Intrusion Detection
Abstract
A system daemon starts through the normal system startup procedures and reads its configuration file to determine which data entities (e.g., directories and files) are to be monitored. The monitoring covers a valid MD5 signature, correct permissions, ownership of the file, and the existence of the file. If any modifications are made to the data entities, the system daemon generates an alarm (intended for the administrator of the host) that an intrusion has taken place. Once an intrusion is detected, isolating steps or commands are issued in a real-time, continuous manner to protect the host system from attack or intrusion.
24 Claims
1. A method for detecting intrusion in a host via a monitoring daemon operating in conjunction with a configuration file defining data entities to be monitored, said method as implemented in said host comprising the steps of:
a. monitoring said data entities via comparing a locally stored copy of a digital signature associated with each data entity against a corresponding digital signature stored in a first remote database; and
b. upon identifying a mismatch in compared digital signatures, issuing an instruction to record an entry in a log file located in a second remote database, said entry identifying a possible intrusion in said host.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system to detect intrusion comprising:
a. a host running a monitoring daemon working in conjunction with a configuration file, said configuration file identifying files and directories to be monitored in said host and said host communicating with external networks via one or more network interfaces, said monitoring daemon dynamically monitoring said files and directories identified by said configuration file by comparing a locally stored digital signature corresponding to each file or directory against a remotely stored corresponding digital signature;
b. a digital signature database remote from said host storing said digital signatures associated with files and directories identified by said configuration file; and
c. a log database remote from said host recording entries corresponding to mismatches between a digital signature stored in said host and a corresponding digital signature in said digital signature database.
Dependent claims: 11, 12, 13, 14.
15. An article of manufacture comprising a computer usable medium having computer readable program code embedded therein to detect intrusion in a host via a monitoring daemon operating in conjunction with a configuration file defining data entities to be monitored, said medium comprising:
a. computer readable program code monitoring said data entities via comparing a locally stored copy of a digital signature associated with each data entity against a corresponding digital signature stored in a first remote database; and
b. upon identifying a mismatch in compared digital signatures, computer readable program code issuing an instruction to record an entry in a log file located in a second remote database, said entry identifying a possible intrusion in said host.
Dependent claims: 16, 17.
18. An intrusion detection and isolation method implemented using a monitoring daemon in a host, said host having one or more network interfaces to communicate over one or more networks, said method comprising the steps of:
a. reading a configuration file to identify data entities to be monitored on a host;
b. for each data entity to be monitored, extracting a digital signature from said host;
c. for each data entity to be monitored, querying a remote digital signature database via said one or more network interfaces and requesting a digital signature corresponding to said digital signature extracted from said host;
d. for each data entity to be monitored, receiving said corresponding digital signature from said remote digital signature database;
e. matching the digital signature received from said remote digital signature database with the digital signature extracted at said host;
f. upon identifying a mismatch, transmitting an instruction to a remote log database via said one or more network interfaces, said instruction executed in said remote log database to record an entry in a log file indicating a possible intrusion in said host; and
g. performing any one of, or a combination of, the following steps:
(i) issuing a command to bring down said one or more network interfaces to isolate said host; or
(ii) issuing a command to an operating system of the host to bring said host to a single user state.
Dependent claims: 19, 20, 21, 22, 23, 24.
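The procedure of claim 18 (and the monitoring the abstract describes), as an added Python example that is not the patent's own code: a daemon-style check that reads a configuration file, fingerprints each entity by existence, MD5, permission bits and owner, compares that against a signature store, logs each mismatch and returns the isolation step as a label instead of executing it. The two remote databases are in-memory stand-ins, the config format and all file and host names are assumptions, and the sample host and the tampering applied to it are constructed in a temporary directory.

```python
import hashlib, os, stat, tempfile
from pathlib import Path
SIGNATURE_DB = {}  # constructed in-memory stand-in for the patent's remote digital signature database
LOG_DB = []        # constructed in-memory stand-in for the patent's remote log database

def fingerprint(path):
    """What the abstract monitors per entity: existence, MD5 of contents, permission bits, owner."""
    if not os.path.lexists(path):
        return {"exists": False}
    st = os.stat(path)
    digest = hashlib.md5(Path(path).read_bytes()).hexdigest()  # MD5 as in the abstract; prefer SHA-256 today
    return {"exists": True, "md5": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def read_config(config_path):
    """Assumed config format: one monitored path per line; lines starting with '#' are comments."""
    return [ln.strip() for ln in Path(config_path).read_text().splitlines() if ln.strip() and ln.lstrip()[0] != "#"]

def record_baseline(config_path):
    for path in read_config(config_path):  # known-good state, captured once before monitoring starts
        SIGNATURE_DB[path] = fingerprint(path)

def check_host(config_path, host="host-1"):
    """Claim 18 steps a-f: compare each local signature with the remote one and log every mismatch."""
    found = []
    for path in read_config(config_path):
        local, remote = fingerprint(path), SIGNATURE_DB.get(path)
        if remote is None:  # never baselined, so nothing to compare against
            continue
        changed = ["exists"] if local["exists"] != remote["exists"] else [  # a deleted file is one finding
            f for f in ("md5", "mode", "uid") if local[f] != remote[f]]
        found += [(host, path, f, remote.get(f), local.get(f)) for f in changed]
    LOG_DB.extend(found)  # step f: the entries the daemon would send to the remote log database
    return found

def isolation_action(findings, single_user=False):  # step g; a label is returned, nothing is executed
    return None if not findings else ("BRING_HOST_TO_SINGLE_USER" if single_user else "BRING_DOWN_NETWORK_INTERFACES")

def make_sample_host():  # constructed sample: three monitored files plus a config listing them, in a temp dir
    d = Path(tempfile.mkdtemp())
    paths = [str(d / name) for name in ("passwd", "hosts", "motd")]
    for p in paths:
        Path(p).write_text("original contents\n")
    cfg = d / "monitor.conf"
    cfg.write_text("# constructed config\n" + "\n".join(paths) + "\n")
    return str(cfg), paths

def tamper_sample_host(paths):  # constructed intrusion: edit file 0, loosen file 1's mode, delete file 2
    Path(paths[0]).write_text("original contents\ntampered\n")
    os.chmod(paths[1], 0o777)  # exec bits are never set by a plain file create, so this always differs
    os.remove(paths[2])
```

A real deployment would query the signature and log stores over the network interfaces named in the claim; the structure of the comparison and the one-finding-per-deleted-file rule stay the same.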