Intrusion detection system
First Claim
1. A network-independent, host-based computer implemented method for detecting intruders in a host computer, the method comprising the steps of:
a. at the host computer, detecting an unauthorized user attempting to enter into the host computer by comparing actions of the user to a dynamically built profile for the user, and if the action is out of range of the user profile, notifying a control function at the host computer;
b. at the host computer, detecting events that indicate an unauthorized entry into the host computer has occurred and if an event occurs that indicates unauthorized entry, notifying a control function; and
c. executing an action in response to the event by the control function.
Abstract
A computer-implemented intrusion detection system and method that monitors a computer system in real-time for activity indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users attempting to enter into a computer system by comparing user behavior to a user profile, detects events that indicate an unauthorized entry into the computer system, notifies a control function about the unauthorized users and events that indicate unauthorized entry into the computer system and has a control function that automatically takes action in response to the event. The user profiles are dynamically constructed for each computer user when the computer user first attempts to log into the computer system and upon subsequent logins, the user's profile is dynamically updated. By comparing user behavior to the dynamically built user profile, false alarms are reduced. The system also includes a log auditing function, a port scan detector and a session monitor function.
31 Claims

1. A network-independent, host-based computer implemented method for detecting intruders in a host computer, the method comprising the steps of:
a. at the host computer, detecting an unauthorized user attempting to enter into the host computer by comparing actions of the user to a dynamically built profile for the user, and if the action is out of range of the user profile, notifying a control function at the host computer;
b. at the host computer, detecting events that indicate an unauthorized entry into the host computer has occurred and if an event occurs that indicates unauthorized entry, notifying a control function; and
c. executing an action in response to the event by the control function.
(Dependent claims: 2 through 28.)

2. The method of claim 1 further comprising:
a. at the host computer, dynamically constructing a user profile for each computer user when the computer user first attempts to log into the host computer;
b. at the host computer, dynamically updating the user profile for the user for each attempt by the user to log into the system after the first attempt; and
c. updating the user profile when the user logs out of the host computer.

3. The method of claim 1 further comprising dynamically monitoring host computer log files for events that indicate an unauthorized attempted entry into the host computer.

4. The method of claim 3 wherein the dynamically monitoring host computer log files comprises:
a. at the host computer, comparing the system log files to events to ignore and ignoring the event if the system log file indicates a match with the event to ignore; and
b. at the host computers, comparing the system log files to events known to indicate an unauthorized entry into the computer system and notifying a control function about the unauthorized entry;
c. automatically executing a specific action in response to the event by the control function.

5. The method of claim 1 further comprising:
a. at the host computer, dynamically monitoring user actions after the user has logged into a computer system for unauthorized access by the user to system information, and if unauthorized access occurs, notifying a control function about the unauthorized access and automatically executing a specific action in response to the event by the control function; and
b. at the host computer, dynamically monitoring user actions after the user has logged into a computer system for corruption of system information by the user and if corruption of system information occurs, notifying a control function that corruption of system information has occurred and automatically executing a specific action in response by the control function.

6. The method of claim 1 further comprising:
a. at the host computer, scanning network ports to determine if a user has connected to more than a selected number of network ports;
b. if the user has exceeded the selected number of network ports, at the host computer, notifying the control function and automatically executing a specific action in response to the event by the control function.

7. The method of claim 6 wherein the selected number of network ports is set by the system administrator.

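As an added illustration (not code from the patent), the following Python sketches the log auditing step of claim 4 (ignore list checked before the list of events known to indicate unauthorized entry, then the control function notified) and the port-scan check of claims 6 and 7 (a user connected to more than an administrator-selected number of ports). The log lines, regular expressions, threshold and user names are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed example rules and log lines (not from the patent).
EVENTS_TO_IGNORE = [r"session closed for user \w+"]
KNOWN_INTRUSION_EVENTS = [r"Accepted password for root from",
                          r"authentication failure;.*user=root"]
SAMPLE_LOG = [
    "sshd[812]: Accepted password for root from 198.51.100.7 port 40212",
    "sshd[812]: pam_unix(sshd:session): session closed for user root",
    "login[933]: pam_unix(login:auth): authentication failure; user=root",
]
class LogAuditor:
    """Claim 4: ignore list first, then events known to indicate intrusion."""
    def __init__(self, ignore, known_bad, control):
        self.ignore = [re.compile(p) for p in ignore]
        self.known_bad = [re.compile(p) for p in known_bad]
        self.control = control            # control function: (reason, detail)

    def audit(self, lines):
        hits = []
        for line in lines:
            if any(p.search(line) for p in self.ignore):      # claim 4a
                continue
            if any(p.search(line) for p in self.known_bad):   # claim 4b
                hits.append(line)
                self.control("unauthorized entry", line)      # claim 4c
        return hits

class PortScanDetector:
    """Claims 6/7: report a user connected to more than max_ports ports."""
    def __init__(self, max_ports, control):
        self.max_ports, self.control = max_ports, control  # threshold from admin
        self.ports = defaultdict(set)     # user -> distinct ports connected to
        self.reported = set()             # users already sent to control

    def observe(self, user, port):
        self.ports[user].add(port)
        if len(self.ports[user]) > self.max_ports and user not in self.reported:
            self.reported.add(user)
            self.control("port scan", f"{user}: {len(self.ports[user])} ports")
            return True
        return False

def demo():
    events = []                           # what the control function stored
    control = lambda reason, detail: events.append((reason, detail))
    hits = LogAuditor(EVENTS_TO_IGNORE, KNOWN_INTRUSION_EVENTS, control).audit(SAMPLE_LOG)
    scanner = PortScanDetector(max_ports=5, control=control)
    flags = [scanner.observe("mallory", p) for p in (21, 22, 23, 25, 80, 110, 143)]
    return hits, flags, events
```

The ignore list is consulted first, so a benign "session closed" line never reaches the intrusion patterns, and the scanner reports a user once, on the first port beyond the threshold.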
8. The method of claim 1 wherein the detecting events that indicate an unauthorized entry into the host computer comprises:
a. at the host computer, detecting anomalous events when a user logs out of the computer system comprising;
i. monitoring a user's file history to determine if the user's file history has been altered;
ii. monitoring computer system files to determine if a modification has been made that indicates an unauthorized intrusion into the computer system;
iii. monitoring a user's computer files to determine if a modification has been made that indicates an unauthorized intrusion into the computer system;
iv. determining if a program has been left running that should have stopped running when the user logs out of the computer system; and
b. if an anomalous event has been detected;
i. notifying a control function about the anomalous event; and
ii. allowing the control function to take user specified action in response to the anomalous event.

9. The method of claim 1 wherein the detecting unauthorized users comprises:
a. if the user has attempted to log in from a computer that is not allowed access to the host computer, notifying the control function about the attempted login; and
b. allowing the control function to take action in response.

10. The method of claim 1 wherein the detecting unauthorized users comprises:
a. if the user attempts to log into the host computer and has an active login, at the host computer checking to determine if the user is allowed to have more than one login active simultaneously, and if not notifying a control function about the attempted login; and
b. at the host computer, automatically executing a specific action in response to the event by the control function.

11. The method of claim 2 wherein the dynamically constructed user profile for each computer user comprises storing user name, login terminal, time of creation of initial user profile, time of user's first login, time history of the user's logins, time periods that the user is allowed to log into the system and total number of logins for the computer user.

12. The method of claim 11 wherein the user profile is stored in a user profile database.

13. The method of claim 11 wherein the dynamically updating the user profile for the user comprises, for each user, entering the current login time, login terminal, updating the time history of the user's login and incrementing the total number of logins.

14. The method of claim 11 wherein the detecting unauthorized users comprises if the user has attempted to log in at a time different from the time periods that the user is allowed to log into the computer system, notifying the control function about the attempted login and allowing the control function to take user specified action in response.

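An added Python example, not the patent's own code, of the profile-based login checks of claims 2, 9, 10, 11, 13 and 14 feeding a control function that applies one of the claim 17 actions: a profile with the claim 11 fields is built on first login and updated on every later login and logout, and a login outside the allowed time window, from a disallowed terminal, or concurrent with an active session is reported. The allowed-hours window, terminal list, action names and `when` being a `datetime` are assumptions.

```python
ACTIONS = ("log", "send_to_network_controller", "disable_account",
           "block_host", "notify_admin", "ignore")   # claim 17 action group
BLOCKING = {"disable_account", "block_host"}         # actions that deny entry

class HostMonitor:
    def __init__(self, allowed_hours, allowed_terminals,
                 multi_login=False, action="log"):
        assert action in ACTIONS                     # chosen by the admin (claim 18)
        self.allowed_hours = allowed_hours           # (start, end) hour of day
        self.allowed_terminals = set(allowed_terminals)
        self.multi_login = multi_login
        self.action = action
        self.profiles = {}   # user profile database (claim 12)
        self.active = {}     # active users: name -> (terminal, login time)
        self.events = []     # events stored by the control function (claim 17a)

    def control(self, user, reason):
        """Control function: store the event and return the configured action."""
        self.events.append((user, reason, self.action))
        return self.action

    def login(self, user, terminal, when):
        """Return 'ok' or the control function's action; `when` is a datetime."""
        if user not in self.profiles:                # first login: build profile
            self.profiles[user] = {
                "user": user, "terminal": terminal, "created": when,
                "first_login": when, "history": [], "logins": 0,
                "allowed_hours": self.allowed_hours}  # claim 11 fields
        p = self.profiles[user]
        lo, hi = p["allowed_hours"]
        if not lo <= when.hour < hi:                 # claim 14: outside window
            verdict = self.control(user, "login outside allowed time period")
        elif terminal not in self.allowed_terminals: # claim 9: disallowed host
            verdict = self.control(user, "login from disallowed terminal")
        elif user in self.active and not self.multi_login:  # claim 10
            verdict = self.control(user, "second simultaneous login")
        else:
            verdict = "ok"
        p["history"].append(when)                    # claim 13: update profile
        p["terminal"], p["logins"] = terminal, p["logins"] + 1
        if verdict not in BLOCKING:
            self.active[user] = (terminal, when)     # claim 16 entry
        return verdict

    def logout(self, user, when):
        self.active.pop(user, None)                  # claim 15b
        self.profiles[user]["last_logout"] = when    # claim 2c
```

Note that the profile is updated even for a rejected login, so the login history keeps the evidence the control function acted on.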
15. The method of claim 1 further comprising:
a. at the host computer, dynamically constructing a list of active users logged into the host computer; and
b. at the host computer, dynamically updating the list of active users when a user logs into the host computer and logs out of the host computer.

16. The method of claim 15 wherein the list of active users comprises user name, user terminal and time of user login.

17. The method of claim 1 wherein the control function comprises:
a. storing information about unauthorized users and events that indicate an unauthorized entry into the host computer;
b. taking action in response to the unauthorized users and events, the action is selected from the group consisting of;
i. logging the information in a local controller;
ii. sending the information to a network controller;
iii. disabling the unauthorized user's account;
iv. blocking access to the host computer for the user;
v. notifying a system administrator; and
vi. ignoring the unauthorized user and unauthorized entry.

18. The method of claim 17 wherein the action taken is defined by the system administrator prior to initialization of the host computer.

19. The method of claim 1 wherein the control function is located in the host computer where the unauthorized user and unauthorized entry occurred.

20. The method of claim 19 further comprising the control function in the host computer sends information about unauthorized users and events to a central computer connected to the host computer.

21. The method of claim 1 wherein the control function is located in a central computer connected to the host computer.

22. The method according to claim 21 further comprising multiple host computers connected to the central computer.

23. The method of claim 22 wherein the control function in the central computer comprises:
a. performing centralized analysis of unauthorized users and events;
b. performing correlation of unauthorized users and events from the multiple host computers;
c. alerting a central computer system administrator; and
d. sending the analysis and correlation results to the multiple host computers.

24. The method of claim 1 further comprising:
a. for each user, continuously monitoring user activity for a threat to the host computer; and
b. the continuously monitoring comprises analyzing user command entries and comparing the entries to known threat events and known attack patterns indicating a computer intrusion and if a match occurs, notifying the control function and allowing the control function to take action in response.

25. The method of claim 24 further comprising continuously monitoring the host computer process accounting records and comparing the entries to known threat events and known attack patterns indicating a computer intrusion and if a match occurs, notifying the control function and allowing the control function to take action in response.

26. The method of claim 24 further comprising continuously monitoring commands entered by the user and comparing the commands to known threat events and known attack patterns indicating a computer intrusion and if a match occurs, notifying the control function and allowing the control function to take action in response.

27. The method of claim 1 further comprising continuously monitoring network port activity and comparing the activity to known threat events and known attack patterns indicating a computer intrusion and if a match occurs, notifying the control function and allowing the control function to take action in response.

28. The method of claim 22 wherein the action taken is selected from the group consisting of logging the event, removing the user from the host computer and executing a selected command.

29. Computer executable software code stored on a computer readable medium, the code for a network-independent, host-based computer implemented method for detecting intruders in a host computer, comprising:
a. code for detecting an unauthorized user attempting to enter into the host computer by comparing actions of the user to a dynamically built profile for the user, and if the action is out of range of the user profile, notifying a control function;
b. code for detecting events that indicate an unauthorized entry into the host computer has occurred by comparing and if an event occurs that indicates unauthorized entry, notifying a control function; and
c. code for automatically executing a specific action in response to the event by the control function.
(Dependent claim: 30.)

30. The computer executable software code of claim 29 further comprising:
a. code for dynamically constructing a user profile for each computer user when the computer user first attempts to log into the host computer;
b. code for dynamically updating the user profile for the user for each attempt by the user to log into the host computer after the first attempt; and
c. code for updating the user profile when the user logs out of the host computer.

31. A computer-readable medium having computer-executable software code stored thereon, the code for a network-independent, host-based computer implemented method for detecting intruders in a host computer, comprising:
a. code for detecting an unauthorized user attempting to enter into a host computer by comparing actions of the user to a dynamically built profile for the user, and if the action is out of range of the user profile, notifying a control function;
b. code for detecting events that indicate an unauthorized entry into the host computer has occurred by comparing and if an event occurs that indicates unauthorized entry, notifying a control function; and
c. code for automatically executing a specific action in response to the event by the control function.