Intrusion detection via high dimensional vector matching
Abstract
A method is provided for detecting intrusions to a computing environment. The method includes: monitoring system calls made to an operating system during a defined period of time; evaluating the system calls made during the defined time period in relation to system calls made during known intrusions; and evaluating the temporal sequence in which system calls were made during the defined time period when the system calls made match the system calls made during a known intrusion. If a potential intrusion is detected at this first stage, a second, more detailed detection scheme may then be applied. For instance, the second detection scheme may assess the temporal sequence in which the system calls were made and/or the system files accessed by the system calls.
22 Claims
1. A method for detecting intrusions to a computing environment, comprising:
- monitoring service requests in the computing environment over a defined period of time;
- constructing a vector which represents the occurrence of different system calls; and
- comparing the vector to a plurality of stored vectors, where each of the stored vectors represents system calls made in a potential intrusion.
Dependent claims: 2 through 12.
13. A method for detecting intrusions to a computing environment, comprising:
- monitoring service requests in the computing environment over a defined period of time;
- constructing a vector which represents system calls and system files accessed by the system call during the defined time period; and
- comparing the constructed vector to a plurality of stored vectors, where each of the stored vectors represents system calls and system files accessed by the system calls during known intrusions.
Dependent claims: 14, 15 and 16.
17. A method for detecting intrusions to a computing environment, comprising:
- monitoring system calls made to an operating system during a defined period of time;
- evaluating the system calls made during the defined time period in relation to system calls made during known intrusions; and
- evaluating the temporal sequence in which system calls were made during the defined time period when the system calls made match the system calls made during a known intrusion.
Dependent claims: 18 through 21.
22. An intrusion detection system, comprising:
- a first data store operable to store a plurality of vectors, where each vector represents system calls made in a potential intrusion;
- a first stage detector having access to the first data store and operable to monitor system calls made to an operating system, the first stage detector further operable to construct an array which represents system calls made during a defined period of time and compare the array to the plurality of stored vectors to detect a potential intrusion;
- a second data store operable to store a plurality of secondary vectors, where each secondary vector represents a temporal order in which system calls are made in a potential intrusion; and
- a second stage detector having access to the second data store and operable to evaluate the temporal order in which system calls were made to the operating system.
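The two-stage scheme described in the abstract and in claims 1, 17 and 22 can be shown end to end in a small detector. The example below is added here and is not code from the patent or its assignee: the first stage builds an occurrence vector of system calls over a window and compares it by cosine similarity to stored intrusion vectors; the second stage, run only on first-stage hits, checks whether the calls appear in the stored temporal order. The signatures, the syscall traces, the 0.8 threshold and all function names are constructed for illustration.

```python
"""Two-stage syscall-vector intrusion detector (illustrative, constructed example)."""
from collections import Counter
from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Constructed intrusion signatures (hypothetical, not taken from the patent).
# "counts" is the first-stage stored vector (claim 1 / first data store);
# "order" is the second-stage temporal vector (claim 17 / second data store).
SIGNATURES: List[Dict] = [
    {
        "name": "spawn-after-read",
        "counts": {"open": 1, "read": 1, "fork": 1, "execve": 1},
        "order": ["open", "read", "fork", "execve"],
    },
    {
        "name": "file-tamper",
        "counts": {"open": 1, "write": 1, "chmod": 1, "close": 1},
        "order": ["open", "write", "chmod", "close"],
    },
]

# Fixed dimension order so that every vector has the same layout.
VOCAB: List[str] = sorted({call for sig in SIGNATURES for call in sig["counts"]})


def vector_from_counts(counts: Dict[str, int], vocab: Sequence[str] = VOCAB) -> List[int]:
    """Lay out a {syscall: count} mapping as a vector in vocab order."""
    return [counts.get(call, 0) for call in vocab]


def build_vector(trace: Sequence[str], vocab: Sequence[str] = VOCAB) -> List[int]:
    """Claim 1: count how often each system call occurred in the window."""
    return vector_from_counts(Counter(trace), vocab)


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity: 1.0 means the same mix of calls regardless of volume."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def first_stage(trace: Sequence[str], signatures: List[Dict] = SIGNATURES,
                threshold: float = 0.8) -> List[Tuple[Dict, float]]:
    """Compare the window's vector against every stored intrusion vector."""
    observed = build_vector(trace)
    hits = []
    for sig in signatures:
        score = cosine(observed, vector_from_counts(sig["counts"]))
        if score >= threshold:
            hits.append((sig, score))
    return hits


def is_ordered_subsequence(order: Sequence[str], trace: Sequence[str]) -> bool:
    """Claim 17: true if the stored calls appear in the trace in that order."""
    it = iter(trace)  # each `call in it` consumes the trace up to the match
    return all(call in it for call in order)


def detect(trace: Sequence[str], signatures: List[Dict] = SIGNATURES,
           threshold: float = 0.8) -> List[Tuple[str, float, bool]]:
    """Run both stages; returns (signature name, similarity, order confirmed)."""
    results = []
    for sig, score in first_stage(trace, signatures, threshold):
        confirmed = is_ordered_subsequence(sig["order"], trace)
        results.append((sig["name"], round(score, 3), confirmed))
    return results


# Constructed sample windows of system calls.
BENIGN_TRACE = ["open", "read", "close"]
INTRUSION_TRACE = ["open", "read", "fork", "execve"]
REORDERED_TRACE = ["fork", "execve", "open", "read"]        # same mix, wrong order
NOISY_INTRUSION_TRACE = ["open", "read", "read", "fork", "execve", "close"]

if __name__ == "__main__":
    for label, trace in [("benign", BENIGN_TRACE), ("intrusion", INTRUSION_TRACE),
                         ("reordered", REORDERED_TRACE), ("noisy", NOISY_INTRUSION_TRACE)]:
        print(label, build_vector(trace), detect(trace))
```

The reordered trace shows why the second stage exists: its occurrence vector is identical to the signature, so the first stage alone would raise an alert, but the temporal check rejects it. Conversely the noisy trace still clears the similarity threshold because cosine similarity tolerates extra calls; in practice the threshold has to be tuned against benign traffic for the same workload, and calls outside the vocabulary are simply ignored by this vector layout.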