System and method for analyzing filesystems to detect intrusions
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
15 Claims
1. A system for detecting intrusions on a host, comprising:
a) a sensor configured to collect information directly from a filesystem, the filesystem being associated with the host and including directories having allocated and deallocated directory entries; and
b) a directory processing mechanism configured to extract the deallocated entries and create a partial ordering of the entries, wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.
(Dependent claims 2-10)
11. A system for detecting intrusions on a host, comprising:
a) a sensor configured to collect information directly from a filesystem directory associated with the host; and
b) a file processing mechanism configured to match contents of a deleted file to a directory and filename in the filesystem;
wherein the file processing mechanism is configured to use temporal information in matching the contents to a directory and filename.
(Dependent claims 12-13)
14. A method for detecting intrusions on a host, comprising the steps of:
a) collecting information directly from a filesystem associated with the host, the filesystem including directories having allocated and deallocated directory entries;
b) extracting the deallocated entries; and
c) creating a partial ordering of the entries;
wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.
15. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
a) collecting information directly from a filesystem associated with the host, the filesystem including directories having allocated and deallocated directory entries;
b) extracting the deallocated entries; and
c) creating a partial ordering of the entries;
wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.
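The directory processing steps of claims 1, 14 and 15 (collect the directory, extract deallocated entries, order them) can be illustrated on an ext2/ext3-style linear directory block. This is an added example and not code from the patent or its assignee; it assumes the classic ext2 entry layout (inode, rec_len, name_len, file_type, name), in which unlinking a file only extends the previous entry's rec_len, so the unlinked entry's header and name survive in that entry's slack. The "partial ordering" here takes physical order inside one slack region as the relative creation order (an assumption that holds for first-fit insertion), and leaves entries from different slack regions incomparable. The directory block is constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ext2/ext3 linear directory entry header: inode (u32), rec_len (u16),
# name_len (u8), file_type (u8), followed by the name (no NUL terminator).
DIRENT_HDR = struct.Struct("<IHBB")


@dataclass
class DirEntry:
    offset: int      # byte offset within the directory block
    inode: int
    rec_len: int
    name: str
    allocated: bool  # False = carved out of another entry's slack


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _read_entry(block: bytes, off: int):
    """Decode the header at `off`; return (inode, rec_len, name_len, name),
    or None when the name bytes are not printable ASCII."""
    inode, rec_len, name_len, _ftype = DIRENT_HDR.unpack_from(block, off)
    raw = block[off + 8: off + 8 + name_len]
    if len(raw) != name_len or not all(32 <= b < 127 for b in raw):
        return None
    return inode, rec_len, name_len, raw.decode("ascii")


def carve_slack(block: bytes, start: int, end: int) -> List[DirEntry]:
    """Scan the unused tail of one allocated entry for deallocated entries.
    A plausible entry has a non-zero inode, a non-empty printable name,
    a rec_len that covers the name, and stays inside the slack region."""
    found = []
    off = start
    while off + 8 <= end:
        parsed = _read_entry(block, off)
        if (parsed is None or parsed[0] == 0 or parsed[2] == 0
                or parsed[1] < 8 + parsed[2] or off + parsed[1] > end):
            off += 4          # entries are 4-byte aligned; keep scanning
            continue
        inode, rec_len, _n, name = parsed
        found.append(DirEntry(off, inode, rec_len, name, False))
        off += rec_len
    return found


def walk_directory(block: bytes):
    """Follow the allocated rec_len chain (what the kernel itself sees) and
    return (allocated entries, groups of deallocated entries), one group per
    slack region in physical order."""
    allocated, groups = [], []
    off = 0
    while off + 8 <= len(block):
        parsed = _read_entry(block, off)
        if parsed is None:
            break             # corrupt name in the live chain; stop the walk
        inode, rec_len, name_len, name = parsed
        if rec_len < 8 or off + rec_len > len(block):
            break
        allocated.append(DirEntry(off, inode, rec_len, name, True))
        used = _align4(8 + name_len)
        group = carve_slack(block, off + used, off + rec_len)
        if group:
            groups.append(group)
        off += rec_len
    return allocated, groups


def created_before(groups, a: str, b: str) -> Optional[bool]:
    """Partial order over deleted names: True/False when both sit in the same
    slack region (assumption: physical order there is creation order),
    None when they are incomparable."""
    for group in groups:
        names = [e.name for e in group]
        if a in names and b in names:
            return names.index(a) < names.index(b)
    return None


def _dirent(inode, name, rec_len, occupied=None, ftype=1) -> bytes:
    """Constructed entry: the header claims `rec_len`, but only `occupied`
    bytes are emitted so that entries hidden in its slack stay in place."""
    data = DIRENT_HDR.pack(inode, rec_len, len(name), ftype) + name.encode()
    return data.ljust(occupied or rec_len, b"\0")


# Constructed 128-byte block: a.txt's rec_len grew from 16 to 48 when the two
# entries after it were unlinked; their headers and names are still present.
SAMPLE_BLOCK = (
    _dirent(2, ".", 12, ftype=2)
    + _dirent(2, "..", 12, ftype=2)
    + _dirent(12, "a.txt", 48, occupied=16)
    + _dirent(13, "old.key", 16)        # deallocated, hidden in a.txt's slack
    + _dirent(15, "tmp.sh", 16)         # deallocated, created after old.key
    + _dirent(14, "b.log", 56)          # last live entry runs to block end
)

if __name__ == "__main__":
    live, deleted = walk_directory(SAMPLE_BLOCK)
    print("allocated:", [e.name for e in live])
    for group in deleted:
        print("deleted, oldest first:", [(e.name, e.inode, e.offset) for e in group])
```

Running the block against the constructed directory lists four live names and recovers `old.key` and `tmp.sh` from the slack of `a.txt`, with `old.key` ordered before `tmp.sh`; asking how `old.key` relates to a name from a different slack region yields `None`, which is what makes the result a partial rather than a total order. On a real image the same walk is applied per directory block, and the recovered names and inode numbers feed the content-matching step of claim 11.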