Method and system for detecting intrusion into and misuse of a data processing system
First Claim
1. A system for detecting intrusion into and misuse of a processing system, comprising:
a process input mechanism for receiving a plurality of process inputs relating to processing system access;
a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising one or more of a user input device, a processing system program, a processing system memory device, and a processing system storage device;
a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said plurality of selectable misuses simultaneously; and
an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.
Abstract
A processing system intrusion and misuse detection system and method utilizes instructions for and steps of processing system inputs into events and processing the events with reference to a set of selectable misuses in a misuse engine to produce one or more misuse outputs. The system and method convert processing system generated inputs to events by establishing an event data structure that stores the event. The event data structure includes authentication information, subject information, and object information. Processing system audit trail records, system log file data, and system security state data are extracted from the processing system to form the event data structure. A signature data structure stores signatures that the misuse engine compares and matches to selectable misuses. The signature data structure includes an initial state for each selectable misuse, an end state for each selectable misuse, one or more sets of transition functions for each selectable misuse, and one or more states for each selectable misuse, which can include the end state or the initial state. Furthermore, a misuse output and an index are utilized so that for each selectable misuse element there is a mechanism for loading the signature data structure.
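As an added illustration (not code from the patent or its assignee), a minimal misuse engine built around the two data structures the abstract describes: an event carrying authentication, subject and object information, and a signature with an initial state, an end state, a set of states and transition functions, with every loaded signature matched against each event simultaneously. The two signatures and the audit-trail events are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Event:      # event data structure from the abstract
    auth: str     # authentication information, e.g. a login result
    subject: str  # subject information, e.g. the acting user
    obj: str      # object information, e.g. the file or service touched
@dataclass
class Signature:  # signature data structure: initial state, end state, states, transitions
    name: str
    initial: str
    end: str
    states: Set[str]
    transitions: Dict[str, List[Tuple[Callable[[Event], bool], str]]]
def fail(e: Event) -> bool: return e.auth == "login_fail"
def ok(e: Event) -> bool: return e.auth == "login_ok"
def shadow_read(e: Event) -> bool: return e.auth == "file_read" and e.obj == "/etc/shadow"
# Two hypothetical selectable misuses (constructed here, not taken from the patent).
BRUTE = Signature("repeated_failed_login", "s0", "end", {"s0", "s1", "s2", "end"},
                  {"s0": [(fail, "s1")], "s1": [(fail, "s2"), (ok, "s0")],
                   "s2": [(fail, "end"), (ok, "s0")]})
SENSITIVE = Signature("sensitive_read_after_login", "s0", "end", {"s0", "s1", "end"},
                      {"s0": [(ok, "s1")], "s1": [(shadow_read, "end")]})

class MisuseEngine:   # runs every loaded signature against each event, state kept per subject
    def __init__(self, signatures: List[Signature]):
        self.sigs = signatures
        self.state: Dict[Tuple[str, str], str] = {}   # (signature name, subject) -> state
    def process(self, e: Event) -> List[Tuple[str, str, str]]:
        outputs = []
        for sig in self.sigs:                        # all signatures checked simultaneously
            key = (sig.name, e.subject)
            cur = self.state.get(key, sig.initial)
            for pred, nxt in sig.transitions.get(cur, []):
                if pred(e):                          # first matching transition function wins
                    cur = nxt
                    break
            if cur == sig.end:                       # end state reached: misuse output, restart
                outputs.append((sig.name, e.subject, e.obj))
                cur = sig.initial
            self.state[key] = cur
        return outputs
# Constructed audit-trail events (sample data, not real records).
EVENTS = [Event("login_fail", "alice", "sshd"), Event("login_fail", "alice", "sshd"),
          Event("login_ok", "bob", "sshd"), Event("login_fail", "alice", "sshd"),
          Event("file_read", "bob", "/etc/shadow"), Event("login_ok", "alice", "sshd"),
          Event("file_read", "alice", "/home/alice/notes")]
def run_demo() -> List[Tuple[str, str, str]]:
    engine = MisuseEngine([BRUTE, SENSITIVE])
    return [out for e in EVENTS for out in engine.process(e)]
```

Each misuse output names the signature, the subject and the object of the event that completed it; a signature that reaches its end state restarts from its initial state for that subject.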
18 Claims
1. As set out under First Claim above. Dependent claims 2, 3, 4 and 5 are not reproduced.
6. A system method for detecting intrusion into and misuse of a processing system, comprising the steps of:
receiving a plurality of process inputs relating to process system access using a process input mechanism;
receiving a plurality of selectable misuses from at least one controllable input source using a selected misuse input mechanism, said controllable input source comprising one or more of a user input device, a processing system program, a processing system memory, and a processing system storage device;
receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse input mechanism and providing as input said plurality of process inputs and said plurality of selectable misuses to a misuse engine connected to said misuse mechanism;
comparing and matching said process inputs to multiple misuses of said plurality of selectable misuses simultaneously using a signature process mechanism within the misuse engine; and
generating an output using an output mechanism when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.
Dependent claims 7, 8, 9 and 10 are not reproduced.
11. An improved data processing system having the ability to detect data processing system intrusion and misuse, comprising:
a processing system for processing instructions and data;
a process input mechanism connected to said processing system for receiving a plurality of process inputs relating to access to said processing system;
a selectable misuse input mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising one or more of a user input device, a processing system program, a processing system memory device, and a processing system storage device;
a misuse engine connected to said selectable misuse input mechanism for receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching ones of said process inputs that relate to intrusions into or misuses of the processing system to multiple misuses of said plurality of selectable misuses simultaneously; and
an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into and misuse of the processing system.
Dependent claims 12, 13, 14 and 15 are not reproduced.
16. A method for detecting intrusion into and misuse of a processing system, comprising:
a process input mechanism for receiving a plurality of process inputs relating to processing system access;
a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising a user input mechanism capable of presenting a user with a predefined list of selectable misuses, creating a set of selected misuses as a result of said user choosing from a predefined list and loading said selected misuses into said selectable misuse mechanism;
a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism and said selected misuses, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said selected misuses simultaneously; and
an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match to at least one of said selected misuses, said output indicating an intrusion into or misuse of the processing system.
17. A system for detecting intrusion into a processing system and misuse of a processing system, comprising:
a process input mechanism for receiving a plurality of process inputs relating to processing system access;
a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising a load mechanism for automatically loading a predefined set of selected misuses into said selectable misuse mechanism;
a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism and said predefined set of selected misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said predefined set of selectable misuses simultaneously; and
an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said predefined set of selected misuses, said output indicating an intrusion into or misuse of the processing system.
18. A system for detecting intrusion into and misuse of a processing system, comprising:
a process input mechanism for receiving a plurality of process inputs relating to processing system access, said process input mechanism comprising an audit record processing mechanism for converting system audit trail records into a predefined set of process inputs relating to processing system access;
a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source;
a misuse engine connected to said selectable misuse mechanism for receiving said predefined set of process inputs relating to said audit trail records and said plurality of selectable misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said predefined set of process inputs relating to said audit trail records to multiple misuses of said selectable misuses simultaneously; and
an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said predefined set of process inputs relating to said audit trail records and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.
Specification