Methodology, system, and computer readable medium for detecting operating system exploitations
Abstract
A system, computerized method and computer-readable medium are provided for the detection of an operating system exploitation, such as a rootkit install. The operating system is monitored to ascertain an occurrence of anomalous activity resulting from operating system behavior which deviates from any one of a set of pre-determined operating system parameters. Each parameter corresponds to a dynamic characteristic associated with an unexploited operating system. Output can then be generated to indicate any anomalous activity that is ascertained. The computer-readable medium may comprise a loadable kernel module for detecting hidden patches, processes, files or other kernel modules.
21 Claims
1. A system for detecting an operating system exploitation which is of a type that renders a computer insecure, said system comprising:
(a) a storage device;
(b) an output device; and
(c) a processor programmed to:
(1) monitor the operating system to ascertain an occurrence of anomalous activity resulting from operating system behavior which deviates from any one of a set of pre-determined operating system parameters, wherein each of said pre-determined operating system parameters corresponds to a dynamic characteristic associated with an unexploited said operating system; and
(2) generate output on said output device which is indicative of any said anomalous activity that is ascertained.
(Dependent claims: 2, 3, 4, 5)
6. A system for detecting an operating system exploitation which is of a type that renders a computer insecure, said system comprising:
(a) storage means;
(b) output means;
(c) processing means for:
(1) monitoring the operating system to ascertain an occurrence of any anomalous activity resulting from behavior which deviates from any one of a set of pre-determined operating system parameters, wherein each of said pre-determined operating system parameters corresponds to a dynamic characteristic associated with an unexploited said operating system; and
(2) generating output on said output means which is indicative of any anomalous activity that is ascertained.
7. A computerized method for detecting exploitation of a computer operating system, comprising:
(a) establishing a set of operating system parameters, each corresponding to a dynamic characteristic associated with an unexploited operating system;
(b) monitoring the operating system to ascertain an occurrence of any anomalous activity resulting from behavior which deviates from any one of the set of operating system parameters; and
(c) generating output indicative of a detected exploitation upon ascertaining said anomalous activity.
(Dependent claims: 8, 9, 10)
11. A computerized method for detecting exploitation of a selected type of operating system, wherein the exploitation is one which renders a computer insecure, and whereby said method is capable of detecting said exploitation irrespective of whether the exploitation is signature-based and without a prior baseline view of the operating system, said method comprising:
monitoring the operating system to ascertain an occurrence of any anomalous activity resulting from behavior which deviates from any one of a set of operating system parameters, each operating system parameter corresponding to a dynamic characteristic associated with an unexploited operating system of the selected type.
(Dependent claims: 12, 13)
14. A computer-readable medium for use in detecting rootkit installations on a computer running an operating system, said computer-readable medium comprising a loadable kernel module having executable instructions for performing a method comprising:
monitoring the operating system to ascertain an occurrence of any anomalous activity resulting from behavior which deviates from any one of a set of dynamic operating system parameters, each operating system parameter corresponding to a dynamic characteristic associated with an unexploited operating system of the selected type.
(Dependent claims: 15, 16)
17. A computer-readable medium for use in detecting a rootkit exploitation of a computer running a Linux operating system, wherein said rootkit exploitation is of a type that renders the computer insecure, said computer-readable medium comprising:
(a) a loadable kernel module having executable instructions for performing a method comprising:
analyzing the operating system's memory to detect an existence of any hidden kernel module;
analyzing the operating system's system call table to detect an existence of any hidden patch thereto;
analyzing the computer to detect an existence of any hidden process; and
analyzing the computer to detect an existence of any hidden file.
(Dependent claims: 18, 19, 20, 21)
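The "hidden process" element of claim 17 is the one that can be illustrated without loading a kernel module. A rootkit that hides a process typically filters the directory listing of /proc (the getdents path), so the process disappears from ps and top while the kernel still tracks it. The cross-view check below, an added example that is not code from the patent or its assignee, takes two views of the same dynamic characteristic (the set of live PIDs) through two independent interfaces, readdir(3) on /proc and kill(2) with signal 0, and reports any PID that the second view shows alive but the first omits. The array bound, the fallback pid_max of 32768 and the constructed sample PIDs in demo_constructed_scan() are assumptions for the example; the live scan in main() reads the real limit from /proc/sys/kernel/pid_max. A rootkit that hooks both interfaces defeats this userland check, which is the reason the claimed method runs inside the kernel as a loadable module.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_PIDS 65536            /* assumption: upper bound on live processes we track */
#define PID_MAX_FALLBACK 32768    /* assumption: used only if /proc/sys/kernel/pid_max is unreadable */

/* View 1: PIDs the kernel reports through readdir(3) on /proc.  A getdents-hooking
   rootkit filters exactly this view, so a hidden process is absent here. */
static size_t collect_proc_pids(int *out, size_t max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    size_t n = 0;
    if (!d) return 0;
    while (n < max && (e = readdir(d)) != NULL) {
        const char *p = e->d_name;
        int all_digits = (*p != '\0');
        for (; *p; p++) if (!isdigit((unsigned char)*p)) { all_digits = 0; break; }
        if (all_digits) out[n++] = atoi(e->d_name);
    }
    closedir(d);
    return n;
}

static int read_pid_max(void)
{
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    int v = 0;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = 0; fclose(f); }
    return v > 0 ? v : PID_MAX_FALLBACK;
}

/* View 2: kill(pid, 0) sends no signal; it returns 0 (or fails with EPERM) when a
   process with that PID exists and fails with ESRCH when it does not.  This never
   consults /proc, so it is an independent view of the same kernel state. */
static size_t probe_pids(int *out, size_t max, int limit)
{
    size_t n = 0;
    for (int pid = 1; pid <= limit && n < max; pid++) {
        errno = 0;
        if (kill(pid, 0) == 0 || errno == EPERM) out[n++] = pid;
    }
    return n;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Cross-view diff: PIDs present in the probe view but absent from the readdir view.
   A PID seen by readdir but not by the probe (a process that exited between the two
   scans) is not anomalous and is ignored. */
size_t find_hidden_pids(const int *seen, size_t n_seen,
                        const int *probed, size_t n_probed,
                        int *hidden, size_t max_hidden)
{
    int *sorted = n_seen ? malloc(n_seen * sizeof *sorted) : NULL;
    size_t n_hidden = 0;
    if (n_seen && !sorted) return 0;
    if (n_seen) {
        memcpy(sorted, seen, n_seen * sizeof *sorted);
        qsort(sorted, n_seen, sizeof *sorted, cmp_int);
    }
    for (size_t i = 0; i < n_probed && n_hidden < max_hidden; i++)
        if (n_seen == 0 || !bsearch(&probed[i], sorted, n_seen, sizeof *sorted, cmp_int))
            hidden[n_hidden++] = probed[i];
    free(sorted);
    return n_hidden;
}

/* Filter the race where a process spawned or exited between the two scans: a
   candidate is confirmed only if it is still alive and still missing from a fresh
   /proc listing. */
static int confirm_hidden(int pid)
{
    static int again[MAX_PIDS];
    errno = 0;
    if (kill(pid, 0) != 0 && errno != EPERM) return 0;   /* gone: a race, not hiding */
    size_t n = collect_proc_pids(again, MAX_PIDS);
    for (size_t i = 0; i < n; i++) if (again[i] == pid) return 0;
    return 1;
}

/* Constructed sample, not live data: PIDs 1337 and 9001 answer kill(2) but are
   missing from the readdir view; PID 77 exited between scans and must not be flagged. */
size_t demo_constructed_scan(int *hidden, size_t max_hidden)
{
    static const int seen[]   = {1, 2, 77, 100, 4242};
    static const int probed[] = {1, 2, 100, 1337, 4242, 9001};
    return find_hidden_pids(seen, 5, probed, 6, hidden, max_hidden);
}

int main(void)
{
    static int seen[MAX_PIDS], probed[MAX_PIDS], hidden[MAX_PIDS];
    size_t n_seen = collect_proc_pids(seen, MAX_PIDS);
    size_t n_probed = probe_pids(probed, MAX_PIDS, read_pid_max());
    size_t n_hidden = find_hidden_pids(seen, n_seen, probed, n_probed, hidden, MAX_PIDS);
    size_t confirmed = 0;
    for (size_t i = 0; i < n_hidden; i++)
        if (confirm_hidden(hidden[i])) { printf("hidden process: pid %d\n", hidden[i]); confirmed++; }
    printf("%zu pids via /proc, %zu via kill(2) probe, %zu confirmed hidden\n", n_seen, n_probed, confirmed);
    return confirmed ? 1 : 0;
}
```

Run it as root if you want the probe to cover every PID; as an unprivileged user kill(2) still reports EPERM for processes you cannot signal, so the view stays complete. The same two-view pattern generalizes to the claim's other elements inside the kernel: walk the module list against the memory the module loader has mapped, and compare each sys_call_table entry against the address range of the kernel's own text.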