Host-based systematic attack detection tool
Abstract
A vulnerability checking tool for a host computer designed to examine security logs of attempted logins and revocations, to detect systematic attacks of a wide variety, and to generate a report file that can be examined for information concerning these types of events. Host computer files which contain data regarding attempted accesses and logins are used to create an event list based upon event criteria. The list is evaluated using a “floating period” time frame which advances by single event steps while no violation is detected within a particular floating period, and which advances by “jumps” when violations are detected in a time period so as to reduce the possibility of “over reporting” violations related to the same set of events.
Claims (15 in total; only the independent claims 1, 6 and 11 are reproduced below)
1. A method for detecting systematic attacks and unauthorized attempts to access a host computer, said host computer having an event list containing time-stamped records for each attempt to login or logon to the host computer, said records including user detail information such as a user name, said event list having an earliest event and a latest event with the time therebetween being a scan time, said method comprising the steps of:
establishing a float period length having a finite time duration;
establishing a float period at an initial position, said float period having a start time and an end time, said end time being equal to said start time plus said float period length, wherein said start time is initially equal to a time stamp value of said earliest event in said event list;
counting a number of events in said event list which fall within said current float period;
responsive to said count exceeding a threshold, producing a violation message and jumping said float period by setting said start time to be equal to a time stamp value of an event in said event list immediately following said float period end time, otherwise advancing said float period by a single event by setting said start time to a time stamp value of an event in said event list immediately following said start time; and
iterating said steps of counting, producing a violation message and jumping said float period and single-event advancing of said float period until said float period end time exceeds a time stamp value of said latest event in said event list.
Dependent claims 2, 3, 4 and 5 depend from claim 1 (not reproduced here).
6. A computer readable medium encoded with software for detecting systematic attacks and unauthorized attempts to access a host computer, said host computer having an event list containing time-stamped records for each attempt to login or logon to the host computer, said records including user detail information such as a user name, said event list having an earliest event and a latest event with the time therebetween being a scan time, said software causing said host computer to perform the steps of:
establishing a float period length having a finite time duration;
establishing a float period at an initial position, said float period having a start time and an end time, said end time being equal to said start time plus said float period length, wherein said start time is initially equal to a time stamp value of said earliest event in said event list;
counting a number of events in said event list which fall within said current float period;
responsive to said count exceeding a threshold, producing a violation message and jumping said float period by setting said start time to be equal to a time stamp value of an event in said event list immediately following said float period end time, otherwise advancing said float period by a single event by setting said start time to a time stamp value of an event in said event list immediately following said start time; and
iterating said steps of counting, producing a violation message and jumping said float period and single-event advancing of said float period until said float period end time exceeds a time stamp value of said latest event in said event list.
Dependent claims 7, 8, 9 and 10 depend from claim 6 (not reproduced here).
11. A system for detecting systematic attacks against a host computer by analyzing an event list of attempted log-ons and accesses, said event list having a plurality of events comprised of time stamps and user names, said event list having an earliest event and a latest event, said system comprising:
a float period manager for advancing a float period from an initial position to a plurality of subsequent positions, said initial position having a float period start time equivalent to said earliest event time stamp and a float period end time equal to said start time plus a float period length, said float period being adapted to jump the float period to a subsequent position such that said start time is equivalent to a time stamp of an immediately subsequent event following said end time, and also being adapted to advance said float period to a subsequent position by a single event such that said start time is equivalent to a time stamp of an immediately subsequent event following said start time;
an event counter for determining an event count within a given position of said float period; and
an evaluator for comparing said event count to a violation threshold, and responsive to said count exceeding said threshold, producing a violation message and causing said float period manager to jump said float period to a subsequent position, otherwise causing said float period manager to advance said float period by a single-event to a subsequent position, until said float period end time exceeds a time stamp of said latest event in the event list.
Dependent claims 12, 13, 14 and 15 depend from claim 11 (not reproduced here).
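The float-period scan described in claims 1, 6 and 11 (and in the abstract) is a sliding-window burst detector whose distinguishing feature is the jump after a violation. The following is an added example, written for this page and not the patent's own code, that runs the method over a constructed login log. It assumes a log-line format of `<ISO timestamp> <user> <outcome>`, an end-inclusive window that starts at an event's time stamp rather than at an arbitrary time, a strict "count > threshold" test (equal is not a violation), and that the window whose end passes the latest event is evaluated before the scan stops. A naive variant that never jumps is included only to make the over-reporting the jump prevents visible: the same eight-failure burst produces three overlapping reports without the jump and one with it.

```python
"""Floating-period scan over a host login-event list.

Added illustration of the method in claim 1 above; this is not the patent's
own code.  Assumed here: the log-line format, an end-inclusive window, a
window that starts at an event (not at an arbitrary time), and evaluation of
the final window before the scan stops once its end passes the latest event.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    outcome: str            # "FAILED" or "REVOKED" in the sample below


@dataclass(frozen=True)
class Violation:
    start: datetime         # float period start (time stamp of its first event)
    end: datetime           # start + float period length
    count: int              # events in the window (count > threshold)
    users: Tuple[str, ...]  # distinct user names seen in the window


def parse_events(lines: List[str]) -> List[LoginEvent]:
    """Parse '<ISO timestamp> <user> <outcome>' lines (assumed format) into
    a time-ordered event list; the scan relies on the ordering."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), user, outcome))
    return sorted(events, key=lambda e: e.ts)


def floating_period_scan(events: List[LoginEvent], period_length: timedelta,
                         threshold: int, jump_on_violation: bool = True) -> List[Violation]:
    """Slide the float period over `events` and return the violations.

    The window at index i holds every event j >= i with ts[j] <= ts[i] + period_length.
    count > threshold -> record a violation and jump to the first event past the window end;
    otherwise         -> advance by a single event.
    jump_on_violation=False is the naive variant, kept only to show the over-reporting
    that the jump avoids.  The scan ends after evaluating the window whose end exceeds
    the latest event, since that window already covers every remaining event.
    """
    violations: List[Violation] = []
    n = len(events)
    if n == 0:
        return violations
    latest = events[-1].ts
    i = 0
    while i < n:
        start = events[i].ts
        end = start + period_length
        j = i
        while j < n and events[j].ts <= end:    # end-inclusive window
            j += 1
        count = j - i
        if count > threshold:                    # "exceeding": equal is not a violation
            users = tuple(sorted({e.user for e in events[i:j]}))
            violations.append(Violation(start, end, count, users))
            next_i = j if jump_on_violation else i + 1
        else:
            next_i = i + 1
        if end > latest:
            break
        i = next_i
    return violations


# Constructed sample log: one password-guessing burst at 02:14, then normal noise.
SAMPLE_LOG = """
# timestamp            user   outcome
2024-03-01T02:14:03    alice  FAILED
2024-03-01T02:14:05    alice  FAILED
2024-03-01T02:14:06    alice  FAILED
2024-03-01T02:14:08    root   FAILED
2024-03-01T02:14:09    root   FAILED
2024-03-01T02:14:11    admin  FAILED
2024-03-01T02:14:12    admin  FAILED
2024-03-01T02:14:15    admin  REVOKED
2024-03-01T03:40:00    bob    FAILED
2024-03-01T09:12:44    carol  FAILED
2024-03-01T09:13:10    carol  FAILED
""".strip().splitlines()

PERIOD = timedelta(seconds=60)   # float period length (assumed value)
THRESHOLD = 5                    # violation threshold (assumed value)


def scan_sample() -> Tuple[List[Violation], List[Violation]]:
    """Run the jumping scan and the naive scan on the sample; return both lists."""
    events = parse_events(SAMPLE_LOG)
    return (floating_period_scan(events, PERIOD, THRESHOLD, jump_on_violation=True),
            floating_period_scan(events, PERIOD, THRESHOLD, jump_on_violation=False))


if __name__ == "__main__":
    with_jump, naive = scan_sample()
    for v in with_jump:
        print(f"VIOLATION {v.start:%H:%M:%S}-{v.end:%H:%M:%S} "
              f"{v.count} events > {THRESHOLD}, users={', '.join(v.users)}")
    print(f"jumping scan: {len(with_jump)} report(s); naive scan: {len(naive)}")
```

With the 60-second period and threshold of 5, the jumping scan reports the 02:14 burst once (8 events, users admin, alice and root) and then resumes at the 03:40 event; the naive scan reports the same burst three times because the windows starting at the second and third event still exceed the threshold. The user-name tuple in each violation is what a report file built on this method would carry alongside the window bounds and count.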
Specification