Intrusion detection method and system

US 20030014664A1
Filed: 06/26/2002
Published: 01/16/2003
Est. Priority Date: 06/29/2001
Status: Active Grant

First Claim

Patent Images

1. A method of detecting intrusions to a data system, said method comprising searching for at least one predefined pattern in a traffic stream, detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion detection system (IDS) according to the invention employs a pointer fingerprint method for detecting attempted or successful intrusions into an information system or network. In a pointer fingerprint method, the specific stream of bits searched from the traffic streams is a pointer or part of it that must be included in all working buffer overflow (bof) attacks. This makes it possible to detect also the previously unknown bof attacks.

115 Citations

13 Claims

1. A method of detecting intrusions to a data system, said method comprising searching for at least one predefined pattern in a traffic stream, detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, wherein said at least one pointer comprises a stack pointer.
  - 3. A method according to claim 1, wherein said at least one pointer comprises a library of c (libc) function pointer or a pointer to a Global Offset Table (GOT).
  - 4. A method according to claim 1, 2 or 3, comprising determining the parts of said traffic which are not in accordance with a specific protocol used, searching for said at least one pointer or part of it in said determined part of said traffic.
  - 5. A method according to claim 1, 2 or 3, comprising searching for said at least one pointer or part of it only in specific types of data packets or data streams according a specific protocol which do not normally contain pointers.
  - 6. A method according to claim 1, 2 or 3, comprising searching for said at least one pointer or part of it in all traffic, if a pointer fingerprint is found, analyzing whether the presence of a pointer in the specific point in the traffic is allowed or not, and if the presence of the pointer is not allowed, an attack is assumed to be detected.

7. A method of detecting intrusions to a data system, said method comprising searching for at least one stack pointer or part of it in a traffic stream, detecting a potential attack, if said at least at least one stack pointer or part of it is found in the traffic stream.

8. A method of detecting intrusions to a data system, said method comprising searching for at least one predefined pattern in a traffic stream, said at least one predetermined pattern corresponding to at least one pointer or part of it selected among the following pointers:
- a stack pointer, a library of c (libc) function pointer, or a pointer to a Global Offset Table (GOT).

9. A computer-readable medium, containing a computer software which when executed in a computer causes the computer to execute a process comprising searching for at least one predefined pattern in a traffic stream, detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

10. A computer-readable medium, containing a computer software which when executed in a computer causes the computer to execute a process comprising searching for at least one at least one stack pointer or part of it in a traffic stream, detecting a potential attack, if said at least one stack pointer is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

11. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predefined pattern is at least one pointer or part of it.

12. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predefined pattern is at least one stack pointer or part of it.

13. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predetermined pattern corresponds to at least one pointer or part of it selected among the following pointers:
- a stack pointer, a library of c (libc) function pointer, or a pointer to a Global Offset Table (GOT).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Stonesoft Corporation
Inventors
Hentunen, Daavid

Granted Patent

US 7,260,843 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Intrusion detection method and system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection method and system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links