Automatically generating valid behavior specifications for intrusion detection

US 20020138755A1
Filed: 02/06/2001
Published: 09/26/2002
Est. Priority Date: 02/06/2001
Status: Active Grant

First Claim

Patent Images

1. A method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, comprising:

receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and

automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;

wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;

wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that automatically generates a valid behavior specification for use in an intrusion detection system for a computer system. The system operates by receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls. The system automatically constructs the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls. This set of rules is selected to cover all positive examples in the exemplary set of system calls without covering negative examples. Moreover, the process of selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule. In one embodiment of the present invention, the system additionally monitors an executing program. During this monitoring process, the system receives a system call generated by the executing program. The system next determines whether the system call is covered by a rule from within the valid behavior specification. If not, the system generates and indication that the system call is invalid.

126 Citations

24 Claims

1. A method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, comprising:
- receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
  
  automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
  
  wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
  
  wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the objective function additionally seeks to minimize the number of privileged system calls covered by the rule.
  - 3. The method of claim 1, wherein the objective function additionally seeks to minimize a length of the rule.
  - 4. The method of claim 1, wherein the method further comprises monitoring an executing program by:
    - receiving a system call generated by the executing program;
      
      determining whether the system call is covered by a rule from within the valid behavior specification; and
      
      if the system call is not covered by a rule from within the valid behavior specification, indicating that the system call is invalid.
  - 5. The method of claim 1, further comprising producing the exemplary set of system calls by running an exemplary program and recording system calls generated by the exemplary program.
  - 6. The method of claim 1, where the exemplary set of system calls includes calls to functions implemented by an operating system of the computer system.
  - 7. The method of claim 1, wherein the set of rules includes at least one Horn clause.
  - 8. The method of claim 7, wherein selecting a rule for the valid behavior specification involves:
    - selecting a positive example from the exemplary set of system calls;
      
      constructing a Horn clause for the positive example by iterating through a subsumption lattice, starting from a most general possible clause and proceeding to a most specific clause for the positive example, and selecting a Horn clause that maximizes the objective function without covering any negative examples;
      
      adding the Horn clause to the set of rules in the valid behavior specification; and
      
      removing other positive examples covered by the Horn clause from the exemplary set of system calls, so subsequently selected Horn clauses do not have to cover the other positive examples.

9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, the method comprising:
- receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
  
  automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
  
  wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
  
  wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24)
- - 10. The computer-readable storage medium of claim 9, wherein the objective function additionally seeks to minimize the number of privileged system calls covered by the rule.
  - 11. The computer-readable storage medium of claim 9, wherein the objective function additionally seeks to minimize a length of the rule.
  - 12. The computer-readable storage medium of claim 9, wherein the method further comprises monitoring an executing program by:
    - receiving a system call generated by the executing program;
      
      determining whether the system call is covered by a rule from within the valid behavior specification; and
      
      if the system call is not covered by a rule from within the valid behavior specification, indicating that the system call is invalid.
  - 13. The computer-readable storage medium of claim 9, wherein the method further comprises producing the exemplary set of system calls by running an exemplary program and recording system calls generated by the exemplary program.
  - 14. The computer-readable storage medium of claim 9, where the exemplary set of system calls includes calls to functions implemented by an operating system of the computer system.
  - 15. The computer-readable storage medium of claim 9, wherein the set of rules includes at least one Horn clause.
  - 16. The computer-readable storage medium of claim 15, wherein selecting a rule for the valid behavior specification involves:
    - selecting a positive example from the exemplary set of system calls;
      
      constructing a Horn clause for the positive example by iterating through a subsumption lattice, starting from a most general possible clause and proceeding to a most specific clause for the positive example, and selecting a Horn clause that maximizes the objective function without covering any negative examples;
      
      adding the Horn clause to the set of rules in the valid behavior specification; and
      
      removing other positive examples covered by the Horn clause from the exemplary set of system calls, so subsequently selected Horn clauses do not have to cover the other positive examples.
  - 18. The apparatus of claim 17, wherein the objective function additionally seeks to minimize the number of privileged system calls covered by the rule.
  - 19. The apparatus of claim 17, wherein the objective function additionally seeks to minimize a length of the rule.
  - 20. The apparatus of claim 17, wherein the apparatus further comprises a program monitoring mechanism that is configured to:
    - receive a system call generated by an executing program;
      
      determine whether the system call is covered by a rule from within the valid behavior specification; and
      
      to indicate that the system call is invalid, if the system call is not covered by a rule from within the valid behavior specification.
  - 21. The apparatus of claim 17, further comprising a trace generation mechanism that is configured to produce the exemplary set of system calls by running an exemplary program and recording system calls generated by the exemplary program.
  - 22. The apparatus of claim 17, where the exemplary set of system calls includes calls to functions implemented by an operating system of the computer system.
  - 23. The apparatus of claim 17, wherein the set of rules includes at least one Horn clause.
  - 24. The apparatus of claim 23, wherein in selecting a rule for the valid behavior specification, the specification construction mechanism is configured to:
    - select a positive example from the exemplary set of system calls;
      
      construct a Horn clause for the positive example by iterating through a subsumption lattice, starting from a most general possible clause and proceeding to a most specific clause for the positive example, and selecting a Horn clause that maximizes the objective function without covering any negative examples;
      
      add the Horn clause to the set of rules in the valid behavior specification; and
      
      to remove other positive examples covered by the Horn clause from the exemplary set of system calls, so subsequently selected Horn clauses do not have to cover the other positive examples.

17. An apparatus that is configured to automatically generate a valid behavior specification for use in an intrusion detection system for a computer system, comprising:
- a receiving mechanism that is configured to receive an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
  
  a specification construction mechanism that is configured to automatically construct the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
  
  wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
  
  wherein the specification construction mechanism is configured to select a rule for the valid behavior specification by using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ko, Cheuk W.

Granted Patent

US 6,983,380 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/552 involving long-term monitor...

Automatically generating valid behavior specifications for intrusion detection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically generating valid behavior specifications for intrusion detection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links