stack implementation.
Zenchelsky Daniel N. ; Dutta Partha P. ; London Thomas B. ; Vrsalovic Dalibor F. ; Siil Karl Andres, System and method for providing peer level access control on a network.
Boebert, William E.; Rogers, Clyde O.; Andreas, Glenn; Hammond, Scott W.; Gooderum, Mark P., System and method for providing secure internetwork services via an assured pipeline.
Eschelbeck, Gerhard; Schlemmer, Andreas; Blaimschein, Peter, System and process for brokering a plurality of security applications using a modular framework in a distributed computing environment.
Bertin Olivier (Nice FRX) Chobert Jean-Paul (Carros FRX) Pruvost Alain (Valauris FRX), System for managing topology of a network in spanning tree data structure by maintaining link table and parent table in.
Bonnell David N. (Houston TX) Tatarinov Kirill L. (Bellaire TX) Picard Martin W. (Bellaire TX), System for monitoring and managing computer resources and applications across a distributed computing environment using.
Cotner Curt Lee ; Pickel James Willis, System, method and program for enabling a client to reconnect to a same server in a network of computer systems after the server has moved to a different network address.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Wellard Ronald George,CAX ; Papineau Mario Rosaire Joseph,CAX ; Hamel Pierre-Antoine Bertrand Nicolas,CAX ; Onsy Sammy John,CAX, Topology verification process for controlling a personal communication services system.
Miller Arnold (Bellevue WA) Neeman Yuval (Bellevue WA) Contorer Aaron M. (Kirkland WA) Misra Pradyumna K. (Issaquah WA) Seaman Michael R. C. (Kirkland WA) Rubin Darryl E. (Redmond WA), Unification of directory service with file system services.
Newton Farrell ; Williams Gareth, User identification and authentication system using ultra long identification keys and ultra large databases of identif.
Beardsley Brent C. (Tucson AZ) Brailey Allen C. (Tucson AZ) Leung Peter L. H. (Tucson AZ), Using time stamps to correlate data processing event times in connected data processing units.