INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK
First Claim

1. An intrusion detection apparatus for use in a computer system having an operating system that employs system calls to effect control over computer system resources, comprising:
- a monitor system adapted to monitor predetermined system calls;
- a data collection system coupled to said monitor system and operative to collect data reflective of system calls monitored by said monitor system;
- a probabilistic intrusion detection analyzer coupled to said data collection system;
- said probabilistic intrusion detection analyzer employing at least one trained model adapted to yield at least one likelihood score indicative of whether the system calls monitored by said monitor system were produced by a computer system whose security has been compromised.
Abstract
Selected system calls are monitored to generate frequency data that is input to a probabilistic intrusion detection analyzer which generates a likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised. A first Bayesian network is trained on data from a compromised system and a second Bayesian network is trained on data from a normal system. The probabilistic intrusion detection analyzer considers likelihood data from both Bayesian networks to generate the intrusion detection measure.
20 Claims

1. (Independent claim; text as set out above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of automatically detecting when the security of a computer system has been compromised, comprising the steps of:
- monitoring predetermined system calls employed by the operating system of the computer;
- collecting and storing data from said monitoring step;
- processing said collected data using at least one trained model and using said model to generate at least one likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised;
- using said likelihood score to produce an intrusion detection measure.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
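The abstract and claim 11 describe the pipeline end to end: monitor a predetermined set of system calls, turn the observations into frequency data, score that data under a model trained on a compromised system and a model trained on a normal system, and combine the two likelihoods into an intrusion detection measure. The following is an added illustration, not code from the patent or its assignee. It assumes, as a simplification, that each "Bayesian network" is a single-node multinomial model over monitored syscall frequencies (so the detection measure is a log-likelihood ratio), and all traces, syscall names and class names are constructed for the example.

```python
import math
from collections import Counter

# Constructed training traces (not from the patent): sequences of monitored
# system-call names. The "normal" traces resemble a file-serving workload;
# the "compromised" traces are heavy in process-spawning and socket calls.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close", "stat", "open", "read", "close"],
    ["stat", "open", "read", "write", "write", "close", "open", "read", "close"],
    ["open", "read", "read", "read", "close", "stat", "stat", "open", "close"],
]
COMPROMISED_TRACES = [
    ["fork", "execve", "socket", "connect", "write", "execve", "fork", "dup2", "execve"],
    ["socket", "connect", "fork", "execve", "dup2", "dup2", "execve", "write", "chmod"],
    ["execve", "fork", "socket", "connect", "chmod", "execve", "fork", "dup2", "read"],
]

# The "predetermined system calls" the monitor watches; anything else is ignored.
MONITORED = ("open", "read", "write", "close", "stat", "fork",
             "execve", "socket", "connect", "dup2", "chmod")


def collect_frequencies(trace):
    """Data collection step: reduce a raw trace to per-syscall counts."""
    return Counter(call for call in trace if call in MONITORED)


class MultinomialSyscallModel:
    """Single-node model over monitored syscall frequencies (assumed here as a
    stand-in for the patent's trained Bayesian network)."""

    def __init__(self, traces, alpha=1.0):
        counts = Counter()
        for trace in traces:
            counts.update(collect_frequencies(trace))
        total = sum(counts.values())
        k = len(MONITORED)
        # Laplace smoothing: a call unseen in training must not yield -inf.
        self.logp = {c: math.log((counts[c] + alpha) / (total + alpha * k))
                     for c in MONITORED}

    def log_likelihood(self, freq):
        """Log-probability of the observed frequency vector under this model."""
        return sum(n * self.logp[c] for c, n in freq.items())


class IntrusionAnalyzer:
    """Probabilistic intrusion detection analyzer: one model per condition,
    combined into a single intrusion detection measure."""

    def __init__(self, normal_traces, compromised_traces):
        self.normal = MultinomialSyscallModel(normal_traces)
        self.compromised = MultinomialSyscallModel(compromised_traces)

    def score(self, trace):
        """Intrusion detection measure: log-likelihood ratio, positive when the
        observed frequencies fit the compromised model better."""
        freq = collect_frequencies(trace)
        return (self.compromised.log_likelihood(freq)
                - self.normal.log_likelihood(freq))

    def is_intrusion(self, trace, threshold=0.0):
        return self.score(trace) > threshold

    def score_windows(self, trace, window=4):
        """Score fixed-size windows of a long trace so a short burst of
        suspicious activity is not diluted by a long benign prefix."""
        return [self.score(trace[i:i + window])
                for i in range(0, len(trace), window)]


if __name__ == "__main__":
    analyzer = IntrusionAnalyzer(NORMAL_TRACES, COMPROMISED_TRACES)
    for t in (["open", "read", "write", "close"],
              ["fork", "execve", "socket", "connect", "dup2"]):
        print(t, round(analyzer.score(t), 3), analyzer.is_intrusion(t))
```

The threshold of 0.0 corresponds to equal prior probability of the two conditions; in practice the prior for "compromised" is far lower, so a defender would raise the threshold (or add the log prior ratio to the score) and tune it against the false-positive rate observed on the normal baseline.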