Secure initialization of intrusion detection system

US 20050086500A1
Filed: 10/15/2003
Published: 04/21/2005
Est. Priority Date: 10/15/2003
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for detecting intrusions, the method comprising:

receiving a behavior profile associated with an application;

reading the behavior profile associated with the application;

monitoring execution of the application, according to the behavior profile;

if the behavior of the application does not conform to the behavior profile, issuing a message indicating that the application is not conforming to the behavior profile.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer readable medium for detecting intrusions is disclosed. The method on a computer includes receiving a behavior profile associated with an application and reading the behavior profile associated with the application. The method further includes monitoring execution of the application, according to the behavior profile. If the behavior of the application does not conform to the behavior profile, a message is issued indicating that the application is not conforming to the behavior profile. The behavior profile can be generated by a developer of the intrusion detection system, a developer of the application, and/or a third party developer. Additionally, the behavior profile is generated by executing the system on a reference computer system or by heuristic determination.

69 Citations

View as Search Results

22 Claims

1. A method in a computer system for detecting intrusions, the method comprising:
- receiving a behavior profile associated with an application;
  
  reading the behavior profile associated with the application;
  
  monitoring execution of the application, according to the behavior profile;
  
  if the behavior of the application does not conform to the behavior profile, issuing a message indicating that the application is not conforming to the behavior profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, where the application comprises any one of:
    - a software program running on a computer system;
      
      a computer network;
      
      a user interfacing with a computer system;
      
      a plurality of computer systems; and
      
      a distributed application.
  - 3. The method of claim 1, wherein the behavior profile is generated by at least one of:
    - a developer of the method;
      
      a developer of the application; and
      
      a third party developer.
  - 4. The method of claim 2, wherein the behavior profile is generated by any one of:
    - executing the system on a reference computer system;
      
      heuristic determination; and
      
      a combination of executing the system on a reference computer system and heuristic determination.
  - 5. The method of claim 1, wherein the behavior profile includes at least one of:
    - a list of system commands;
      
      a list of file permissions;
      
      a list of directory permissions;
      
      a list of network messages;
      
      a login attempt summary; and
      
      any measurable property of the system or application.
  - 6. The method of claim 1, wherein the behavior profile is cryptographically protected.
  - 7. The method of claim 6, wherein the behavior profile is at least one of:
    - encrypted; and
      
      digitally signed.
  - 8. The method of claim 1, further comprising:
    - if the behavior of the application does not conform to the behavior profile, generating a log file describing how the application is not conforming to the behavior profile.
  - 9. The method of claim 1, further comprising:
    - if the behavior of the application does not conform to the behavior profile, quitting the application that is not conforming to the behavior profile.
  - 10. The method of claim 1, further comprising:
    - if the behavior of the application does not conform to the behavior profile, prompting the user to determine whether to quit the application that is not conforming to the behavior profile.

11. A computer readable medium including computer instructions for detecting intrusions, the computer instructions including instructions for:
- receiving a behavior profile associated with an application;
  
  reading the behavior profile associated with the application;
  
  monitoring execution of the application, according to the behavior profile; and
  
  if the behavior of the application does not conform to the behavior profile, issuing a message indicating that the application is not conforming to the behavior profile.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer readable medium claim 11, where the application comprises any one of:
    - a software program running on a computer system;
      
      a computer network;
      
      a user interfacing with a computer system;
      
      a plurality of computer systems; and
      
      a distributed application.
  - 13. The computer readable medium of claim 12, wherein the behavior profile is generated by at least one of:
    - a developer of the method;
      
      a developer of the application; and
      
      a third party developer.
  - 14. The computer readable medium of claim 11, wherein the behavior profile is generated by any one of:
    - executing the system on a reference computer system;
      
      heuristic determination; and
      
      a combination of executing the system on a reference computer system and heuristic determination.
  - 15. The computer readable medium of claim 11, wherein the behavior profile includes at least one of:
    - a list of system commands;
      
      a list of file permissions;
      
      a list of directory permissions;
      
      a list of network messages;
      
      a login attempt summary; and
      
      any measurable property of the system or application.
  - 16. The computer readable medium of claim 11, wherein the behavior profile is cryptographically protected.
  - 17. The computer readable medium of claim 16, wherein the behavior profile is at least one of:
    - encrypted; and
      
      digitally signed.
  - 18. The computer readable medium of claim 11, further comprising:
    - if the behavior of the application does not conform to the behavior profile, generating a log file describing how the application is not conforming to the behavior profile.
  - 19. The computer readable medium of claim 11, further comprising:
    - if the behavior of the application does not conform to the behavior profile, quitting the application that is not conforming to the behavior profile.
  - 20. The computer readable medium of claim 11, further comprising:
    - if the behavior of the application does not conform to the behavior profile, prompting the user to determine whether to quit the application that is not conforming to the behavior profile.

21. A computer system for detecting intrusions, comprising:
- a first memory for storing an application;
  
  a second memory for storing a behavior profile associated with the application;
  
  a monitor, communicatively coupled with the first memory and the second memory, for monitoring execution of the application, according to the behavior profile;
  
  a warning module, communicatively coupled with the monitor, for issuing a message indicating that the application is not conforming to the behavior profile.
- View Dependent Claims (22)
- - 22. The computer system of claim 21, wherein the behavior profile is predefined when stored in the second memory, and wherein the behavior profile is generated by at least one of:
    - a developer of software for the monitor;
      
      a developer of the application; and
      
      a third party developer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Albornoz, Jordi A.

Granted Patent

US 7,464,158 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

Secure initialization of intrusion detection system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure initialization of intrusion detection system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links