System and method for detecting buffer overflow attacks
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
18 Claims
1. A system for detecting intrusions on a host, comprising:
a) a database of commands and files accessed by the commands, including dependencies encoded as classes of objects; and
b) an analysis engine configured to compare an access time of a first command with access and modification times of files expected to be accessed by the first command and identify the first command as suspicious if the files expected to be accessed by the first command were not in fact accessed.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)

17. A method for detecting intrusions on a host, comprising the steps of:
a) providing a database of commands and files accessed by the commands;
b) encoding dependencies as classes of objects in the database;
c) comparing an access time of a first command with access and modification times of files expected to be accessed by the first command; and
d) identifying the first command as suspicious if the files expected to be accessed by the first command were not in fact accessed.

18. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
a) providing a database of commands and files accessed by the commands;
b) encoding dependencies as classes of objects in the database;
c) comparing an access time of a first command with access and modification times of files expected to be accessed by the first command;
d) identifying the first command as suspicious if the files expected to be accessed by the first command were not in fact accessed.
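As an added illustration of the timestamp comparison in claims 1 and 17 (example code, not the patent's own implementation), the following Python flags a command whose expected files show no access since the command binary was last executed; the command database, the dependency classes, the constructed timestamps and the one-second slack are assumptions:

```python
import os
from dataclasses import dataclass

# Constructed command database (assumption, not the patent's data): each command
# maps to dependency "classes of objects" grouping the files it is expected to
# touch during a normal run.
COMMAND_DB = {
    "/usr/sbin/ftpd": {"config": ["/etc/ftpd.conf"], "log": ["/var/log/ftpd.log"]},
    "/bin/login": {"auth": ["/etc/passwd", "/etc/shadow"], "log": ["/var/log/wtmp"]},
}


@dataclass
class Timestamps:
    atime: float  # last access (read or execute)
    mtime: float  # last content modification


def snapshot(paths):
    """Collect atime/mtime from the live filesystem for the paths that exist.
    Caveat: on noatime/relatime mounts atime is not refreshed on every read,
    which weakens the signal; mtime still moves when a log or spool is written."""
    out = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            out[p] = Timestamps(st.st_atime, st.st_mtime)
    return out


def check_command(command, timestamps, db=COMMAND_DB, slack=1.0):
    """Return the (class, file) pairs NOT touched since the command binary was
    last accessed (i.e. executed). `slack` absorbs coarse-grained timestamps so
    a file opened in the same second as the exec still counts as accessed."""
    cmd_atime = timestamps[command].atime
    missed = []
    for cls, files in db[command].items():
        for f in files:
            ts = timestamps.get(f)
            # A file that cannot be found cannot have been accessed normally.
            if ts is None or max(ts.atime, ts.mtime) + slack < cmd_atime:
                missed.append((cls, f))
    return missed


def is_suspicious(command, timestamps, db=COMMAND_DB):
    """Claim 1(b): the command ran but its expected files were not accessed."""
    return bool(check_command(command, timestamps, db))
```

Run `check_command` over `snapshot(list_of_paths)` to evaluate a real host; a hijacked service that never reached its normal file I/O shows up as a non-empty list.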
Specification