Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility
Abstract
A facility for detecting intrusions and suspect users in a computer installation, and a security system incorporating such a facility, makes use of surveillance data relating to the operation of the installation. The facility includes elements for modelling the computer installation, its users, and their respective behavior with the help of a semantic network; elements for comparing the modelled behavior of the system and of its users with modelled normal behavior; elements for interpreting observed anomalies in terms of intrusions and intrusion hypotheses; and elements for interpreting observed intrusion hypotheses and intrusions in order to report them and enable restraint actions to be prepared. Further elements evaluate the degree of suspicion of users. The elements co-operate with one another for the purpose of exchanging information.
17 Claims
1. A facility for detecting at least one of intrusions and suspect users, in a computer installation, making use of surveillance data streams relating to the behavior of the computer installation in operation and to the actions of the users of said installation, said data streams being generated in the installation, the facility comprising:
a first system which models, based on said computer installation and its users and their respective behaviors, a target as a symbolic representation using a semantic network, by employing previously acquired knowledge and rules;
a second system which compares said target with normal behavior expected for the same conditions as modelled by behavior rules and security rules contained in a knowledge data base of said second system, and which infers therefrom either an anomaly object in the event that at least one of the behavior rules is violated, or an intrusion object or an intrusion hypothesis object in the event that at least one of the security rules is violated;
a third system which interprets the anomaly and intrusion objects by implementing said previously acquired rules and knowledge used by said first system so as to generate, reinforce, or confirm a corresponding intrusion hypothesis;
a fourth system which correlates and compares said intrusion hypotheses and intrusions by implementing said previously acquired rules and knowledge used by said first system in order to relate various intrusion hypotheses and/or intrusions, and to infer new intrusion hypotheses and/or intrusions therefrom;
a communication system which cooperates with the first through fourth systems to provide the various data items that said first through fourth systems produce relating to behavior, anomalies, intrusion hypotheses, and intrusions;
an abstract-investigator which constructs an image representing behavior of said target modeled by said first system and performs investigations in data bases and a fact base of the facility and also in the computer installation;
an analyzer-checker, coupled to said abstract-investigator, which receives image data representing said image from said abstract-investigator, analyzes said data to interpret behavior of the computer installation and its users with reference to said target to detect anomalies, and outputs anomaly data indicative thereof; and
a suspicion and reaction manager, coupled to said analyzer-checker, which analyzes said anomaly data, received from said analyzer-checker, to interpret the detected anomalies and intrusions, identify the users actually responsible for anomalies and intrusions, attribute a degree of suspicion to at least one of said users so as to trigger corresponding messages for transmission via a human-machine interface, and optionally trigger restraint measures applicable to the computer installation via said human-machine interface.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A security system for a computer installation making use of streams of surveillance data relating to the behavior of the installation in operation and the actions of the users of said installation, said system comprising:
a set of sensors included in software of the computer installation for indicating actions and events that take place at the level of said software and results of measurements, optionally on demand;
monitors which convert data picked up by the sensors into a stream of surveillance data, said data corresponding to respective actions, events, or measurements; and
a facility, coupled to said sensors, for detecting at least one of intrusions and suspect users, in a computer installation, making use of said streams of surveillance data relating to the behavior of the computer installation in operation and to the actions of the users of said installation, said data streams being generated in the installation, the facility comprising:
a first system which models, based on said computer installation and its users and their respective behaviors, a target as a symbolic representation using a semantic network, by making use of previously acquired knowledge and rules;
a second system which compares said target with normal behavior expected for the same conditions as modelled by behavior rules and security rules contained in a knowledge data base of said second system, and which infers therefrom either an anomaly object in the event that at least one of the behavior rules is violated, or an intrusion object or an intrusion hypothesis object in the event that at least one of the security rules is violated;
a third system which interprets the anomaly and intrusion objects by implementing said previously acquired rules and knowledge used by said first system so as to generate, reinforce, or confirm a corresponding intrusion hypothesis;
a fourth system which correlates and compares said intrusion hypotheses and intrusions by implementing said previously acquired rules and knowledge used by said first and third systems in order to associate various intrusion hypotheses and/or intrusions, and to infer new intrusion hypotheses and/or intrusions therefrom;
a communication system which cooperates with the first through fourth systems to provide the various data items that said first through fourth systems produce relating to behavior, anomalies, intrusion hypotheses, and intrusions;
an abstract-investigator which constructs an image representing behavior of said target modeled by said first system and performs investigations in data bases and a fact base of the facility and also in the computer installation;
an analyzer-checker, coupled to said abstract-investigator, which receives image data representing said image from said abstract-investigator, analyzes said data to interpret behavior of the computer installation and its users with reference to said target to detect anomalies, and outputs anomaly data indicative thereof; and
a suspicion and reaction manager, coupled to said analyzer-checker, which analyzes said anomaly data, received from said analyzer-checker, to interpret the detected anomalies and intrusions, identify the users actually responsible for anomalies and intrusions, attribute a degree of suspicion to at least one of said users so as to trigger corresponding messages for transmission via a human-machine interface, and optionally trigger restraint measures applicable to the computer installation via said human-machine interface.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17
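The pipeline that claims 1 and 9 describe (a target model built from the monitors' surveillance stream, behavior rules yielding anomaly objects, security rules yielding hypothesis or intrusion objects, correlation that confirms hypotheses, and a per-user degree of suspicion that selects a reaction) as an added toy example written for this page; it is not the patent's implementation, and the event fields, rule thresholds, weights, reaction cut-offs and user names are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# kind: "anomaly" (behavior rule) or "hypothesis"/"intrusion" (security rule); weight: suspicion contribution
Finding = namedtuple("Finding", "kind user rule weight")

# Constructed surveillance stream (user, action, detail), standing in for the claimed sensors/monitors.
EVENTS = [
    ("alice", "login", "09:00"), ("alice", "read", "/home/alice/notes"), ("bob", "login", "02:15"),
    ("bob", "login_failed", "root"), ("bob", "login_failed", "root"), ("bob", "login_failed", "root"),
    ("bob", "read", "/etc/shadow"),
]

def build_target(events):
    """First system: symbolic model of each user and the actions observed for them."""
    target = defaultdict(lambda: defaultdict(list))
    for user, action, detail in events:
        target[user][action].append(detail)
    return target

def behavior_rules(user, actions):
    """Second system, behavior rules: a violation yields an anomaly object."""
    for t in actions.get("login", []):
        if not "08:00" <= t <= "18:00":  # assumed normal working hours for this user
            yield Finding("anomaly", user, "login_outside_hours", 1)

def security_rules(user, actions):
    """Second system, security rules: a violation yields a hypothesis or an intrusion object."""
    if len(actions.get("login_failed", [])) >= 3:  # assumed threshold
        yield Finding("hypothesis", user, "repeated_auth_failure", 2)
    for path in actions.get("read", []):
        if path == "/etc/shadow":
            yield Finding("intrusion", user, "sensitive_file_read", 3)

def correlate(findings):
    """Third and fourth systems: a hypothesis backed by another finding on the same user is confirmed."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f.user].append(f)
    confirmed = [Finding("intrusion", u, "confirmed_hypothesis", 2)
                 for u, fs in by_user.items()
                 if any(f.kind == "hypothesis" for f in fs) and len(fs) >= 2]
    return findings + confirmed

def analyze(events):
    """Suspicion and reaction manager: (degree of suspicion, reaction) per user in the target."""
    target = build_target(events)
    findings = correlate([f for u, a in target.items()
                          for f in (*behavior_rules(u, a), *security_rules(u, a))])
    score = {u: sum(f.weight for f in findings if f.user == u) for u in target}
    return {u: (s, "restrain" if s >= 5 else "alert" if s >= 2 else "none")  # assumed cut-offs
            for u, s in score.items()}
```

Running `analyze(EVENTS)` gives alice a score of 0 and no reaction, while bob's anomaly, hypothesis and intrusion reinforce one another into a confirmed intrusion and a restraint recommendation.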