System and method for host and network based intrusion detection and response
Abstract
The present application is directed to a host-based IDS on an HP-UX intrusion detection system that enhances local host-level security within the network. It should be understood that the present invention is also usable on, for example, Linux, Solaris, AIX and Windows 2000 operating systems. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.
48 Claims
1. A method of detecting intrusions using a host-based intrusion system, comprising:
reading kernel records;
reformatting each of the read kernel records into a different format;
parsing the records and comparing the parsed records against one or more templates.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43
29. A method of detecting changes to critical files/directories, comprising:
monitoring a predetermined set of files for modifications;
monitoring a predetermined set of directories for modifications;
generating an alert for each occurrence of a modification of a monitored file; and
generating an alert for each occurrence of a modification of a monitored directory.
44. A method of detecting changes to log files, comprising:
monitoring a user defined list of files for attempts to modify any of the files in any way other than appending.
Dependent claims: 45, 48
46. A method of detecting intrusions, comprising:
monitoring repeated failed login attempts; and
generating an alert if a predetermined threshold is exceeded.
47. A method of detecting a race condition attack, comprising:
monitoring file accesses that a privileged program performs; and
generating an alert if an inode for a file reference appears to have unexpectedly changed.
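The pipeline of claim 1 (read kernel records, reformat, parse, match against templates) with two of the templates claimed above (the failed-login threshold of claim 46 and the inode-change race check of claim 47), as an added illustration that is not code from the patent or from the HP-UX product. The record format, field names, sample records and the threshold of 3 are all constructed for this example.

```python
"""Added example: a minimal host-based detector in the style of claims 1, 46 and 47.
Constructed 'key=value' audit records are reformatted into dicts and run
through templates; the record format and field names are invented here."""
from collections import defaultdict

# Constructed sample records, one per line; not real HP-UX audit output.
SAMPLE_RECORDS = """\
pid=101 euid=0 event=stat path=/tmp/out inode=4412
pid=101 euid=0 event=open path=/tmp/out inode=9021
pid=202 euid=1000 event=stat path=/tmp/x inode=5
pid=202 euid=1000 event=open path=/tmp/x inode=6
pid=303 euid=0 event=login_fail user=bob
pid=303 euid=0 event=login_fail user=bob
pid=303 euid=0 event=login_fail user=bob
"""

def reformat(line):
    """Reformatting step: turn one 'key=value ...' record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def inode_change_template(rec, state):
    """Claim 47: alert when a privileged process (euid 0) sees a different
    inode for the same path it referenced earlier (a TOCTOU swap)."""
    if rec.get("euid") != "0" or "path" not in rec:
        return None
    key = (rec["pid"], rec["path"])
    inodes = state.setdefault("inodes", {})
    prev, inodes[key] = inodes.get(key), rec["inode"]
    if prev is not None and prev != rec["inode"]:
        return f"race: pid {rec['pid']} path {rec['path']} inode {prev}->{rec['inode']}"
    return None

def failed_login_template(rec, state, threshold=3):
    """Claim 46: alert once a user's failed logins reach the threshold."""
    if rec.get("event") != "login_fail":
        return None
    fails = state.setdefault("fails", defaultdict(int))
    fails[rec["user"]] += 1
    if fails[rec["user"]] == threshold:
        return f"brute force: {threshold} failed logins for {rec['user']}"
    return None

TEMPLATES = [inode_change_template, failed_login_template]

def detect(raw):
    """Read records, reformat each one, and compare against every template."""
    state, alerts = {}, []
    for line in raw.splitlines():
        rec = reformat(line)
        alerts.extend(a for a in (t(rec, state) for t in TEMPLATES) if a)
    return alerts
```

Note that the unprivileged process 202 also sees an inode change but raises no alert, because claim 47 scopes the check to privileged programs.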