Intrusion detection system

US 20060161982A1
Filed: 01/18/2005
Published: 07/20/2006
Est. Priority Date: 01/18/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of protecting a computer against attacks, said method comprising the steps of:

a) monitoring application requests for resources;

b) selectively virtualizing requested said resources; and

c) granting a requesting application access to virtualized said resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system (IDS), method of protecting computers against intrusions and program product therefor. The IDS determines which applications are to run in native environment (NE) and places the remaining applications in a sandbox. Some of the applications in sandboxes may be placed in a personalized virtual environment (PVE) in the sandbox. Upon detecting an attempted attack, a dynamic honeypot may be started for an application in a sandbox and not in a PVE. A virtualized copy of system resources may be created for each application in a sandbox and provided to the corresponding application in the respective sandbox.

137 Citations

30 Claims

1. A method of protecting a computer against attacks, said method comprising the steps of:
- a) monitoring application requests for resources;
  
  b) selectively virtualizing requested said resources; and
  
  c) granting a requesting application access to virtualized said resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method of protecting a computer as in claim 1, the step (a) of monitoring said application requests comprises:
    - i) determining whether said requesting application is operating in a sandbox; and
      
      ii) creating a virtual copy of said requested resources for a selected said requesting application determined to be operating in a sandbox, access to said virtualized resources being granted within said sandbox.
  - 3. A method of protecting a computer as in claim 1, wherein the step (b) of selectively virtualizing comprises determining whether said requested resources have been previously virtualized, access being granted to previously virtualized said requested resources.
  - 4. A method of protecting a computer as in claim 1, wherein the step (b) of selectively virtualizing comprises the steps of:
    - i) determining whether a defined plan calls for virtualizing said requested resources; and
      
      , whenever said defined plan calls for virtualizing, ii) creating a virtual image of said requested resources responsive to said defined plan.
  - 5. A method of protecting a computer as in claim 4, wherein for each said defined plan that does not call for virtualizing said requested resources, the step (b) of selectively virtualizing further comprises the steps of:
    - iii) determining whether said request violates sandbox boundaries; and
      
      iv) granting access to said requested resources for a determination that said request does not violate said sandbox boundaries.
  - 6. A method of protecting a computer as in claim 5, wherein said defined plan is a personalized virtual environment (PVE) plan and when a plurality of PVE plans may be selected, one of said plurality of PVE plans is selected responsive to operating parameters.
  - 7. A method of protecting a computer as in claim 6, wherein said operating parameters comprise:
    - the identity of said requesting application;
      
      environmental parameters;
      
      application attributes;
      
      an intended usage for said requesting application; and
      
      the identity of a computer system running said requesting application.
  - 8. A method of protecting a computer as in claim 4, wherein for said requesting application determined operating in other than a personalized virtual environment, said method further comprising before the step (b) of selectively virtualizing resources:
    - b1) constructing a honeypot; and
      
      b2) placing said requesting application in said honeypot, said requesting application being granted access to said virtualized resources in said honeypot.
  - 9. A method of protecting a computer as in claim 8, wherein said pre-defined plan is a pre-defined honeypot plan and when said pre-defined honeypot plan does not call for virtualizing said requested resources, the step (b) of selectively virtualizing further comprises the steps of:
    - iii) determining whether said request violates sandbox boundaries; and
      
      iv) granting access to said requested resources for a determination that said request does not violate said sandbox boundaries.
  - 10. A method of protecting a computer as in claim 9, wherein when a plurality of pre-defined honeypot plans may be selected, one of said plurality of pre-defined honeypot plans is selected responsive to operating parameters.
  - 11. A method of protecting a computer as in claim 10, wherein said operating parameters comprise:
    - environmental parameters;
      
      application attributes; and
      
      an intended usage for said requesting application.
  - 12. A method of protecting a computer as in claim 8, before the step (a) of monitoring applications, said method further comprising the steps of:
    - a1) determining whether an application should be placed in a sandbox;
      
      a2) erecting said sandbox; and
      
      a3) starting said application in said sandbox.
  - 13. A method of protecting a computer as in claim 12, wherein the step (a3) of starting said application comprises the steps of:
    - i) determining whether said application should be placed in a PVE;
      
      ii) building said PVE; and
      
      iii) starting said application in said PVE.

14. A computer system protected against external attacks, said computer system comprising:
- processing means for processing applications;
  
  an application interface interfacing said applications with system resources, said applications requesting system resources through said application interface;
  
  an intrusion detector monitoring application requests and identifying ones of said application requests as being potential attacks;
  
  a system resource virtualizer selectively virtualizing requested said system resources responsive to an identified potential attack; and
  
  means for granting access to virtualized said resources to a requesting one of said applications, said requesting one operating on said virtualized resources, said system resources being protected from said identified potential attack.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. A computer system as in claim 14, further comprising:
    - sandbox storage storing at least one defined sandbox plan;
      
      personal virtualized environment (PVE) storage storing at least one defined PVE plan; and
      
      honeypot storage storing at least one defined honeypot plan.
  - 16. A computer system as in claim 15, wherein said intrusion detector erects a sandbox around selected starting said applications according to a stored said defined sandbox plan, unselected ones of said starting applications being started in native environment.
  - 17. A computer system as in claim 16, further comprising a virtual machine monitor (VMM) selectively building a virtual machine (VM) and a PVE inside said VM according to a stored said defined PVE plan, one of said selected starting applications starting in said PVE contained in said erected sandbox.
  - 18. A computer system as in claim 17, wherein said intrusion detector builds honeypots around selected suspected attacking applications according to stored defined honeypot plans.
  - 19. A computer system as in claim 18, wherein for each requesting application in one said PVE, said means for granting access selectively creates said virtualized resources in said one PVE and grants access to selectively created said virtualized resources in said PVE responsive to said stored defined PVE plan.
  - 20. A computer system as in claim 19, wherein said intrusion detector selectively denies access to system resources to ones of said requesting applications associated with request for resources violating sandbox boundaries.
  - 21. A computer system as in claim 19, wherein for each requesting application in one said honeypot, said means for granting selectively access creates said virtualized resources in said one honeypot and grants access to selectively created said virtualized resources in said honeypot responsive to said stored defined honeypot plan.
  - 22. A computer system as in claim 21, wherein said intrusion detector selectively denies access to system resources to ones of said requesting applications associated with request for resources violating sandbox boundaries.

23. A computer program product for protecting a computer system against external attacks, said computer program product comprising a computer usable medium having computer readable program code thereon, said computer readable program code comprising:
- computer readable program code means for an application interface interfacing running applications with system resources, said running applications requesting system resources through said application interface;
  
  computer readable program code means for monitoring application requests and identifying ones of said application requests as being potential attacks;
  
  computer readable program code means for selectively virtualizing requested said resources responsive to identified potential attacks; and
  
  computer readable program code means for granting access to virtualized said resources to a requesting one of said running applications, said requesting one operating on said virtualized resources, said system resources being protected from said identified potential attacks.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. A computer program product as in claim 23, wherein said computer readable program code means for monitoring application requests comprises:
    - computer readable program code means for identifying starting applications as being susceptible to attacks;
      
      computer readable program code means for erecting intrusion detection around identified susceptible said applications;
      
      computer readable program code means for intercepting system calls from said identified susceptible applications and determining whether intercepted system calls indicate a potential attack; and
      
      computer readable program code means for selecting whether to virtualize resources for each indicated said potential attack.
  - 25. A computer program product as in claim 24, further comprising computer readable program code means for a virtual machine monitor (VMM) initiating virtual machines (VMs) in erected said intrusion detection, at least one said starting application being started in each initiated said virtual machines.
  - 26. A computer program product as in claim 25, wherein said VMM creates a personalized virtual environment (PVE) for each said at least one starting application.
  - 27. A computer program product as in claim 25, wherein said computer readable program code means for erecting intrusion detection around identified susceptible said applications comprises:
    - computer readable program code means for identifying starting applications as being susceptible to attacks;
      
      computer readable program code means for erecting a sandbox around identified said starting applications;
      
      computer readable program code means for intercepting system calls from said identified susceptible applications and determining whether intercepted system calls indicate a potential attack;
      
      computer readable program code means for selectively building a honeypot responsive to indicated potential attacks, selected ones of said identified susceptible applications being placed in honeypots; and
      
      computer readable program code means for selecting whether to virtualize resources for each indicated said potential attack, access being granted to virtualized said resources in a corresponding said sandbox.
  - 28. A computer program product as in claim 27, further comprising:
    - computer readable program code means for providing at least one defined sandbox plan, each said sandbox being erected responsive to one said at least one defined sandbox plan;
      
      computer readable program code means for providing at least one defined personal virtualized environment (PVE) plan, PVEs being selectively erected in one said sandbox responsive to one said at least one defined PVE plan; and
      
      computer readable program code means for providing at least one defined honeypot plan, honeypots being selectively erected in one said sandbox responsive to one said at least one defined honeypot plan.
  - 29. A computer program product as in claim 28, wherein said computer readable program code means for identifying starting applications starts ones of said starting applications in native environment, remaining said ones of said starting applications being identified as susceptible to attacks.
  - 30. A computer program product as in claim 28, wherein said computer readable program code means for detecting intrusions selectively denies access to system resources to ones of said requesting applications associated with request for resources violating sandbox boundaries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Rao, Josyula R., Rohatgi, Pankaj, Chari, Suresh N., Cheng, Pau-Chen, Steiner, Michael

Application Number

US11/037,695
Publication Number

US 20060161982A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/554 involving event detection a...

Intrusion detection system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

137 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links