Method and device for detecting computer intrusion

US 20040064732A1
Filed: 06/17/2003
Published: 04/01/2004
Est. Priority Date: 06/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method for computer intrusion detection on a computer system including a target server accessible by a client and administered by a system administrator capable of authorizing attempts to execute software on the target server, a client and a monitoring server coupled to the target server, the method comprising the steps of:

running on the target server monitored latent software performing a latent software function upon successful completion;

receiving an attempt to execute monitored latent software on the target server from the client; and

determining at the monitoring server whether the attempt to execute the monitored latent software by the client is authorized.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for detecting intrusion on a computer system utilizes a target server running software that is executed for a client only upon receiving authorization from a monitoring server to execute the software. When an attempt to execute software on the target server by a client is not authorized, monitoring server notifies the system administrator of the unauthorized attempt.

48 Citations

View as Search Results

29 Claims

1. A method for computer intrusion detection on a computer system including a target server accessible by a client and administered by a system administrator capable of authorizing attempts to execute software on the target server, a client and a monitoring server coupled to the target server, the method comprising the steps of:
- running on the target server monitored latent software performing a latent software function upon successful completion;
  
  receiving an attempt to execute monitored latent software on the target server from the client; and
  
  determining at the monitoring server whether the attempt to execute the monitored latent software by the client is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 24, 25)
- - 2. The method of claim 1 further comprises the step of successfully completing execution of the monitored software on the target server when the attempt to execute the monitored latent software is authorized and wherein the determining step includes the step of determining authorization prior to successful completion of the monitored latent software.
  - 3. The method of claim 1 further comprising the step of aborting the execution of the monitored latent software prior to successful completion when the attempt to execute the monitored latent software is not authorized.
  - 4. The method of claim 1 further comprising the step of sending a message to the system administrator when the attempt to execute the monitored latent software is not authorized.
  - 5. The method of claim 1 wherein the determining step includes the step of accessing authorization data resident on the monitoring server.
  - 6. The method of claim 5 further comprising the step of creating and storing authorization data on the monitoring server.
  - 7. The method of claim 6 wherein the creating and storing step includes storing the authorization data into a database resident on the monitoring server.
  - 8. The method of claim 4 wherein the monitored latent software includes an implementing routine for performing the latent software function and a nested authorization subroutine for determining if the attempt to access the monitored latent software is authorized.
  - 9. The method of claim 8 wherein the implementing subroutine is resident entirely on the target server and the authorization subroutine includes a portion resident on the target server and a portion resident on the monitoring server.
  - 10. The method of claim 9 wherein the portion of the authorization subroutine on the target server queries the monitoring server and the monitoring server responds to the query during the determination step.
  - 11. The method of claim 10 wherein the query and response are secure.
  - 12. The method of claim 10 including the step of signing the response.
  - 13. The method of claim 10 including the step of signing the query.
  - 14. The method of claim 11 including the step of encrypting the query.
  - 15. The method of claim 10 including the step of signing and encrypting the query and response.
  - 16. The method of claim 1 wherein the running monitored latent software step includes the steps of running a monitored command implemented using a wrapper for a system command on the target server and altering the file system of the target server to load the wrapper in a former location of the system command and relocate the system command to another location.
  - 17. The method of claim 1 and further comprising the step of running active software on the target server and successfully completing execution of the active software upon receiving an attempt to execute the active software from the client.
  - 18. The method of claim 1 wherein the determining step includes the step of setting a time interval on the target server when the attempt to execute the monitored latent software is authorized and authorizing at the target server future attempts prior to the expiration of the time interval to execute monitored latent software by the client.
  - 24. The method of claim 15 wherein the determining step includes the step of sending a query from the target server to the monitoring server containing the client name of the attempting client and the time of the attempt.
  - 25. The method of claim 24 wherein the sending the query step includes the step of encrypting the query.

19. On a computer system including a target server accessible by a plurality of clients and administered by a system administrator capable of authorizing attempts to execute software on the target server by a client and a monitoring server coupled to the target server but not directly accessible by clients, a method of detecting intrusion comprising the steps of:
- distinguishing between active software and latent software resident on the target server;
  
  permitting execution of the active software on the target server by each of the plurality of clients;
  
  authorizing a client of the plurality of clients to attempt to execute latent software on the target server thereby defining an authorized client;
  
  receiving an attempt to execute latent software on the target server from a client of the plurality of clients thereby defining an attempting client;
  
  determining at the monitoring server whether the attempting client is the authorized client prior to completely executing the latent software on the target server; and
  
  completing execution of the latent software when the attempting client is the authorized client.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19 further comprising the step of aborting the execution of the monitored latent software prior to completion when the attempting client is not the authorized client.
  - 21. The method of claim 19 further comprising the step of sending a message to the system administrator when the attempting client is not the authorized client.
  - 22. The method of claim 21 wherein the target server and monitoring server are on a network.
  - 23. The method of claim 19 further comprising the step of storing data on the monitoring server regarding the authorized client including a client name and a time interval during which the authorization is valid.

26. A computer system administered by a system administrator and accessible by a client on an external network comprising:
- a target server coupled to the external network and configured to receive connections from the client and to receive requests from the client to execute software thereon;
  
  an interface with the system administrator;
  
  a monitoring server coupled to the target server but not directly accessible on the external network by the client, the monitoring server having authorization data resident thereon and administration software accessible through the interface for administering the authorization data;
  
  said target server including software resident thereon including an authorization subroutine for sending a query to the monitoring server indicating that the client is requesting to execute the software and receiving a response from the monitoring server indicating that the client is authorized to execute the software prior to successfully completing execution of the software for the client; and
  
  said monitoring server including a subroutine thereon for receiving the query from the target machine, accessing the authorization data to determine whether the client is authorized to execute the software on the target machine, sending a response to the target machine indicating that the client is authorized to execute the software or the client is not authorized to execute the software, and sending a message through the interface to the system administrator if the client is not authorized to execute the software.
- View Dependent Claims (27, 28, 29)
- - 27. The computer system of claim 26 wherein the interface includes a gateway to a messaging device.
  - 28. The computer system of claim 26 wherein the interface includes an administrator PC coupled to the monitoring server.
  - 29. The computer system of claim 26 wherein the target computer includes a file system having a standard location for a system command and a hidden location and wherein the system command is stored at the hidden location and a wrapper is stored at the standard location, said wrapper including the authorization subroutine and a call to the system command at the hidden location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Hall, Robert J.

Granted Patent

US 7,797,744 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Method and device for detecting computer intrusion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for detecting computer intrusion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links