System and method for using timestamps to detect attacks
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
9 Claims
1. A system for detecting intrusions on a host, comprising:
a) a filesystem scanner configured to examine timestamps of files and directories in a filesystem; and
b) an analysis engine configured to compare timestamps of a directory and of files in the directory, and assign a suspicion value to the directory or file if the timestamps are inconsistent.
Dependent claims: 2 and 3.
4. A method for detecting intrusions on a host, comprising:
examining timestamps of files and directories in a filesystem;
comparing timestamps of a directory and of files in the directory; and
assigning a suspicion value to the directory or file if the timestamps are inconsistent.
Dependent claims: 5 and 6.
7. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium and comprising computer instructions for:
examining timestamps of files and directories in a filesystem;
comparing timestamps of a directory and of files in the directory; and
assigning a suspicion value to the directory or file if the timestamps are inconsistent.
Dependent claims: 8 and 9.
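A scanner in the spirit of claims 1, 4 and 7, added here as an illustration and not the patent's own implementation: it walks a tree, compares each inode's mtime and ctime with each other and with the containing directory's mtime, and accumulates a suspicion value per file or directory. The rules assume POSIX ctime semantics (inode change time, not creation time); the point weights and the one-second and one-day thresholds are assumptions, and the tree it scans is a constructed fixture in a temporary directory.

```python
import os
import tempfile
import time

DAY = 86400.0

def score_times(mtime, ctime, parent_mtime, now, is_dir=False):
    """Suspicion value for one inode from its own times and its parent's mtime.
    Assumes POSIX ctime semantics (inode change time, not creation time)."""
    score, reasons = 0, []
    # utime()/touch refresh ctime when they set mtime, so mtime later than ctime
    # cannot come from ordinary file operations.
    if mtime > ctime + 1.0:
        score, reasons = score + 3, reasons + ["mtime later than ctime"]
    if max(mtime, ctime) > now + 60.0:
        score, reasons = score + 2, reasons + ["timestamp in the future"]
    # Inode changed long after its claimed content time, and that content time
    # also predates the directory's last entry change: the shape left by backdating
    # a freshly dropped file. chmod/chown and archive extraction with preserved
    # mtimes look the same, hence only one point (it is a suspicion value, not a verdict).
    if (not is_dir and parent_mtime is not None
            and ctime - mtime > DAY and mtime < parent_mtime):
        score, reasons = score + 1, reasons + ["content time predates inode and directory change"]
    return score, reasons

def scan(root, now=None):
    """Walk root; return (path, suspicion, reasons) for every flagged inode."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = os.lstat(dirpath)
        s, r = score_times(d.st_mtime, d.st_ctime, None, now, is_dir=True)
        if s:
            findings.append((dirpath, s, r))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            s, r = score_times(st.st_mtime, st.st_ctime, d.st_mtime, now)
            if s:
                findings.append((path, s, r))
    return findings

def demo():
    """Constructed fixture: one normal file and one file backdated by two years."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("notes.txt", "backdated.bin"):
            with open(os.path.join(tmp, name), "w") as f:
                f.write("sample\n")
        old = time.time() - 730 * DAY
        os.utime(os.path.join(tmp, "backdated.bin"), (old, old))  # ctime stays "now"
        return [(os.path.basename(p), s, r) for p, s, r in scan(tmp)]
```

Running `demo()` flags only `backdated.bin`; the untouched `notes.txt` and the directory itself score zero.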