SYSTEM AND METHODS FOR ADAPTIVE MODEL GENERATION FOR DETECTING INTRUSION IN COMPUTER SYSTEMS
Abstract
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
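The data flow the abstract describes (sensors emitting records in one predetermined format, a SQL-backed data warehouse, a model generator that trains on records from at least two sensors, and a detector that classifies new records against the stored model) as an added Python illustration; this is not code from the patent. The sample records, the in-memory SQLite tables and the simple mean-plus-k-standard-deviations threshold model are all assumptions chosen here to stand in for whatever sensors, warehouse schema and model the patented system actually uses.

```python
import json
import sqlite3
import statistics

# Constructed sample records in one shared (sensor_id, feature dict) format.
TRAINING_RECORDS = [
    ("net-sensor", {"conn_rate": 4, "failed_logins": 0}),
    ("net-sensor", {"conn_rate": 6, "failed_logins": 1}),
    ("net-sensor", {"conn_rate": 5, "failed_logins": 0}),
    ("host-sensor", {"conn_rate": 3, "failed_logins": 1}),
    ("host-sensor", {"conn_rate": 5, "failed_logins": 0}),
    ("host-sensor", {"conn_rate": 4, "failed_logins": 1}),
]

class DataWarehouse:
    # SQL-backed store for sensor records and versioned detection models (assumed schema).
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE records (sensor TEXT, payload TEXT)")
        self.db.execute("CREATE TABLE models (version INTEGER, payload TEXT)")

    def store_record(self, sensor, features):
        self.db.execute("INSERT INTO records VALUES (?, ?)", (sensor, json.dumps(features)))

    def training_data(self):
        rows = self.db.execute("SELECT sensor, payload FROM records").fetchall()
        return [(sensor, json.loads(payload)) for sensor, payload in rows]

    def store_model(self, model):
        (count,) = self.db.execute("SELECT COUNT(*) FROM models").fetchone()
        self.db.execute("INSERT INTO models VALUES (?, ?)", (count + 1, json.dumps(model)))

    def latest_model(self):
        row = self.db.execute("SELECT payload FROM models ORDER BY version DESC LIMIT 1").fetchone()
        return json.loads(row[0])

def generate_model(records):
    """Per-feature mean/stdev thresholds; refuses training data from fewer than two sensors."""
    if len({sensor for sensor, _ in records}) < 2:
        raise ValueError("training data must come from at least two sensors")
    model = {}
    for name in records[0][1]:
        vals = [features[name] for _, features in records]
        model[name] = {"mean": statistics.mean(vals), "stdev": statistics.pstdev(vals)}
    return model

def classify(model, features, k=3.0):
    """Real-time check: any feature above mean + k*stdev marks the record as an attack."""
    flagged = any(features[n] > s["mean"] + k * s["stdev"] for n, s in model.items())
    return "attack" if flagged else "normal"
```

Regenerating and re-storing the model after each new batch of records is what gives the detector an updated model without restarting it; the detector only ever reads `latest_model()`.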
28 Claims
1. A system for detecting intrusions in the operation of a computer system comprising:
(a) a plurality of sensors, each sensor configured to gather information regarding the operation of the computer system, to format the information in a data record, and to transmit the data record;
(b) one or more databases configured to receive the data record from the sensor, to store the data record, and to store an intrusion detection model;
(c) a detection model generator configured to request training data from a plurality of data records from the one or more databases, said training data comprising data from at least two sensors, to generate the intrusion detection model based on said training data from a plurality of data records, and to transmit the intrusion detection model to the one or more databases;
(d) a data analysis engine configured to request data records from the one or more databases and to perform a data processing function on the data records;
(e) the detection model generator further configured to update the intrusion detection model in real-time;
(f) a detection model distributor configured to receive said intrusion detection model from the one or more databases and to transmit the detection model to at least one detector; and
(g) one or more detectors configured to receive a data record from the sensor and to determine in real-time whether said data record corresponds to an attack based on said intrusion detection model.
Dependent claims 2 to 15 are not reproduced here.
16. A method for detecting intrusions in the operation of a computer system comprising:
(a) gathering information regarding the operation of the computer system at a plurality of sensors and formatting the information from each sensor into a data record;
(b) transmitting the data record to one or more databases, and storing the data record in the one or more databases;
(c) generating an intrusion detection model comprising requesting training data from a plurality of data records from the one or more databases, said training data comprising data collected from at least two sensors, transmitting the intrusion detection model to the one or more databases, and storing the intrusion detection model at the one or more databases;
(d) requesting a data record from the one or more databases and performing a data processing function on the data record; and
(e) updating the intrusion detection model in real-time;
(f) transmitting the intrusion detection model from a detection model distributor to at least one detector.
(d) determining in real-time whether a data record corresponds to an attack based on the intrusion detection model comprising receiving the data record from the sensor.
Dependent claims 17 to 28 are not reproduced here.