System and method for intrusion decision-making in autonomic computing environments

US 20050278178A1
Filed: 06/10/2004
Published: 12/15/2005
Est. Priority Date: 06/10/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting intrusions in a data processing system, the method comprising:

receiving behavior information;

determining a score using a plurality of intrusion detection analysis approaches; and

determining whether the behavior information constitutes an intrusion based on the score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is provided for performing intrusion decision-making using a plurality of approaches. Detection approaches may include, for example, signature-based, anomaly-based, scan-based, and danger theory approaches. When event information is received, each approach produces a result. A consensus of each result is then reached by using, for example, Bayesian Filtering. A corpus is kept for each approach. An intrusion corpus keeps combinations of the corpora for all of the approaches that constitute intrusions. A safe corpus keeps combinations of the corpora for all of the approaches that do not constitute an intrusion. The corpora for the approaches may be pre-defined according to security policies and the like. The intrusion corpus and the safe corpus may be trained using scores that are determined using the detection approaches.

Citations

23 Claims

1. A method for detecting intrusions in a data processing system, the method comprising:
- receiving behavior information;
  
  determining a score using a plurality of intrusion detection analysis approaches; and
  
  determining whether the behavior information constitutes an intrusion based on the score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein determining a score using a plurality of intrusion detection analysis approaches includes comparing the behavior information to a corpus for each intrusion detection analysis approach within the plurality of intrusion detection analysis approaches.
  - 3. The method of claim 1, further comprising:
    - if the behavior information constitutes an intrusion, training an intrusion corpus.
  - 4. The method of claim 3, further comprising:
    - if the behavior information does not constitute an intrusion, training a safe corpus.
  - 5. The method of claim 4, wherein the behavior information is first behavior information, the method further comprising:
    - receiving second behavior information;
      
      determining whether the second behavior information matches an entry in the intrusion corpus; and
      
      if the second behavior information matches an entry in the intrusion corpus, identifying the second behavior information as an intrusion.
  - 6. The method of claim 4, further comprising:
    - determining whether the second behavior information matches an entry in the safe corpus; and
      
      if the second behavior information matches an entry in the safe corpus, identifying the second behavior information as not constituting an intrusion.
  - 7. The method of claim 1, wherein the plurality of intrusion detection analysis approaches includes at least one of a signature-based approach, an anomaly-based approach, a scan-based approach, and a danger theory approach.
  - 8. The method of claim 1, wherein determining a score includes:
    - determining a result for each intrusion detection approach within the plurality of intrusion detection approaches based on the behavior information; and
      
      determining a consensus of each result to form a consensus score.
  - 9. The method of claim 8, wherein determining a consensus score includes performing filtering on the behavior information based on the result for each intrusion detection approach.
  - 10. The method of claim 9, wherein performing filtering includes using a multi-variant filtering technique.
  - 11. The method of claim 10, wherein the multi-variant filtering technique includes Bayesian filtering.
  - 12. The method of claim 8, wherein the consensus score is a ratio E:
    - F, where E is the likelihood that the behavior information constitutes an intrusion and F is the likelihood that the behavior information does not constitute an intrusion.

13. A computer program product, in a computer readable medium, for detecting intrusions in a data processing system, the computer program product comprising:
- instructions for receiving behavior information;
  
  instructions for determining a score using a plurality of intrusion detection analysis approaches; and
  
  instructions for determining whether the behavior information constitutes an intrusion based on the score.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The computer program product of claim 13, wherein the instructions for determining a score using a plurality of intrusion detection analysis approaches include instructions for comparing the behavior information to a corpus for each intrusion detection analysis approach within the plurality of intrusion detection analysis approaches.
  - 15. The computer program product of claim 13, further comprising:
    - instructions for training an intrusion corpus if the behavior information constitutes an intrusion.
  - 16. The computer program product of claim 15, further comprising:
    - instructions for training a safe corpus if the behavior information does not constitute an intrusion.
  - 17. The computer program product of claim 16, wherein the behavior information is first behavior information, the computer program product further comprising:
    - instructions for receiving second behavior information;
      
      instructions for determining whether the second behavior information matches an entry in the intrusion corpus; and
      
      instructions for identifying the second behavior information as an intrusion if the second behavior information matches an entry in the intrusion corpus.
  - 18. The computer program product of claim 16, further comprising:
    - instructions for determining whether the second behavior information matches an entry in the safe corpus; and
      
      instructions for identifying the second behavior information as not constituting an intrusion if the second behavior information matches an entry in the safe corpus.
  - 19. The computer program product of claim 13, wherein the plurality of intrusion detection analysis approaches includes at least one of a signature-based approach, an anomaly-based approach, a scan-based approach, and a danger theory approach.
  - 20. The computer program product of claim 13, wherein the instructions for determining a score include:
    - instructions for determining a result for each intrusion detection approach within the plurality of intrusion detection approaches based on the behavior information; and
      
      instructions for determining a consensus of each result to form a consensus score.
  - 21. The computer program product of claim 20, wherein the instructions for determining a consensus score include instructions for performing filtering on the behavior information based on the result for each intrusion detection approach.
  - 22. The computer program product of claim 20, wherein the consensus score is a ratio E:
    - F, where E is the likelihood that the behavior information constitutes an intrusion and F is the likelihood that the behavior information does not constitute an intrusion.

23. An apparatus for detecting intrusions in a data processing system, the apparatus comprising:
- means for receiving behavior information;
  
  means for determining a score using a plurality of intrusion detection analysis approaches; and
  
  means for determining whether the behavior information constitutes an intrusion based on the score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Simon, Kimberly DaShawn, Ratliff, Emily Jane, Girouard, Janice Marie

Application Number

US10/865,697
Publication Number

US 20050278178A1
Time in Patent Office

Days
Field of Search
US Class Current

704/270
CPC Class Codes

G06F 21/552 involving long-term monitor...

System and method for intrusion decision-making in autonomic computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intrusion decision-making in autonomic computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links