Intrusion detection method and system
Abstract
The intrusion detection system (IDS) according to the invention employs a pointer fingerprint method for detecting attempted or successful intrusions into an information system or network. In the pointer fingerprint method, the specific bit string searched for in the traffic streams is a pointer, or part of one, that must be present in every working buffer overflow (bof) attack. This makes it possible to detect previously unknown bof attacks as well.
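The following is an added illustration of the abstract's idea and is not code from the patent or its assignee. It treats a pointer fingerprint as a literal byte pattern: either a whole pointer value or only its high-order part, which is the part shared by every address in a memory region such as the stack. The scanner searches a traffic stream for such patterns and raises an alert when one is seen at least a configurable number of times. Everything concrete here is an assumption: little-endian encoding, the 32-bit address values used for the signatures, the names `PointerSignature`, `signature_from_pointer` and `detect`, and the two constructed traffic samples.

```python
"""Added example: a minimal 'pointer fingerprint' scanner in the spirit of the
abstract above (not the patent's own code). It searches a traffic stream for
byte patterns that correspond to a pointer, or the high-order part of one,
and reports where and how often each pattern occurs."""
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PointerSignature:
    name: str
    pattern: bytes  # exact bytes searched for, as they would appear on the wire


def signature_from_pointer(name: str, value: int, width: int = 4, keep: int = 4) -> PointerSignature:
    """Build a fingerprint from a pointer value.

    Pointers travel in the byte order of the target machine; this example
    assumes little-endian, so the high-order bytes (the part shared by every
    address in a region such as the stack) are the *last* `keep` bytes.
    keep == width fingerprints the whole pointer; keep < width fingerprints
    only its high-order part ("or part of it" in the claims).
    """
    if width not in (4, 8) or not 1 <= keep <= width:
        raise ValueError("width must be 4 or 8 and 1 <= keep <= width")
    raw = struct.pack("<I" if width == 4 else "<Q", value)
    return PointerSignature(name, raw[width - keep:])


def detect(stream: bytes, signatures, min_hits: int = 1):
    """Scan one traffic stream and return one alert per signature that occurs
    at least `min_hits` times (non-overlapping matches).

    A short partial fingerprint (two bytes) will match benign binary data by
    chance, so a threshold above 1 is the usual trade-off for partial
    pointers; a full pointer value is specific enough to alert on a single hit.
    """
    alerts = []
    for sig in signatures:
        offsets = [m.start() for m in re.finditer(re.escape(sig.pattern), stream)]
        if len(offsets) >= min_hits:
            alerts.append({"signature": sig.name, "hits": len(offsets), "offsets": offsets})
    return alerts


# Constructed sample values (assumptions, not addresses taken from the patent):
# 0xBFFFF7A0 stands in for an address in a classic 32-bit Linux stack region,
# 0x0804A010 for a GOT entry of a small non-PIE binary.
SIGNATURES = [
    signature_from_pointer("stack_region_prefix", 0xBFFFF7A0, width=4, keep=2),  # b"\xff\xbf"
    signature_from_pointer("got_entry", 0x0804A010, width=4, keep=4),            # b"\x10\xa0\x04\x08"
]

# Constructed traffic: a plain HTTP request, and a payload in which the
# stack-region pointer value is repeated eight times after a run of filler bytes.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPICIOUS_PAYLOAD = b"A" * 64 + struct.pack("<I", 0xBFFFF7A0) * 8


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_PAYLOAD)):
        print(label, detect(data, SIGNATURES, min_hits=4))
```

Running the block reports no alert for the HTTP request and one `stack_region_prefix` alert with eight hits for the constructed payload. The `min_hits` threshold is where a deployment tunes the false-positive rate of partial fingerprints; a full-pointer signature such as `got_entry` can reasonably run with `min_hits=1`.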
115 Citations
13 Claims
1. A method of detecting intrusions to a data system, said method comprising searching for at least one predefined pattern in a traffic stream, detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

7. A method of detecting intrusions to a data system, said method comprising searching for at least one stack pointer or part of it in a traffic stream, detecting a potential attack, if said at least one stack pointer or part of it is found in the traffic stream.

8. A method of detecting intrusions to a data system, said method comprising searching for at least one predefined pattern in a traffic stream, said at least one predetermined pattern corresponding to at least one pointer or part of it selected among the following pointers: a stack pointer, a library of c (libc) function pointer, or a pointer to a Global Offset Table (GOT).

9. A computer-readable medium, containing a computer software which when executed in a computer causes the computer to execute a process comprising searching for at least one predefined pattern in a traffic stream, detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

10. A computer-readable medium, containing a computer software which when executed in a computer causes the computer to execute a process comprising searching for at least one stack pointer or part of it in a traffic stream, detecting a potential attack, if said at least one stack pointer is found in the traffic stream, utilizing at least one pointer or part of it as said predefined pattern.

11. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predefined pattern is at least one pointer or part of it.

12. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predefined pattern is at least one stack pointer or part of it.

13. An intrusion detection system, said system comprising means for searching for at least one predefined pattern in a traffic stream, means for detecting a potential attack, if said at least one predefined pattern is found in the traffic stream, wherein said at least one predetermined pattern corresponds to at least one pointer or part of it selected among the following pointers: a stack pointer, a library of c (libc) function pointer, or a pointer to a Global Offset Table (GOT).
Specification