Intrusion detection via high dimensional vector matching

US 20080120720A1
Filed: 11/17/2006
Published: 05/22/2008
Est. Priority Date: 11/17/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting intrusions to a computing environment, comprising:

monitoring service requests in the computing environment over a defined period of time;

constructing a vector which represents the occurrence of different system calls; and

comparing the vector to a plurality of stored vectors, where each of the stored vectors represents system calls made in a potential intrusion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for detecting intrusions to a computing environment. The method includes: monitoring system calls made to an operating system during a defined period of time; evaluating the system calls made during the defined time period in relation to system calls made during known intrusions; and evaluating the temporal sequence in which system calls were made during the defined time period when the system calls made match the system calls made during a known intrusion. If a potential intrusion is detected at this stage, then a more complicated detection scheme may be performed by a second detection scheme. For instance, the second detection scheme may assess the temporal sequence in which the system calls were made and/or the system files accessed by the system calls.

Citations

22 Claims

1. A method for detecting intrusions to a computing environment, comprising:
- monitoring service requests in the computing environment over a defined period of time;
  
  constructing a vector which represents the occurrence of different system calls; and
  
  comparing the vector to a plurality of stored vectors, where each of the stored vectors represents system calls made in a potential intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein constructing a vector further comprises constructing a one-dimensional array, where each element of the array is indicative of a particular type of system call defined in the computing environment.
  - 3. The method of claim 2 wherein each element of the array is one bit, such that the bit is set to one when the system call was made and otherwise the bit is set to zero.
  - 4. The method of claim 3 wherein comparing the vector further comprises performing a binary comparison between the vector and each of the stored vectors.
  - 5. The method of claim 3 further comprises defining a format for the vector where system calls which more commonly occur in potential intrusions are positioned in the more significant bits of the array.
  - 6. The method of claim 1 wherein constructing a vector and comparing the vector occur substantially contemporaneously with monitoring service requests.
  - 7. The method of claim 1 further comprises constructing a second vector which represents system calls and system files accessed by the system call.
  - 8. The method of claim 7 further comprises comparing the second vector to a plurality of stored secondary vectors when the vector matches one of the stored vectors, where each of the secondary vectors represents system calls and system files accessed by the system calls during known intrusions.
  - 9. The method of claim 7 further comprises constructing the second vector such that the system calls are sequenced in a temporal order.
  - 10. The method of claim 9 further comprises constructing the second vector such that each system call in the sequence is followed by the system file accessed by the system call.
  - 11. The method of claim 8 wherein comparing the second vector further comprises inputting the second vector into a maximum entropy classifier, where the plurality of stored secondary vectors serves as training data for the classifier.
  - 12. The method of claim 11 further comprises deriving an n-gram sequence from the second vector and inputting the n-gram sequence into the maximum entropy classifier.

13. A method for detecting intrusions to a computing environment, comprising:
- monitoring service requests in the computing environment over a defined period of time;
  
  constructing a vector which represents system calls and system files accessed by the system call during the defined time period; and
  
  comparing the constructed vector to a plurality of stored vectors, where each of the stored vectors represents system calls and system files accessed by the system calls during known intrusions.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13 further comprises constructing the vector such that the system calls are sequenced in a temporal order.
  - 15. The method of claim 13 further comprises constructing the vector such that each system call in the sequence is followed by the system file accessed by the system call.
  - 16. The method of claim 13 wherein comparing the second vector further comprises inputting the vector into a maximum entropy classifier.

17. A method for detecting intrusions to a computing environment, comprising:
- monitoring system calls made to an operating system during a defined period of time;
  
  evaluating the system calls made during the defined time period in relation to system calls made during known intrusions; and
  
  evaluating the temporal sequence in which system calls were made during the defined time period when the system calls made match the system calls made during a known intrusion.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 further comprises constructing an array which represents the system calls made during the defined time period, where each element of the array corresponds to a particular system call defined in the computing environment, and comparing the array to a plurality of arrays which represent system calls made during known intrusions.
  - 19. The method of claim 17 further comprises constructing a secondary array which represents system calls and system files accessed by the system calls during the defined time period.
  - 20. The method of claim 19 further comprises constructing the secondary array such that the system calls are sequenced in a temporal order in which they were made.
  - 21. The method of claim 19 further comprises inputting the secondary array as a feature vector into a maximum entropy classifier.

22. An intrusion detection system, comprising:
- a first data store operable to store a plurality of vectors, where each vector represents system calls made in a potential intrusiona first stage detector having access to the first data store and operable to monitor system calls made to an operating system, the first stage detector further operable to construct an array which represents system calls made during a defined period of time and compare the array to the plurality of stored vectors to detect a potential intrusion;
  
  a second data store operable to store a plurality of secondary vectors, where each secondary vector represents a temporal order in which system calls are made in a potential intrusion; and
  
  a second stage detector having access to the second data store and operable to evaluate the temporal order system calls were made to the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Original Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Inventors
Johnson, Stephen, Weber, Daniel, Park, Il-Pyung, Guo, Jinhong

Application Number

US11/601,864
Publication Number

US 20080120720A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

Intrusion detection via high dimensional vector matching

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection via high dimensional vector matching

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links