Pattern-oriented intrusion-detection system and method
First Claim
1. A method for detecting intrusion patterns in a secure computer system having a Central Processing Unit and a data storage memory, the method comprising the steps of:
(1) performing an access operation on one or more components of the computer system;
(2) inputting a first protection graph into an intrusion detection system, said first protection graph including direct and indirect relations between subjects and objects;
(3) applying a set of model rules to said first protection graph and said access operation to generate a second protection graph;
(4) comparing said second protection graph with a set of intrusion patterns to generate an exception condition, said exception condition indicative of whether there has been an intrusion; and
(5) indicating the existence of an intrusion based on said exception condition.
Abstract
The present invention provides a pattern-oriented intrusion detection system and method that defines patterns of intrusion based on object privilege and information flow in secure computer systems to detect actual intrusion occurrences. This approach has the advantage of detecting context-dependent intrusions such as those caused by inadvertent execution of foreign programs containing viruses or Trojan Horses and also those caused by unintended use of foreign input data. The present invention can track both information and privilege flows within a system, and has the ability to uniformly define various types of intrusion patterns. Operational security problems can lead to intrusion in secure computer systems. With this approach, explicitly defined types of intrusion patterns due to operational security problems can be detected.
49 Claims
Claim 1 is reproduced above under First Claim; its dependent claims 2 through 28 are not reproduced here.
29. In a secure computer system having a central processing unit and a data storage memory, an intrusion detection system for detecting intrusion patterns and unauthorized access, comprising:
(1) means for performing an access operation on one or more components of the computer system;
(2) means for inputting a first protection graph into an intrusion detection system, said first protection graph including direct and indirect relations between subjects and objects;
(3) means for applying a set of model rules to said first protection graph and said access operation to generate a second protection graph;
(4) means for comparing said second protection graph with a set of intrusion patterns to generate an exception condition, said exception condition indicative of whether there has been an intrusion; and
(5) means for indicating the existence of an intrusion based on said exception condition.
Dependent claims 30 through 47 are not reproduced here.
48. A method for detecting intrusion patterns in a secure computer system, wherein the state of actions in the audit trail of the secure computer system is represented by a first protection graph that includes direct and indirect relations between subjects and objects, the method comprising the steps of:
(1) performing an access operation on one or more components of the computer system;
(2) generating a second protection graph from the first protection graph and said access operation by applying a set of model rules, wherein said second protection graph represents the present state of action in the audit trail in the secure computer system;
(3) comparing said second protection graph with a set of intrusion patterns to generate an exception condition; and
(4) indicating the existence of an intrusion based on said exception condition.
49. A system for detecting intrusion patterns in a secure computer system, wherein the state of actions in the audit trail of the secure computer system is represented by a first protection graph that includes direct and indirect relations between subjects and objects, comprising:
(1) a secure computer system comprising a central processing unit and a data storage memory, wherein the operation of said secure computer system is controlled by an operating system, said secure computer system further having means for performing an access operation on one or more components of said secure computer system;
(2) an intrusion detection system operating concurrently with said operating system, said intrusion detection system comprising:
(a) means for applying a set of model rules to the first protection graph and said access operation to generate a second protection graph, wherein said second protection graph is stored in said data storage memory;
(b) means for comparing said second protection graph with a set of intrusion patterns stored in said data storage memory to generate an exception condition, said exception condition indicative of whether there has been an intrusion; and
(c) means for indicating the existence of an intrusion based on said exception condition.
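The following is an added toy implementation of the mechanism the abstract and claims describe (a protection graph updated by model rules and compared with intrusion patterns); it is not code from the patent, and the operation names, the single transitivity rule, the pattern format and the sample audit trail are assumptions made for illustration.

```python
# Added illustration (not from the patent): a toy pattern-oriented IDS.
# Subjects (users, programs) and objects (files) are nodes of a protection
# graph; each access operation adds a direct relation, a model rule derives
# the indirect (transitive) information-flow relations, and the resulting
# graph is compared with a set of intrusion patterns. All names are assumed.

class ProtectionGraph:
    def __init__(self):
        self.direct = set()   # (subject, op, object) relations as recorded
        self.flows = set()    # derived (source -> sink) information-flow edges

    def apply_access(self, subject, op, obj):
        """Claim step (3): fold one access operation into the graph via the rules."""
        self.direct.add((subject, op, obj))
        if op == "write":              # rule: writing moves information subject -> object
            self.flows.add((subject, obj))
        elif op in ("read", "exec"):   # rule: reading/executing moves it object -> subject
            self.flows.add((obj, subject))
        self._close()

    def _close(self):
        """Model rule: information flow is transitive; this adds the indirect relations."""
        changed = True
        while changed:
            changed = False
            for a, b in list(self.flows):
                for c, d in list(self.flows):
                    if b == c and (a, d) not in self.flows:
                        self.flows.add((a, d))
                        changed = True

def match_patterns(graph, patterns):
    """Claim step (4): a pattern here is a forbidden flow (source, sink); the
    exception condition is the list of pattern names present in the graph."""
    return [name for name, edge in patterns.items() if edge in graph.flows]

def run_audit_trail(events, patterns):
    """Claim steps (1)-(5) over an audit trail: returns the final graph and, for
    each triggered pattern, the index of the event at which it first appeared."""
    graph, alerts = ProtectionGraph(), {}
    for i, (subject, op, obj) in enumerate(events):
        graph.apply_access(subject, op, obj)
        for name in match_patterns(graph, patterns):
            alerts.setdefault(name, i)
    return graph, alerts

# Constructed audit trail: alice runs a foreign program, reads foreign data, then
# writes a protected file. No single event is suspicious; the indirect flow is.
AUDIT_TRAIL = [("alice", "exec", "foreign.exe"),
               ("alice", "read", "foreign.dat"),
               ("alice", "write", "protected.db")]
PATTERNS = {"foreign-program-to-protected": ("foreign.exe", "protected.db"),
            "foreign-data-to-protected": ("foreign.dat", "protected.db")}
```

Both patterns fire only at the third event, which is the context-dependent behaviour the abstract contrasts with per-event checks.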
Specification