System and method for state transition intrusion detection
First Claim
1. A state transition intrusion detection system comprising:
- a storage including means adapted for storing executable code defining transitions between a plurality of states of an associated device;
- the storage including means adapted for storing an encrypted state table representative of acceptable state transitions defined in the executable code;
- monitoring means adapted for monitoring transitions between the plurality of states during execution of the code;
- comparison means adapted for comparing monitored state transitions to the state table; and
- means adapted for generating an output representative of an unacceptable state transition in accordance with an output of the comparison means.
Abstract
A system and method for state transition intrusion detection is provided. The system and method employ a state transition file, containing a listing or table of all available state transitions associated with a given operation. A log file is then generated using state transition data gathered during the performance of a given operation. Depending upon the instructions present in the state transition file, one or more state transitions in the log file are digitally signed. To determine if an intrusion has occurred, the log file is analyzed, state transition by state transition. This analysis is accomplished by comparing the signatures associated with the state transitions in the log file with those signatures contained in the state transition file, thereby detecting any erroneous signatures. Each operation capable of being performed is accounted for in the state transition file such that all available state transitions associated with the operation are stored in the file. The type of operation represented in the log file is then determined and the transitions contained in the log file are compared to those transitions associated with the operation type in the state transition file. Any missing state transitions denote tampering or modification of the log file, indicating an intrusion, whereupon an administrator is notified.
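The abstract describes an analysis loop: a state transition file lists, per operation, every acceptable transition and marks which of them are to be signed; a log recorded during the operation is then walked transition by transition, each logged signature is checked against the file, and any transition present in the file but absent from the log is flagged as tampering. The following Python is an added example of that loop and is not code from the patent. It assumes an HMAC-SHA256 tag as a stand-in for the "digital signature" the abstract mentions (a keyed MAC, not an asymmetric signature), a constructed key, constructed operation and log data, and a plain dictionary for the state table; encryption of the table at rest, which the claims require, is not shown.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment would hold this in protected storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed state transition file: for each operation, the acceptable
# transitions in order, with a flag saying whether that transition is signed.
DEMO_OPERATIONS = {
    "login": [
        ("idle", "auth_request", True),
        ("auth_request", "verified", True),
        ("verified", "session_open", False),   # unsigned transition
    ],
}


def sign_transition(key, op, src, dst):
    """Tag one transition of one operation (HMAC stands in for a signature)."""
    msg = f"{op}:{src}->{dst}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_state_table(key, operations):
    """Expand the transition file into {op: {(src, dst): tag_or_None}}."""
    table = {}
    for op, transitions in operations.items():
        table[op] = {
            (src, dst): (sign_transition(key, op, src, dst) if signed else None)
            for src, dst, signed in transitions
        }
    return table


def make_log(key, op, transitions):
    """Simulate the log written while an operation runs: (src, dst, tag)."""
    return [
        (src, dst, sign_transition(key, op, src, dst) if signed else None)
        for src, dst, signed in transitions
    ]


def analyze_log(table, op, log):
    """Walk the log transition by transition and compare it to the table.

    Returns a report with the transitions whose tag is wrong or which are not
    in the table at all, plus the table transitions missing from the log.
    """
    expected = table.get(op)
    if expected is None:
        return {"ok": False, "reason": "unknown operation", "bad": [], "missing": []}
    bad, seen = [], set()
    for src, dst, tag in log:
        key = (src, dst)
        if key not in expected:
            bad.append((src, dst, "not in table"))
            continue
        want = expected[key]
        if want is not None and (tag is None or not hmac.compare_digest(tag, want)):
            bad.append((src, dst, "bad signature"))
        seen.add(key)
    # Any transition the table requires but the log lacks denotes tampering.
    missing = [t for t in expected if t not in seen]
    ok = not bad and not missing
    return {"ok": ok, "reason": None if ok else "tampering detected", "bad": bad, "missing": missing}


def notify_administrator(report):
    """Placeholder for the administrator notification; here it just formats text."""
    if report["ok"]:
        return "log verified"
    return f"ALERT: {report['reason']} bad={report['bad']} missing={report['missing']}"


if __name__ == "__main__":
    table = build_state_table(DEMO_KEY, DEMO_OPERATIONS)
    good = make_log(DEMO_KEY, "login", DEMO_OPERATIONS["login"])
    print(notify_administrator(analyze_log(table, "login", good)))
    # Constructed tampered log: the second transition has been removed.
    print(notify_administrator(analyze_log(table, "login", good[:1] + good[2:])))
```

The tag check uses `hmac.compare_digest` so that a forged tag cannot be distinguished from a valid one by timing, and the missing-transition check is what catches a log from which an entry was deleted outright, which no per-entry signature alone would reveal.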
20 Claims
1. A state transition intrusion detection system comprising:
- a storage including means adapted for storing executable code defining transitions between a plurality of states of an associated device;
- the storage including means adapted for storing an encrypted state table representative of acceptable state transitions defined in the executable code;
- monitoring means adapted for monitoring transitions between the plurality of states during execution of the code;
- comparison means adapted for comparing monitored state transitions to the state table; and
- means adapted for generating an output representative of an unacceptable state transition in accordance with an output of the comparison means.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A state transition intrusion detection method comprising the steps of:
- storing executable code defining transitions between a plurality of states of an associated device;
- storing an encrypted state table representative of acceptable state transitions defined in the executable code;
- monitoring transitions between the plurality of states during execution of the code;
- comparing monitored state transitions to the state table; and
- generating an output representative of an unacceptable state transition in accordance with an output of the comparison of the monitored state transitions.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computer-implemented method for state transition intrusion detection comprising the steps of:
- storing executable code defining transitions between a plurality of states of an associated device;
- storing an encrypted state table representative of acceptable state transitions defined in the executable code;
- monitoring transitions between the plurality of states during execution of the code;
- comparing monitored state transitions to the state table; and
- generating an output representative of an unacceptable state transition in accordance with an output of the comparison of the monitored state transitions.
Dependent claims: 16, 17, 18, 19, 20.
Specification