System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
First Claim
1. A method for detecting intrusions in the operation of a computer system comprising:
- (a) gathering features from records of normal processes that access the file system of the computer;
(b) generating a probabilistic model of normal computer system usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and
(c) analyzing features from a record of a process that accesses the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly.
1 Assignment
0 Petitions
Accused Products
Abstract
A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.
-
Citations
11 Claims
-
1. A method for detecting intrusions in the operation of a computer system comprising:
-
(a) gathering features from records of normal processes that access the file system of the computer; (b) generating a probabilistic model of normal computer system usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and (c) analyzing features from a record of a process that accesses the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
Specification