Method and device for detecting computer intrusion
Abstract
A method and device for detecting intrusion on a computer system utilize a target server running software that is executed for a client only upon receiving authorization from a monitoring server to execute the software. When an attempt to execute software on the target server by a client is not authorized, the monitoring server notifies the system administrator of the unauthorized attempt.
29 Claims
1. A method for computer intrusion detection on a computer system including a target server accessible by a client and administered by a system administrator capable of authorizing attempts to execute software on the target server, a client and a monitoring server coupled to the target server, the method comprising the steps of:
- running on the target server monitored latent software performing a latent software function upon successful completion;
- receiving an attempt to execute monitored latent software on the target server from the client; and
- determining at the monitoring server whether the attempt to execute the monitored latent software by the client is authorized.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 24, 25
19. On a computer system including a target server accessible by a plurality of clients and administered by a system administrator capable of authorizing attempts to execute software on the target server by a client and a monitoring server coupled to the target server but not directly accessible by clients, a method of detecting intrusion comprising the steps of:
- distinguishing between active software and latent software resident on the target server;
- permitting execution of the active software on the target server by each of the plurality of clients;
- authorizing a client of the plurality of clients to attempt to execute latent software on the target server thereby defining an authorized client;
- receiving an attempt to execute latent software on the target server from a client of the plurality of clients thereby defining an attempting client;
- determining at the monitoring server whether the attempting client is the authorized client prior to completely executing the latent software on the target server; and
- completing execution of the latent software when the attempting client is the authorized client.
Dependent claims: 20, 21, 22, 23
26. A computer system administered by a system administrator and accessible by a client on an external network comprising:
- a target server coupled to the external network and configured to receive connections from the client and to receive requests from the client to execute software thereon;
- an interface with the system administrator;
- a monitoring server coupled to the target server but not directly accessible on the external network by the client, the monitoring server having authorization data resident thereon and administration software accessible through the interface for administering the authorization data;
- said target server including software resident thereon including an authorization subroutine for sending a query to the monitoring server indicating that the client is requesting to execute the software and receiving a response from the monitoring server indicating that the client is authorized to execute the software prior to successfully completing execution of the software for the client; and
- said monitoring server including a subroutine thereon for receiving the query from the target machine, accessing the authorization data to determine whether the client is authorized to execute the software on the target machine, sending a response to the target machine indicating that the client is authorized to execute the software or the client is not authorized to execute the software, and sending a message through the interface to the system administrator if the client is not authorized to execute the software.
Dependent claims: 27, 28, 29
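
The query and response flow of claims 19 and 26, as an added Python example that is not part of the patent text. The class names, the `alerts` list standing in for the administrator interface, the program names and the client addresses are assumptions, and the two servers are modeled in one process rather than over a network.

```python
"""In-process model of the target/monitoring server flow (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class MonitoringServer:
    # Authorization data: (client, software) pairs granted by the administrator.
    authorized: set = field(default_factory=set)
    # Stand-in for the administrator interface (assumption of this example).
    alerts: list = field(default_factory=list)

    def authorize(self, client, software):
        """Administrator grants one client the right to run one latent program."""
        self.authorized.add((client, software))

    def handle_query(self, client, software):
        """Answer the target server's query; message the administrator on denial."""
        ok = (client, software) in self.authorized
        if not ok:
            self.alerts.append(f"unauthorized attempt: client={client} software={software}")
        return ok

@dataclass
class TargetServer:
    monitor: MonitoringServer                    # reachable only from the target server
    active: dict = field(default_factory=dict)   # software every client may run
    latent: dict = field(default_factory=dict)   # software gated by the monitor

    def execute(self, client, software, *args):
        if software in self.active:
            return self.active[software](*args)
        if software not in self.latent:
            raise KeyError(software)
        # Authorization subroutine: query before the latent function completes.
        if not self.monitor.handle_query(client, software):
            raise PermissionError(f"{software} not authorized for {client}")
        return self.latent[software](*args)

def demo():
    monitor = MonitoringServer()
    target = TargetServer(monitor,
                          active={"echo": lambda s: s},
                          latent={"dump_config": lambda: "config-contents"})
    monitor.authorize("10.0.0.5", "dump_config")   # constructed client address
    results = [target.execute("203.0.113.9", "echo", "hi"),
               target.execute("10.0.0.5", "dump_config")]
    try:
        target.execute("203.0.113.9", "dump_config")   # client never authorized
    except PermissionError:
        results.append("denied")
    return results, monitor.alerts
```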