INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK

US 20080201778A1
Filed: 02/21/2007
Published: 08/21/2008
Est. Priority Date: 02/21/2007
Status: Abandoned Application

First Claim

Patent Images

1. An intrusion detection apparatus for use in a computer system having an operating system that employs system calls to effect control over computer system resources, comprising:

a monitor system adapted to monitor predetermined system calls;

a data collection system coupled to said monitor system and operative to collect data reflective of system calls monitored by said monitor system;

a probabilistic intrusion detection analyzer coupled to said data collection system;

said probabilistic intrusion detection analyzer employing at least one trained model adapted to yield at least one likelihood score indicative of whether the system calls monitored by said monitor system were produced by a computer system whose security has been compromised.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Selected system calls are monitored to generate frequency data that is input to a probabilistic intrusion detection analyzer which generates a likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised. A first Bayesian network is trained on data from a compromised system and a second Bayesian network is trained on data from a normal system. The probabilistic intrusion detection analyzer considers likelihood data from both Bayesian networks to generate the intrusion detection measure.

261 Citations

20 Claims

1. An intrusion detection apparatus for use in a computer system having an operating system that employs system calls to effect control over computer system resources, comprising:
- a monitor system adapted to monitor predetermined system calls;
  
  a data collection system coupled to said monitor system and operative to collect data reflective of system calls monitored by said monitor system;
  
  a probabilistic intrusion detection analyzer coupled to said data collection system;
  
  said probabilistic intrusion detection analyzer employing at least one trained model adapted to yield at least one likelihood score indicative of whether the system calls monitored by said monitor system were produced by a computer system whose security has been compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The intrusion detection apparatus of claim 1 wherein said monitor system employs at least one software hook introduced into the path of an operating system call that carries said system call within the operating system.
  - 3. The intrusion detection apparatus of claim 1 wherein said monitor system is adapted to monitor a plurality of different types of system calls.
  - 4. The intrusion detection apparatus of claim 3 wherein said different types of system calls correspond to system calls associated with behavior of a computer system whose security has been compromised.
  - 5. The intrusion detection apparatus of claim 1 wherein said data collection system collects data reflective of the occurrence frequency of system calls during a predetermined time window.
  - 6. The intrusion detection apparatus of claim 5 wherein said data collection system collects occurrence frequency data for a plurality of different types of system calls.
  - 7. The intrusion detection apparatus of claim 6 wherein said data collection system applies weights to said occurrence frequency data to emphasize occurrence frequency data associated with selected ones of said different types of system calls.
  - 8. The intrusion detection apparatus of claim 1 wherein said probabilistic intrusion detection analyzer employs:
    - a first model trained on a first dataset developed from a computer system whose security has been compromised; and
      
      a second model trained on a second dataset developed from a computer system whose security has not been compromised.
  - 9. The intrusion detection apparatus of claim 1 wherein said trained model includes a Bayesian network.
  - 10. The intrusion detection apparatus of claim 8 wherein said first and second datasets are developed from log files generated by the operating system.

11. A method of automatically detecting when the security of a computer system has been compromised, comprising the steps of:
- monitoring predetermined system calls employed by the operating system of the computer;
  
  collecting and storing data from said monitoring step;
  
  processing said collected data using at least one trained model and using said model to generate at least one likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised;
  
  using said likelihood score to produce an intrusion detection measure.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein said monitoring step is performed by placing at least one software hook into the path of an operating system call that carries said system call within the operating system and monitoring inter-process communications arriving at said software hook.
  - 13. The method of claim 11 wherein said monitoring step is performed by monitoring a plurality of different types of system calls.
  - 14. The method of claim 11 wherein said monitoring step is performed by monitoring a plurality of different types of system calls corresponding to system calls associated with behavior of a computer system whose security has been compromised.
  - 15. The method of claim 11 wherein said collecting step includes collecting data reflective of the occurrence frequency of system calls during a predetermined time window.
  - 16. The method of claim 15 wherein said collecting step further comprises collecting frequency data for a plurality of different types of system calls.
  - 17. The method of claim 15 wherein said collecting step further comprises applying weights to said frequency data to emphasize occurrence frequency data associated with selected ones of said different types of system calls.
  - 18. The method of claim 11 wherein said processing step uses a first model trained on a first dataset developed from a computer system whose security has been compromised;
    - anda second model trained on a second dataset developed from a computer system whose security has not been compromised.
  - 19. The method of claim 11 wherein said trained model includes a Bayesian network.
  - 20. The method of claim 18 further comprising training said first and second datasets using log files generated by the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Original Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Inventors
Johnson, Stephen L., Guo, Jinhong

Application Number

US11/677,059
Publication Number

US 20080201778A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 2221/2151 Time stamp

INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

261 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

261 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links