Host intrusion detection and isolation
Abstract
A host computer system having at least one network interface interfaced with a computer network is operated in a multi-user mode. An intrusion event is detected using a system daemon. In response to detecting the intrusion event, the at least one network interface is isolated from the computer network and the host computer system taken down to a single user state so that access to the host computer system is limited to physical access at the host computer system.
27 Claims
1. A method comprising:
providing a host computer system having at least one network interface interfaced with a computer network;
operating the host computer system in a multi-user mode;
detecting an intrusion event using a system daemon; and
in response to detecting the intrusion event, isolating the at least one network interface from the computer network and taking the host computer system down to a single user state so that access to the host computer system is limited to physical access at the host computer system. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13)
11. The method of claim 1 wherein said detecting the intrusion event comprises detecting an incorrect permission associated with a file in a file system of the host computer system.
14. A method comprising:
providing a host computer system having at least one network interface interfaced with a computer network;
operating the host computer system in a multi-user mode;
executing a JTRIP system daemon on the host computer system;
reading, by the JTRIP system daemon, a configuration file that indicates at least one file in a file system of the host computer system to be monitored for intrusion, wherein the configuration file comprises a first directive type that indicates a directory whose members are to be monitored for intrusion, a second directive type that indicates a file to be monitored for intrusion, and a third directive type that indicates another configuration file to be monitored for intrusion;
reading a valid MD5 signature for a monitored file from a database that is located on a second computer system isolated physically and programmatically from the host computer system;
detecting an intrusion event using the JTRIP system daemon by detecting that an MD5 signature of the monitored file differs from the valid MD5 signature; and
in response to detecting the intrusion event:
issuing an IFCONFIG down command to the at least one network interface to isolate the at least one network interface from the computer network;
issuing an INIT1 command to an operating system of the host computer system to take the host computer system down to a single user state; and
writing a log of the intrusion event to a log database that is not located on the second computer system.
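The monitoring loop of claim 14, as an added example that is not part of the patent or of any JTRIP implementation: it parses the three directive types, compares each monitored file's MD5 against a baseline that stands in for the signature database on the isolated second system, and returns the isolation commands instead of executing them. The directive keywords, the interface name eth0, and the temporary-directory scenario are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Directive syntax ("dir <path>", "file <path>", "include <config>") is an assumption.
def parse_config(path, seen=None):
    """Return the set of monitored files, following 'include' directives."""
    seen = set() if seen is None else seen
    if path in seen:                     # guard against include cycles
        return set()
    seen.add(path)
    monitored = set()
    for line in Path(path).read_text().splitlines():
        kind, _, target = line.strip().partition(" ")
        if kind == "dir":                # every regular file directly under the directory
            monitored |= {str(p) for p in Path(target).iterdir() if p.is_file()}
        elif kind == "file":
            monitored.add(target)
        elif kind == "include":
            monitored |= parse_config(target, seen)
    return monitored

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def check_host(config_path, baseline, iface="eth0"):
    """`baseline` stands in for the signature database on the isolated second
    system. Returns (events, commands); commands are returned, never executed."""
    events = []
    for p in sorted(parse_config(config_path)):
        actual = md5_of(p) if Path(p).is_file() else None   # None: file was removed
        if actual != baseline.get(p):
            events.append({"file": p, "expected": baseline.get(p), "actual": actual})
    return events, ([f"ifconfig {iface} down", "init 1", "log intrusion"] if events else [])

def demo():
    """Constructed scenario: three files are baselined, then bin/ls is modified."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    ls, passwd, hosts = root / "bin" / "ls", root / "passwd", root / "hosts"
    for p in (ls, passwd, hosts):
        p.write_text(f"original {p.name}")
    (root / "extra.conf").write_text(f"file {hosts}\n")
    cfg = root / "jtrip.conf"
    cfg.write_text(f"dir {root / 'bin'}\nfile {passwd}\ninclude {root / 'extra.conf'}\n")
    baseline = {p: md5_of(p) for p in parse_config(cfg)}   # taken while the host is known good
    clean = check_host(cfg, baseline)
    ls.write_text("modified")                              # simulate tampering
    return clean, check_host(cfg, baseline)
```

MD5 is used because the claim specifies it; a current deployment would hash with SHA-256 and authenticate the baseline, since an attacker who can alter both the file and its recorded signature defeats the check.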
15. A system comprising:
a host computer system having at least one network interface interfaced with a computer network, the host computer system to:
operate in a multi-user mode;
detect an intrusion event using a system daemon; and
in response to detecting the intrusion event, isolate the at least one network interface from the computer network and take the host computer system down to a single user state so that access to the host computer system is limited to physical access at the host computer system. (Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)