Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility

US 5,621,889 A
Filed: 06/08/1994
Issued: 04/15/1997
Est. Priority Date: 06/09/1993
Status: Expired due to Term

First Claim

Patent Images

1. A facility for detecting at least one of intrusions and suspect users, in a computer installation, making use of surveillance data streams relating to the behavior of the computer installation in operation and to the actions of the users of said installation, said data streams being generated in the installation, the facility comprising:

a first system which models, based on said computer installation and its users and their respective behaviors, a target as a symbolic representation using a semantic network, by employing previously acquired knowledge and rules;

a second system which compares said target with normal behavior expected for the same conditions as modelled by behavior rules and security rules contained in a knowledge data base of said second system, and which infers therefrom either an anomaly object in the event that at least one of the behavior rules is violated, or an intrusion object or an intrusion hypothesis object in the event that at least one of the security rules is violated;

a third system which interprets the anomaly and intrusion objects by implementing said previously acquired rules and knowledge used by said first system so as to generate, reinforce, or confirm a corresponding intrusion hypotheses;

a fourth system which correlates and compares said intrusion hypotheses and intrusions by implementing said previously acquired rules and knowledge used by said first system in order to relate various intrusion hypotheses and/or intrusions, and to infer new intrusion hypotheses and/or intrusions therefrom;

a communication system which cooperates with the first through fourth systems to provide the various data items that said first through fourth systems produce relating to behavior, anomalies, intrusion hypotheses, and intrusions;

an abstract-investigator which constructs an image representing behavior of said target modeled by said first system and performs investigations in data bases and a fact base of the facility and also in the computer installation;

an analyzer-checker, coupled to said abstract-investigator, which receives image data representing said image from said abstract-investigator, analyzes said data to interpret behavior of the computer installation and its users with reference to said target to detect anomalies, and outputs anomaly data indicative thereof; and

a suspicion and reaction manager, coupled to said analyzer-checker, which analyzes said anomaly data, received from said analyzer-checker, to interpret the detected anomalies and intrusions, identify the users actually responsible for anomalies and intrusions, attribute a degree of suspicion to at least one of said users so as to trigger corresponding messages for transmission via a human-machine interface, and optionally trigger restraint measures applicable to the computer installation via said human-machine interface.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for detecting intrusions and suspect users in a computer installation, and a security system incorporating such a facility that makes use of surveillance data relating to the operation of the installation. The facility includes elements for modelling the computer installation, its users, and their respective behavior with the help of a semantic network; elements for comparing the modellized behavior of the system and of its users relative to modellized normal behavior; elements for interpreting observed anomalies in terms of intrusions and of intrusion hypothesis; elements for interpreting observed intrusion hypotheses and intrusions in order to indicate them and enable restraint actions to be prepared. Elements are provided to evaluate the degree of suspicion of users. The elements co-operate with one another for the purpose of providing information.

Citations

17 Claims

1. A facility for detecting at least one of intrusions and suspect users, in a computer installation, making use of surveillance data streams relating to the behavior of the computer installation in operation and to the actions of the users of said installation, said data streams being generated in the installation, the facility comprising:
- a first system which models, based on said computer installation and its users and their respective behaviors, a target as a symbolic representation using a semantic network, by employing previously acquired knowledge and rules;
  
  a second system which compares said target with normal behavior expected for the same conditions as modelled by behavior rules and security rules contained in a knowledge data base of said second system, and which infers therefrom either an anomaly object in the event that at least one of the behavior rules is violated, or an intrusion object or an intrusion hypothesis object in the event that at least one of the security rules is violated;
  
  a third system which interprets the anomaly and intrusion objects by implementing said previously acquired rules and knowledge used by said first system so as to generate, reinforce, or confirm a corresponding intrusion hypotheses;
  
  a fourth system which correlates and compares said intrusion hypotheses and intrusions by implementing said previously acquired rules and knowledge used by said first system in order to relate various intrusion hypotheses and/or intrusions, and to infer new intrusion hypotheses and/or intrusions therefrom;
  
  a communication system which cooperates with the first through fourth systems to provide the various data items that said first through fourth systems produce relating to behavior, anomalies, intrusion hypotheses, and intrusions;
  
  an abstract-investigator which constructs an image representing behavior of said target modeled by said first system and performs investigations in data bases and a fact base of the facility and also in the computer installation;
  
  an analyzer-checker, coupled to said abstract-investigator, which receives image data representing said image from said abstract-investigator, analyzes said data to interpret behavior of the computer installation and its users with reference to said target to detect anomalies, and outputs anomaly data indicative thereof; and
  
  a suspicion and reaction manager, coupled to said analyzer-checker, which analyzes said anomaly data, received from said analyzer-checker, to interpret the detected anomalies and intrusions, identify the users actually responsible for anomalies and intrusions, attribute a degree of suspicion to at least one of said users so as to trigger corresponding messages for transmission via a human-machine interface, and optionally trigger restraint measures applicable to the computer installation via said human-machine interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A facility as claimed in claim 1, further comprising a fifth system which uses said previously acquired knowledge to identify users who are actually responsible for anomalies, intrusion hypotheses, and intrusions as established by the second, third, and/or fourth systems, to evaluate a corresponding degree of suspicion, and to indicate, in co-operation with the first through fourth systems and via the communication system, which users are responsible.
  - 3. A facility as claimed in claim 1, wherein said first through fourth systems are each are constituted by expert systems that share a common inference engine, operating with forward chaining, said engine being used in association with as many knowledge bases as there are expert systems.
  - 4. A facility as claimed in claim 1, wherein said abstractor-investigator comprises:
    - an audit abstractor responsible for creating a time and space image of a state and behavior of said target modelled by said first system and interprets on demand data that results from investigation of said state and behavior of said target;
      
      an audit investigator which searches data in a central audit data base of the facility and acquires surveillance data on demand about the computer installation; and
      
      a behavior investigator which searches for data for the analyzer-checker and for the suspicion and reaction manager in the data and fact bases of the facility in association with the audit investigator which it controls.
  - 5. A facility as claimed in claim 1, further comprising an analyzer-checker which associates a plurality of modules for analyzing the behavior of said target with a plurality of modules for checking the behavior of said target.
  - 6. A facility as claimed in claim 5, wherein the analyzer modules comprises modules that perform cognitive analysis on the behavior of users, and modules that perform analysis of the operational behavior of the computer installation.
  - 7. A facility as claimed in claim 5, wherein the modules for analyzing behavior comprise a profile checker responsible for checking compliance of behavior as determined by observation with an archived profile, an attack identifier responsible for looking for similarity between determined behavior and known attack scenarios, and two policy checkers, one being a security checker suitable for determining failure to comply with security rules stored in a security policy data base in order to trigger indicating of an intrusion to the suspicion and reaction manager in the event of non-compliance, and the other one being a behavior policy checker suitable for determining non-compliance with behavior rules stored in a behavior policy data base in order to trigger, as appropriate, the indication of an anomaly or of an intrusion to the suspicion and reaction manager.
  - 8. A facility as claimed in claim 1, wherein the suspicion and reaction manager includes a device which interprets the indicated anomalies and intrusions, a device which determines users suspected of being implied in the anomalies, intrusion hypotheses, and intrusions, and also determines a suspicion level which is consequently applied to said suspects, and a device which triggers alarm procedures and prepares restraint measures for access by a person in charge of security via the human-machine interface of the facility.

9. A security system for a computer installation making use of streams of surveillance data relating to the behavior of the installation in operation and the actions of the users of said installation, said system comprising:
- a set of sensors included in software of the computer installation for indicating actions and events that take place at the level of said software and results of measurements, optionally on demand;
  
  monitors which convert data picked up by the sensors into a stream of surveillance data, said data corresponding to respective actions, events, or measurements; and
  
  a facility, coupled to said sensors, for detecting at least one of intrusions and suspect users, in a computer installation, making use of said streams of surveillance data relating to the behavior of the computer installation in operation and to the actions of the users of said installation, said data streams being generated in the installation, the facility comprising;
  
  a first system which models, based on said computer installation and its users and their respective behaviors, a target as a symbolic representation using a semantic network, by making use of previously acquired knowledge and rules;
  
  a second system which compares said target with normal behavior expected for the same conditions as modelled by behavior rules and security rules contained in a knowledge data base of said second system, and which infers therefrom either an anomaly object in the event that at least one of the behavior rules is violated, or an intrusion object or an intrusion hypothesis object in the event that at least one of the security rules is violated;
  
  a third system which interprets the anomaly and intrusion objects by implementing said previously acquired rules and knowledge used by said first system so as to generate, reinforce, or confirm a corresponding intrusion hypotheses;
  
  a fourth system which correlates and compares said intrusion hypotheses and intrusions by implementing said previously acquired rules and knowledge used by said first and third systems in order to associate various intrusion hypotheses and/or intrusions, and to infer new intrusion hypotheses and/or intrusions therefrom;
  
  a communication system which cooperates with the first through fourth systems to provide the various data items that said first through fourth systems produce relating to behavior, anomalies, intrusion hypotheses, and intrusions;
  
  an abstract-investigator which constructs an image representing behavior of said target modeled by said first system and performs investigations in data bases and a fact base of the facility and also in the computer installation;
  
  an analyzer-checker, coupled to said abstract-investigator, which receives image data representing said image from said abstractor-investigator, analyzes said data to interpret behavior of the computer installation and its users with reference to said target to detect anomalies, and outputs anomaly data indicative thereof; and
  
  a suspicion and reaction manager, coupled to said analyzer-checker, which analzes said anomaly data, received from said analyzer-checker, to interpret the detected anomalies and intrusions, identify the users actually responsible for anomalies and intrusions, attribute a degree of suspicion to at least one of said users so as to trigger corresponding messages for transmission via a human-machine interface, and optionally trigger restraint measures applicable to the computer installation via said human-machine interface.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. A security system as claimed in claim 9, further including a set of effectors of a processor or agent type included in said software of the computer installation which implements restraint measures in the computer installation in order to counter attempts at intrusion aimed at said computer installation, said effectors being controlled from a suspicion and reaction manager in said facility via monitors associated with said facility and machines in the computer installation.
  - 11. A facility as claimed in claim 9, further comprising a fifth system which uses said previously acquired knowledge to identify users who are actually responsible for anomalies, intrusion hypotheses, and intrusions as established by the second, third, and/or fourth systems, to evaluate a corresponding degree of suspicion, and to indicate which users are responsible in co-operation with the first through fourth systems and via the communication system.
  - 12. A facility as claimed in claim 9, wherein said first through fourth systems are each are constituted by expert systems that share a common inference engine, operating with forward chaining, said engine being used in association with as many knowledge bases as there are expert systems.
  - 13. A facility as claimed in claim 9, wherein said abstractor-investigator comprises:
    - an audit abstractor responsible for creating a time and space image of a state and behavior of said target and interprets on demand data that results from investigation of said state and behavior of said target;
      
      an audit investigator which searches data in a central audit data base of the facility and acquires surveillance data on demand about the computer installation; and
      
      a behavior investigator which searches for data for the analyzer-checker and for the suspicion and reaction manager in said data and fact bases of the facility in association with the audit investigator which it controls.
  - 14. A facility as claimed in claim 9, further comprising an analyzer-checker which associates a plurality of modules for analyzing the behavior of said target with a plurality of modules for checking the behavior of said target.
  - 15. A facility as claimed in claim 14, wherein the analyzer modules comprises modules that perform cognitive analysis on the behavior of users, and modules that perform analysis of the operational behavior of the computer installation.
  - 16. A facility as claimed in claim 14, wherein the modules for analyzing behavior comprise a profile checker responsible for checking compliance of behavior as determined by observation with an archived profile, an attack identifier responsible for looking for similarity between determined behavior and known attack scenarios, and two policy checkers, one being a security checker suitable for determining failure to comply with security rules stored in a security policy data base in order to trigger indicating of an intrusion to the suspicion and reaction manager in the event of non-compliance, and the other one being a behavior policy checker suitable for determining non-compliance with behavior rules stored in a behavior policy data base in order to trigger, as appropriate, the indication of an anomaly or of an intrusion to the suspicion and reaction manager.
  - 17. A facility as claimed in claim 9, wherein the suspicion and reaction manager includes a device which interprets the indicated anomalies and intrusions, a device which determines users suspected of being implied in the anomalies, intrusion hypotheses, and intrusions, and also determines a suspicion level which is consequently applied to said suspects, and a device which triggers alarm procedures and prepares restraint measures for access by a person in charge of security via the human-machine interface of the facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel SA (Nokia Corporation)
Original Assignee
Alcatel Alsthom Compagnie Generale d'Electricite (Nokia Corporation)
Inventors
Gonthier, Patrice, Emery, Thierry, Lermuzeaux, Jean-Marc
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Palys, Joseph E.

Application Number

US08/257,052
Time in Patent Office

1,042 Days
Field of Search

395/375, 395/183.01, 395/183.03, 395/186, 395/187.01, 395/183.02, 395/183.13, 395/2.82, 395/53, 371/15.1
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 2221/2101 Auditing as a secondary aspect

Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links