System and method for using timestamps to detect attacks

US 20070157315A1
Filed: 02/27/2007
Published: 07/05/2007
Est. Priority Date: 08/30/1999
Status: Active Grant

First Claim

Patent Images

1. A system for detecting intrusions on a host, comprising:

a) a filesystem scanner configured to examine timestamps of files and directories in a filesystem; and

b) an analysis engine configured to compare timestamps of a directory and of files in the directory, and assign a suspicion value to the directory or file if the timestamps are inconsistent.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

Citations

9 Claims

1. A system for detecting intrusions on a host, comprising:
- a) a filesystem scanner configured to examine timestamps of files and directories in a filesystem; and
  
  b) an analysis engine configured to compare timestamps of a directory and of files in the directory, and assign a suspicion value to the directory or file if the timestamps are inconsistent.
- View Dependent Claims (2, 3)
- - 2. The system as recited in claim 1, wherein the analysis engine is configured to treat timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
  - 3. The system as recited in claim 1, further comprising an archival source, wherein the filesystem scanner is configured to examine timestamps of files and directories from the archival source, and the analysis engine is further configured to compare the timestamps from the archival source to the timestamps of the directory and files in the directory.

4. A method for detecting intrusions on a host, comprising:
- examining timestamps of files and directories in a filesystem;
  
  comparing timestamps of a directory and of files in the directory; and
  
  assigning a suspicion value to the directory or file if the timestamps are inconsistent.
- View Dependent Claims (5, 6)
- - 5. The method as recited in claim 4, further including treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
  - 6. The method as recited in claim 4, wherein examining includes examining timestamps of files and directories from an archival source, and comparing includes comparing the timestamps from the archival source to the timestamps of the directory and files in the directory.

7. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium and comprising computer instructions for:
- examining timestamps of files and directories in a filesystem;
  
  comparing timestamps of a directory and of files in the directory; and
  
  assigning a suspicion value to the directory or file if the timestamps are inconsistent.
- View Dependent Claims (8, 9)
- - 8. The computer program product as recited in claim 7, the computer program product further comprising computer instructions for treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
  - 9. The computer program product as recited in claim 7, wherein examining includes examining timestamps of files and directories from an archival source, and comparing includes comparing the timestamps from the archival source to the timestamps of the directory and files in the directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas

Granted Patent

US 8,578,490 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 2463/121   Timestamp

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for using timestamps to detect attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using timestamps to detect attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links