System and method for intrusion decision-making in autonomic computing environments
Abstract
A mechanism is provided for performing intrusion decision-making using a plurality of approaches. Detection approaches may include, for example, signature-based, anomaly-based, scan-based, and danger theory approaches. When event information is received, each approach produces a result. A consensus across these results is then reached by using, for example, Bayesian filtering. A corpus is kept for each approach. An intrusion corpus keeps the combinations of the per-approach corpora that constitute intrusions. A safe corpus keeps the combinations of the per-approach corpora that do not constitute an intrusion. The corpora for the approaches may be pre-defined according to security policies and the like. The intrusion corpus and the safe corpus may be trained using scores that are determined using the detection approaches.
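The abstract describes combining per-approach results with Bayesian filtering against an intrusion corpus and a safe corpus. The following is an added illustration, not code from the patent: each approach (signature, anomaly, scan, danger theory) is assumed to report a "hit" or "clear" verdict, the two corpora count verdicts per approach for labelled events, and a naive-Bayes product with Laplace smoothing yields the intrusion score; the training history is constructed sample data, and seeding the corpora from a security policy would use the same train call.

```python
from collections import Counter

APPROACHES = ("signature", "anomaly", "scan", "danger")  # each reports "hit" or "clear"


class BayesianConsensus:
    """Naive-Bayes consensus: P(intrusion | per-approach verdicts)."""

    def __init__(self, prior_intrusion=0.5, alpha=1.0):
        self.prior = prior_intrusion
        self.alpha = alpha  # Laplace smoothing: an unseen verdict never zeroes a class
        # intrusion corpus and safe corpus: per approach, how often each verdict occurred
        self.corpus = {lbl: {a: Counter() for a in APPROACHES} for lbl in ("intrusion", "safe")}
        self.events = Counter()  # labelled events per corpus

    def train(self, verdicts, label):
        """Add one labelled combination of verdicts to the matching corpus."""
        self.events[label] += 1
        for approach in APPROACHES:
            self.corpus[label][approach][verdicts[approach]] += 1

    def _likelihood(self, label, verdicts):
        p = 1.0
        for approach in APPROACHES:  # smoothed P(verdict | label), two verdict values
            count = self.corpus[label][approach][verdicts[approach]]
            p *= (count + self.alpha) / (self.events[label] + 2 * self.alpha)
        return p

    def score(self, verdicts):
        """Posterior probability that this combination constitutes an intrusion."""
        p_int = self.prior * self._likelihood("intrusion", verdicts)
        p_safe = (1.0 - self.prior) * self._likelihood("safe", verdicts)
        return p_int / (p_int + p_safe)

    def is_intrusion(self, verdicts, threshold=0.5):
        return self.score(verdicts) >= threshold


def build_detector():
    """Train on a constructed history of six labelled events (sample data, not real)."""
    history = [  # (signature, anomaly, scan, danger), label
        (("hit", "hit", "clear", "hit"), "intrusion"),
        (("hit", "clear", "hit", "hit"), "intrusion"),
        (("clear", "hit", "hit", "hit"), "intrusion"),
        (("clear", "clear", "clear", "clear"), "safe"),
        (("clear", "hit", "clear", "clear"), "safe"),  # benign anomaly, e.g. a backup window
        (("hit", "clear", "clear", "clear"), "safe"),  # signature known to false-positive
    ]
    det = BayesianConsensus()
    for verdicts, label in history:
        det.train(dict(zip(APPROACHES, verdicts)), label)
    return det
```

With this history a lone signature hit scores about 0.11 and is not flagged, while an anomaly hit together with a danger-theory hit scores about 0.67 and is, which is the consensus effect the abstract describes.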
23 Claims
1. A method for detecting intrusions in a data processing system, the method comprising:
- receiving behavior information;
- determining a score using a plurality of intrusion detection analysis approaches; and
- determining whether the behavior information constitutes an intrusion based on the score.
(Dependent claims 2 through 12 depend on claim 1 and are not reproduced here.)

13. A computer program product, in a computer readable medium, for detecting intrusions in a data processing system, the computer program product comprising:
- instructions for receiving behavior information;
- instructions for determining a score using a plurality of intrusion detection analysis approaches; and
- instructions for determining whether the behavior information constitutes an intrusion based on the score.
(Dependent claims 14 through 22 depend on claim 13 and are not reproduced here.)

23. An apparatus for detecting intrusions in a data processing system, the apparatus comprising:
- means for receiving behavior information;
- means for determining a score using a plurality of intrusion detection analysis approaches; and
- means for determining whether the behavior information constitutes an intrusion based on the score.