Method and system for detecting intrusive anomalous use of a software system using multiple detection algorithms
Abstract
A method of detecting an intrusion into (or an anomaly in a behavior of) a target software system begins by instrumenting the target software system to generate behavior data representing a current observation or observation aggregate. The method then determines whether the current observation or observation aggregate warrants a second level examination; preferably, this determination is made by processing the current observation or observation aggregate through a first level detection algorithm that provides a first, provisional indication of a possible intrusion. If a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, the method continues by processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite, fine grain indication of a possible intrusion. The observation aggregates used by the first and second level detection algorithms may be the same or different. The first and second level detection algorithms may be executed in the same or different systems, machines or processors. The target software system operation may be suspended as the current observation or observation aggregate is processed through the one or more second level detection algorithms. A given action (e.g., sending an alert, logging the event, activating a countermeasure, or the like) may be taken if the result of the second level examination indicates a possible intrusion. Multiple algorithms may be executed together within a single examination level, with the individual results then analyzed to obtain a composite result or output indicative of intrusive or anomalous behavior.
38 Claims
1. A method of detecting an intrusion into a target software system, comprising:
instrumenting the target software system to generate behavior data representing a current observation or observation aggregate;
processing the current observation or observation aggregate through a first level detection algorithm that provides a first, provisional indication of a possible intrusion;
determining whether an intrusion has occurred or whether the current observation or observation aggregate warrants a second level examination; and
if a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite indication of a possible intrusion. (Dependent claims 2 to 15.)
16. A method of detecting an anomaly in a behavior of a target software system, comprising:
instrumenting the target software system to generate behavior data representing a current observation or observation aggregate;
determining whether the current observation or observation aggregate warrants a second level examination by processing the current observation or observation aggregate through a set of one or more first level detection algorithms to provide a first, provisional indication of a possible anomaly; and
if a result of executing the set of one or more first level detection algorithms indicates that the current observation or observation aggregate warrants a second level examination, processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite indication of a possible anomaly. (Dependent claims 17 to 26.)
27. A method of detecting an intrusion into a target software system that comprises a kernel mode and a user mode, comprising:
instrumenting the target software system to generate behavior data representing a current observation or observation aggregate;
in a first level examination, determining whether the current observation or observation aggregate warrants a second level examination by processing, in a sequential manner, the current observation or observation aggregate through a set of first level detection algorithms executing in the kernel mode that provides a first indication of a possible intrusion;
if a result of the first level examination indicates that the current observation or observation aggregate warrants a second level examination, processing the current observation or observation aggregate through at least one or more second level detection algorithms executing in the user mode to provide a second indication of a possible intrusion; and
as a result of the second level examination, taking a given action. (Dependent claims 28 to 30.)
31. A method of detecting an intrusion into a target software system that has been instrumented to generate behavior data representing a current observation or observation aggregate, comprising:
determining whether the current observation or observation aggregate warrants a second level examination by processing the current observation or observation aggregate through a first level detection algorithm that provides a first indication of a possible intrusion; and
if a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, processing the current observation or observation aggregate through a second level detection algorithm to provide a second indication of a possible intrusion;
wherein, as compared to the second level detection algorithm, the first level detection algorithm has greater computational efficiency. (Dependent claims 32 and 33.)
34. In a software system that has been instrumented to generate behavior data representing a current observation or observation aggregate, an intrusion detection mechanism comprising:
first level detection code executable in a processor to determine whether the current observation or observation aggregate represents a possible intrusion;
second level detection code, executable in a processor in response to a determination by the first level detection code that a possible intrusion is occurring, to attempt to verify occurrence of the possible intrusion; and
code executable in a processor that outputs a given indication upon a determination by the second level detection code that the possible intrusion has occurred.
35. A method of detecting intrusive or anomalous behavior associated with a target software system that has been instrumented to generate behavior data representing a current observation or observation aggregate, comprising:
at a given examination level within a hierarchical set of one or more examination levels, determining whether the current observation or observation aggregate is indicative of intrusive or anomalous behavior using a set of two or more algorithms executed in parallel or in sequence to produce a given output; and
taking a given action in response to the given output. (Dependent claims 36 to 38.)
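As an added example, not code from the patent, the following Python module implements the scheme described in the abstract and in claims 31 and 35: a cheap first level score over the instrumented behavior data gates a costlier second level examination, and within the second level several algorithms run together with their individual results combined into a composite verdict. The module names, the sample windows, the calibration data and all thresholds are constructed assumptions chosen for illustration.

```python
"""Two-level anomalous-use detection over instrumented behavior data.

Added illustration of the coarse-then-fine scheme in the abstract and claims;
this is not the patent's own code. Module names, windows, thresholds and the
calibration data below are constructed assumptions.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# One observation = the ordered module/function identifiers the instrumented
# target executed during one sampling window.
Observation = list[str]


@dataclass
class Profile:
    """Nominal behavior learned from a trusted calibration run of the target."""
    freq: dict[str, float]          # expected fraction of calls per module
    ngrams: set[tuple[str, ...]]    # length-n call sequences seen in calibration
    n: int


def build_profile(calibration: list[Observation], n: int = 3) -> Profile:
    counts: Counter[str] = Counter()
    grams: set[tuple[str, ...]] = set()
    for obs in calibration:
        counts.update(obs)
        grams.update(tuple(obs[i:i + n]) for i in range(len(obs) - n + 1))
    total = sum(counts.values())
    return Profile({m: c / total for m, c in counts.items()}, grams, n)


# --- first level: a single cheap pass over the window (the part that would run
#     in kernel mode in the claim-27 split)
def first_level_score(profile: Profile, obs: Observation) -> float:
    """Total-variation distance between the window's call mix and the nominal mix.

    0.0 means an identical mix, 1.0 a disjoint one; modules never seen during
    calibration count fully against the window.
    """
    seen = Counter(obs)
    size = len(obs)
    modules = set(seen) | set(profile.freq)
    return 0.5 * sum(abs(seen.get(m, 0) / size - profile.freq.get(m, 0.0))
                     for m in modules)


# --- second level: costlier per-sequence checks, run only when level one trips
def novel_ngram_rate(profile: Profile, obs: Observation) -> float:
    """Fraction of length-n call sequences never observed during calibration."""
    n = profile.n
    grams = [tuple(obs[i:i + n]) for i in range(len(obs) - n + 1)]
    return sum(g not in profile.ngrams for g in grams) / len(grams) if grams else 0.0


def unseen_module_rate(profile: Profile, obs: Observation) -> float:
    """Fraction of calls that go to modules absent from the calibration profile."""
    return sum(m not in profile.freq for m in obs) / len(obs)


def entropy_shift(profile: Profile, obs: Observation) -> float:
    """Absolute change, in bits, of the Shannon entropy of the call mix."""
    def h(ps):
        return -sum(p * math.log2(p) for p in ps if p > 0)
    seen = Counter(obs)
    return abs(h(c / len(obs) for c in seen.values()) - h(profile.freq.values()))


SECOND_LEVEL = {  # algorithm -> threshold at or above which it votes "intrusion"
    novel_ngram_rate: 0.10,
    unseen_module_rate: 0.05,
    entropy_shift: 0.50,
}


@dataclass
class Verdict:
    level1: float                    # provisional first level score
    level2: dict[str, float] | None  # per-algorithm results; None if level 2 was skipped
    intrusion: bool


def examine(profile: Profile, obs: Observation, l1_threshold: float = 0.15) -> Verdict:
    """Provisional first level check, then a composite second level examination.

    The second level runs every algorithm in SECOND_LEVEL and combines the
    individual results by majority vote, so one noisy indicator cannot raise
    an alert on its own.
    """
    score = first_level_score(profile, obs)
    if score < l1_threshold:
        return Verdict(score, None, False)
    results = {f.__name__: f(profile, obs) for f in SECOND_LEVEL}
    votes = sum(results[f.__name__] >= t for f, t in SECOND_LEVEL.items())
    return Verdict(score, results, votes * 2 > len(SECOND_LEVEL))


# Constructed sample data: a request loop (A), a rejected request (B) and an
# injected exec/spawn/connect sequence (C) that never occurred in calibration.
A = ["accept", "read", "parse", "lookup", "render", "write", "close"]
B = ["accept", "read", "parse", "reject", "close"]
C = ["accept", "read", "parse", "exec", "spawn", "connect", "write", "close"]
PROFILE = build_profile([A * 3, A * 2 + B, B + A * 2, A + B + A])

if __name__ == "__main__":
    for name, window in [("normal", A + B + A + B),
                         ("reject burst", B * 6),
                         ("injected", A + C + C + A)]:
        print(name, examine(PROFILE, window))
```

The three sample windows show the point of the hierarchy: the normal window never reaches the second level; the burst of rejected requests trips the cheap call-mix check but is cleared because only the entropy algorithm votes; the injected sequence trips the first level and then two of the three second level algorithms, so the composite reports an intrusion. The first level threshold is a security parameter as much as a performance one: a window the first level does not pass on is never examined in depth, so it should be calibrated against the miss rate on known-bad traces, not only against second level load.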