Method and system for detecting intrusion into and misuse of a data processing system

US 5,557,742 A
Filed: 03/07/1994
Issued: 09/17/1996
Est. Priority Date: 03/07/1994
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting intrusion into and misuse of a processing system, comprising:

a process input mechanism for receiving a plurality of process relating inputs to processing system access;

a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising one or more of a user input device, a processing system program, a processing system memory device, and a processing system storage device;

a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said plurality of selectable misuses simultaneously; and

an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing system intrusion and misuse detection system and method utilizes instructions for and steps of processing system inputs into events and processing the events with reference to a set of selectable misuses in a misuse engine to produce one or more misuse outputs. The system and method convert processing system generated inputs to events by establishing an event data structure that stores the event. The event data structure includes authentication information, subject information, and object information. Processing system audit trail records, system log file data, and system security state data are extracted from the processing system to form the event data structure. A signature data structure stores signatures that the misuse engine compares and matches to selectable misuses. The signature data structure includes an initial state for each selectable misuse, an end state for each selectable misuse, one or more sets of transition functions for each selectable misuse, and one or more states for each selectable misuse, which can include the end state or the initial state. Furthermore, a misuse output and an index are utilized so that for each selectable misuse element there is a mechanism for loading the signature data structure.

547 Citations

18 Claims

1. A system for detecting intrusion into and misuse of a processing system, comprising:
- a process input mechanism for receiving a plurality of process relating inputs to processing system access;
  
  a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising one or more of a user input device, a processing system program, a processing system memory device, and a processing system storage device;
  
  a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said plurality of selectable misuses simultaneously; and
  
  an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein said process input mechanism further comprises a receiving mechanism for receiving said plurality of process inputs from one or more of a security state data source, a log file data source, and an audit trail records source.
  - 3. The system of claim 1, wherein said misuse engine further comprises a conversion mechanism for converting each of said plurality of process inputs into an event having a predetermined event data structure, said predetermined event data structure comprising an authentication information module, a subject information module, and an object information module.
  - 4. The system of claim 3, wherein said signature process mechanism of said misuse engine further comprises a signature data structure forming mechanism for forming a signature data structure, said data structure for mapping between said event data structure and at least one of said plurality of selectable of misuses.
  - 5. The system of claim 4, wherein said signature data structure comprises:
    - an initial state for each of said plurality of misuses;
      
      at least one transition function for describing a sequence of actions derived from events representing a component of a processing system misuse or intrusion;
      
      at least one state for representing a sequence of said at least one transition functions resulting in a completed component of said processing system misuse or intrusion;
      
      an end state representing the culmination of the said at least one transition function and said at least one state in an actual processing system misuse or intrusion; and
      
      a trigger in said signature process mechanism so that as said signature process mechanism receives said event data structure and compares it to the signature data structure state the transition function is triggered when said event data structure matches said signature data structure state.

6. A system method for detecting intrusion into and misuse of a processing system, comprising the steps of:
- receiving a plurality of process inputs relating to process system access using a process input mechanism;
  
  receiving a plurality of selectable misuses from at least on controllable input source using a selected misuse input mechanism, said controllable input source comprising one or more of a user input device, a processing system program, a processing system memory, and a processing system storage device;
  
  receiving said plurality of process inputs from said process input mechanism and said plurality of selectable misuses from said selectable misuse input mechanism using and providing as input said plurality of process inputs and said plurality of selectable misuses to a misuse engine connected to said misuse mechanism;
  
  comparing and matching said process inputs to multiple misuses of said plurality of selectable misuses simultaneously using a signature process mechanism within the misuse engine; and
  
  generating an output using an output mechanism when said misuse engine locates a match between at least one of said plurality process inputs and at least one said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising the step of receiving said plurality of process inputs in said process input mechanism from one or more of a security state data source, a log file data source, and an audit trail record source.
  - 8. The method of claim 6, further comprising the step of converting each of said plurality of process inputs into an event having a predetermined event data structure within said misuse engine, said event data structure comprising an authentication information module, a subject module, and an object information module.
  - 9. The method of claim 8, further comprising the step of forming a signature data structure in the signature process mechanism for mapping between said event data structure and at least one of said plurality of selectable misuses.
  - 10. The method of claim 9, wherein said signature data structure forming step further comprises the steps of:
    - relating an initial state to at least one of said plurality of selectable misuses;
      
      describing a sequence of actions representing a processing system misuse or intrusion using at least one transition function;
      
      representing elements in the sequence of elements resulting in a processing system misuse or intrusion using at least one state; and
      
      representing the last state occurring prior to performing said output generating step using an end state within said signature data structure.

11. An improved data processing system having the ability to detect data processing system intrusion and misuse, comprising:
- a processing system for processing instructions and data;
  
  a process input mechanism connected to said processing system for receiving a plurality of process inputs relating to access to said processing system;
  
  a selectable misuse input mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising one or more of a user input device, a processing system program, a processing system memory device, and a processing system storage device;
  
  a misuse engine connected to said selectable misuse input mechanism for receiving said plurality of process inputs from said process input mechanism and said plurality of selectable of misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching ones of said process inputs that relate to intrusions into or misuses of the processing system to multiple misuses of said plurality of selectable of misuses simultaneously; and
  
  an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said plurality of selectable misuses, said output indicating an intrusion into and misuse of the processing system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The improved processing system of claim 11, wherein said process input mechanism further comprises a receiving mechanism for receiving said plurality of process input from one or more of a security state data source, a log file data source, and an audit trail records source.
  - 13. The improved processing system of claim 11, wherein said misuse engine further comprises a conversion mechanism for converting each of said plurality of process inputs into an event having a predetermined event data structure, said event data structure comprising an authentication information module, a subject information module, and an object information module.
  - 14. The improved data processing system of claim 13, wherein said signature process mechanism comprises a mechanism for forming a signature data structure, said data structure for mapping between said event data structure and at least one of said selectable of misuses.
  - 15. The improved processing system of claim 14, wherein said signature data structure further comprises:
    - at least one transition function for describing a sequence of actions derived from events representing a component of a processing system misuse or intrusion;
      
      at least one state for representing a sequence of said at least one transition functions resulting in a completed component of said processing system misuse or intrusion; and
      
      an end state representing the culmination of the said at least one transition function and said at least one state in an actual processing system misuse or intrusion.

16. A method for detecting intrusion into and misuse of a processing system, comprising:
- a process input mechanism for receiving a plurality of process inputs relating to processing system access;
  
  a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising a user input mechanism capable of presenting a user with a predefined list of selectable misuses, creating a set of selected misuses as a result of said user choosing from a predefined list and loading said selected misuses into said selectable misuse mechanisms;
  
  a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process input mechanism in said selected misuses, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said selected misuses simultaneously; and
  
  an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match to at least one of said selected misuses, said output indicating an intrusion into a misuse of the processing system.

17. A system for detecting intrusion into a processing system and misuse of a processing system, comprising:
- a process input mechanism for receiving a plurality of process inputs relating to processing system access;
  
  a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source, said at least one controllable input source comprising a load mechanism for automatically loading a predefined set of selected misuses into said selectable misuse mechanism;
  
  a misuse engine connected to said selectable misuse mechanism for receiving said plurality of process inputs from said process inputs mechanism and said predefined set of selected misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said process inputs to multiple misuses of said predefined set of selectable misuses simultaneously; and
  
  an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said plurality of process inputs and at least one of said predefined set of selected misuses, said output indicating an intrusion into or misuse of the processing system.

18. A system for detecting intrusion into and misuse of a processing system, comprising:
- a process input mechanism for receiving a plurality of process inputs relating to processing system access, said process input mechanism comprising an audit record processing mechanism for converting system audit trail records into a predefined set of process inputs relating to processing system access;
  
  a selectable misuse mechanism connected to said process input mechanism for receiving a plurality of selectable misuses from at least one controllable input source;
  
  a misuse engine connected to said selectable misuse mechanism for receiving said predefined set of process inputs relating to said audit trail records and said plurality of selectable misuses from said selectable misuse input mechanism, said misuse engine comprising a signature process mechanism for comparing and matching said predefined set of process inputs relating to said audit trail records to multiple misuses of said selectable misuses simultaneously;
  
  an output mechanism connected to said misuse engine for generating an output when said misuse engine locates a match between at least one of said predefined set of process inputs relating to said audit trail records and at least one of said plurality of selectable misuses, said output indicating an intrusion into or misuse of the processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Haystack Labs Incorporated (McAfee, LLC)
Inventors
Smaha, Stephen E., Snapp, Steven R.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
CHUNG, PHUNG M

Application Number

US08/208,019
Time in Patent Office

925 Days
Field of Search

395/575, 395/185.01, 371/15.1, 371/25.1, 371/24, 371/67.1, 371/22.4, 371/22.1
US Class Current

726/22
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

Method and system for detecting intrusion into and misuse of a data processing system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

547 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting intrusion into and misuse of a data processing system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

547 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links