Computer architecture for an intrusion detection system

US 20020083343A1
Filed: 06/12/2001
Published: 06/27/2002
Est. Priority Date: 06/12/2000
Status: Active Grant

First Claim

Patent Images

1. A computer architecture for an intrusion detection system, comprising:

a control agent to interface with a management system and to monitor system activity;

at least one data gathering component which gathers kernel audit data and syslog data;

at least one correlator to interpret and analyzes the kernel audit data and the syslog data using at least one detection template.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present application is directed to a host-based IDS on an HP-UX intrusion detection system that enhances local host-level security within the network. It should be understood that the present invention is also usable on, for example, Eglinux, solaris, aix windows 2000 operating systems. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.

241 Citations

22 Claims

1. A computer architecture for an intrusion detection system, comprising:
- a control agent to interface with a management system and to monitor system activity;
  
  at least one data gathering component which gathers kernel audit data and syslog data;
  
  at least one correlator to interpret and analyzes the kernel audit data and the syslog data using at least one detection template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20)
- - 2. The computer architecture of claim 1, wherein said intrusion detection system is host-based.
  - 3. The computer architecture of claim 1, wherein said detection templates are configured into surveillance groups and into surveillance schedules.
  - 4. The computer architecture of claim 1, wherein said management system includes a graphical user interface.
  - 5. The computer architecture of claim 4, further comprising a communication agent which encrypts information sent from said intrusion detection system to said management station.
  - 6. The computer architecture of claim 1, wherein there is low bandwidth connection between said control agent and each of said data gathering components and said at least one correlator and a high bandwidth connection between said control agent and each said data gathering component and said correlator.
  - 7. The computer architecture of claim 1, wherein said correlator uses a meta-description language.
  - 8. The computer architecture of claim 1, wherein said high bandwidth connection is used to send and receive memory-mapped files.
  - 9. The computer architecture of claim 1, wherein said data gathering component includes a kernel audit record component and a syslog component.
  - 10. The computer architecture of claim 9, wherein said data gathering component and said syslog component convert gathered data into an ASCII format.
  - 11. The computer architecture of claim 1, further comprising a notification log and a response script connected to said control agent.
  - 12. The computer architecture of claim 1, further comprising an installed bits file connected to said control agent.
  - 13. The computer architecture of claim 1, wherein the computer architecture uses one of eglinux, solaris and windows 2000 operating system.
  - 14. The computer architecture of claim 1, wherein the management system controls more than one control agent each residing on a different computer.
  - 15. The computer architecture of claim 1, wherein said at least one template is selected from the group including:
    - reading kernel records;
      
      reformatting each of the read kernel records into a different format;
      
      parsing the records and comparing the parsed records against one or more templates.
  - 16. The computer architecture of claim 1, wherein said control agent communicates with said management system across a secure communications link.
  - 17. The computer architecture of claim 1, wherein if the correlator detects an intrusion an alert will be sent to the management system and a potential intrusion alert record will be logged to a notification file.
  - 18. The computer architecture of claim 1, wherein said at lest one data gathering component includes a buffer.
  - 20. The computer architecture of claim 19, wherein the at least one template is selected from the group including:
    - a modification of files/directories template;
      
      a change to log files template;
      
      a SetUID files template;
      
      a creation of world-writables template;
      
      a repeated failed logins template;
      
      a repeated failed SU commands template;
      
      a race conditions attack template;
      
      a buffer overflow attacks template;
      
      a modification of another user'"'"'s file template;
      
      a monitor for the start of interactive sessions template; and
      
      a monitor logins/logouts template.

19. A computer architecture for detecting intrusions, comprising:
- reading means for reading kernel records;
  
  reformatting means for reformatting each of the read kernel records into a different format;
  
  parsing means for parsing the records and comparing the parsed records against one or more templates.

21. A computer system, comprising:
- a processor; and
  
  a memory coupled to said processor, the memory having stored therein sequences of instructions, which, when executed by said processor, causes said processor to perform the steps of;
  
  reading kernel records;
  
  reformatting each of the read kernel records into a different format;
  
  parsing the records and comparing the parsed records against one or more templates.

22. The computer system of claim 22, wherein the at lest one template is selected from the group including:
- a modification of files/directories template;
  
  a change to log files template;
  
  a SetUID files template;
  
  a creation of world-writables template;
  
  a repeated failed logins template;
  
  a repeated failed SU commands template;
  
  a race conditions attack template;
  
  a buffer overflow attacks template;
  
  a modification of another user'"'"'s file template;
  
  a monitor for the start of interactive sessions template; and
  
  a monitor logins/logouts template.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Kuperman, Benjamin, Crosbie, Mark, Shepley, Rosemarie, Frayman, Leonard L.

Granted Patent

US 7,007,301 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/552   involving long-term monitor...

Y10S 707/99953   Recoverability

Y10S 707/99956   File allocation

Computer architecture for an intrusion detection system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

241 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Computer architecture for an intrusion detection system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

241 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links