System and method for using login correlations to detect intrusions
Patent 7085936 Issued on August 1, 2006. Estimated Expiration Date: August 30, 2020. Estimated Expiration Date is calculated based on simple USPTO term provisions. It does not account for terminal disclaimers, term adjustments, failure to pay maintenance fees, or other factors which might affect the term of a patent.
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
Other References
Frisch, “Essential System Administration,” 1995, pp. 250 and 262-265.
Rebecca Bace, Introduction to Intrusion Detection Assesment, no date, for System and Network Security Management.
Gene H. Kim and Eugene H. Spafford, Writing, Supporting and Evaluating Tripwire: A Publically Available Security Tool, Mar. 12, 1994, Purdue Technical Report; Purdue University.
Douglas B. Moran et al., Derbi: Diagnosis, Explanation and Recovery From Break-Ins, no date, Artificial Intelligence Center SRI International.
Mabry Tyson, Ph.D., Explaining and Recovering From Computer Break-Ins, Jan. 12, 2001, SRI International.
Aleph One, Smashing the Stack for fun and Profit, no date, vol. Seven, Issue Forty-Nine; File 14 of 16 of BugTraq, r00t, and Underground.Org.
Donald C. Latham, Department of Defense Trusted Computer System Evaluation Criteria, Dec. 1985, Department of Defense Standard.
James P. Anderson Co., Computer Security Threat Monitoring and Surveillance, Feb. 26, 1980, Contract 79F296400.
Teresa F. Hunt et al., A Real-Time Intrusion-Detection Expert System (IDES), Feb. 28, 1992, SRI International Project 6784.
Lawrence Halme, Teresa Lunt, and J. Van Horne, Automated Analysis of Computer System Audit Trails for Security Purposes. Proceedings of the National Computer Security Conference, Washington, D.C., 1986.
Teresa Lunt, Automated Audit Trail Analysis and Intrusion Detection: A Survey. Proceedings of the Eleventh National Computer Security Conference, Washington, D.C., Oct. 1988.
Teresa F. Lunt, Ann Tamaru, Fred Gilham, R. Jagannathan, Peter G. Neumann, Caveh Jalali, IDES: A Progress Report. Proceedings of the Sixth Annual Computer Security Applications Conference, Tucson, AZ, Dec. 1990.
August 30, 2020. Estimated Expiration Date is calculated based on simple USPTO term provisions. It does not account for terminal disclaimers, term adjustments, failure to pay maintenance fees, or other factors which might affect the term of a patent.
