Computer architecture for an intrusion detection system
3 Assignments
0 Petitions
Abstract
The present application is directed to a host-based IDS for HP-UX that enhances local host-level security within the network. It should be understood that the present invention is also usable on, for example, Linux, Solaris, AIX, and Windows 2000 operating systems. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.
241 Citations
22 Claims
1. A computer architecture for an intrusion detection system, comprising:
- a control agent to interface with a management system and to monitor system activity;
- at least one data gathering component which gathers kernel audit data and syslog data;
- at least one correlator to interpret and analyze the kernel audit data and the syslog data using at least one detection template.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20.

19. A computer architecture for detecting intrusions, comprising:
- reading means for reading kernel records;
- reformatting means for reformatting each of the read kernel records into a different format;
- parsing means for parsing the records and comparing the parsed records against one or more templates.

21. A computer system, comprising:
- a processor; and
- a memory coupled to said processor, the memory having stored therein sequences of instructions which, when executed by said processor, cause said processor to perform the steps of:
- reading kernel records;
- reformatting each of the read kernel records into a different format;
- parsing the records and comparing the parsed records against one or more templates.

22. The computer system of claim 22, wherein the at least one template is selected from the group including:
- a modification of files/directories template;
- a change to log files template;
- a SetUID files template;
- a creation of world-writables template;
- a repeated failed logins template;
- a repeated failed SU commands template;
- a race conditions attack template;
- a buffer overflow attacks template;
- a modification of another user's file template;
- a monitor for the start of interactive sessions template; and
- a monitor logins/logouts template.
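The following is an added illustration of the read / reformat / parse / compare pipeline that claims 19 and 21 describe, applied to three of the templates named in claim 22 (repeated failed logins, repeated failed SU commands, creation of world-writables). It is not code from the patent or from the HP-UX product; the syslog lines, the "key=value" kernel-audit lines and the su failure message format are constructed sample input, and the time window and threshold values are assumptions chosen for the demonstration.

```python
"""Toy host-based correlator: read raw records, reformat them into one common
Record format, then compare the parsed records against detection templates."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input (not from the patent). The sshd lines follow the
# common "Failed password" wording; the su line format is a made-up one.
SAMPLE_SYSLOG = [
    "Mar  4 10:01:02 host1 sshd[412]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "Mar  4 10:01:05 host1 sshd[413]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "Mar  4 10:01:09 host1 sshd[414]: Failed password for root from 10.0.0.5 port 5003 ssh2",
    "Mar  4 10:02:00 host1 su: - 1 bob-root",
    "Mar  4 10:02:03 host1 su: - 1 bob-root",
    "Mar  4 10:02:07 host1 su: - 1 bob-root",
    "Mar  4 10:05:00 host1 cron[99]: (root) CMD (run-parts)",
]
# Constructed kernel-audit records in a hypothetical key=value format;
# mode is octal, time is an arbitrary audit clock.
SAMPLE_AUDIT = [
    "event=creat uid=1001 path=/tmp/drop mode=0666 time=1000",
    "event=chmod uid=1001 path=/home/bob/notes mode=0644 time=1001",
    "event=open uid=1001 path=/etc/passwd mode=0 time=1002",
]

@dataclass(frozen=True)
class Record:
    """The common ("different") format every raw record is reformatted into."""
    source: str   # "syslog" or "audit"
    event: str    # normalized event name
    user: str
    ts: int       # seconds since midnight (syslog) or raw audit clock (audit)
    path: str = ""
    mode: int = 0

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_PW_RE = re.compile(r"Failed password for (\S+) from (\S+)")
SU_FAIL_RE = re.compile(r"^- \S+ (\S+)-(\S+)$")   # constructed: "- <tty> <from>-<to>"

def reformat_syslog(line):
    """Reading + reformatting step for a syslog line; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss, prog, msg = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss)
    if prog == "sshd":
        f = FAILED_PW_RE.search(msg)
        if f:
            return Record("syslog", "failed_login", f.group(1), ts, path=f.group(2))
    elif prog == "su":
        f = SU_FAIL_RE.match(msg)
        if f:
            return Record("syslog", "failed_su", f.group(1), ts, path=f.group(2))
    return Record("syslog", "other", "", ts)

def reformat_audit(line):
    """Reading + reformatting step for one key=value kernel-audit record."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Record("audit", kv.get("event", ""), kv.get("uid", ""), int(kv.get("time", 0)),
                  path=kv.get("path", ""), mode=int(kv.get("mode", "0"), 8))

def repeated_event_template(name, event, threshold, window):
    """Template: `threshold` events of one kind for the same user within `window` seconds."""
    def check(records):
        alerts, by_user = [], defaultdict(list)
        for r in records:
            if r.event == event:
                by_user[r.user].append(r.ts)
        for user, times in by_user.items():
            times.sort()
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    alerts.append(f"{name}: {threshold} '{event}' events for {user!r} within {window}s")
                    break
        return alerts
    return (name, check)

def world_writable_template(records):
    """Template: a creat/chmod audit record that leaves the 'other write' bit set."""
    return [f"creation of world-writables: {r.path} mode {r.mode:04o} by uid {r.user}"
            for r in records
            if r.source == "audit" and r.event in ("creat", "chmod") and r.mode & 0o002]

TEMPLATES = [
    repeated_event_template("repeated failed logins", "failed_login", 3, 60),
    repeated_event_template("repeated failed SU commands", "failed_su", 3, 60),
    ("creation of world-writables", world_writable_template),
]

def correlate(syslog_lines, audit_lines, templates=TEMPLATES):
    """The correlator: parse every record, then compare against each template."""
    records = [r for r in map(reformat_syslog, syslog_lines) if r]
    records += [reformat_audit(line) for line in audit_lines]
    alerts = []
    for _name, check in templates:
        alerts.extend(check(records))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_SYSLOG, SAMPLE_AUDIT):
        print(alert)
```

Running it on the constructed input yields one alert per template. The separation matters in practice: the reformatting stage is where a deployment absorbs the differences between HP-UX audit records, Linux audit records and plain syslog, while the templates only ever see the common Record shape, which keeps detection logic portable across the operating systems the abstract lists.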
Specification