Method and system for detecting intrusion into and misuse of a data processing system
Abstract
Disclosed is a Security Indications and Warning (SI&W) Engine usable in conjunction with an audit agent. The audit agent forwards normalized audits to the SI&W Engine. The SI&W Engine groups the normalized audits into related groupings. Gauges are used to count the number of occurrences of audited events. A statistical engine provides statistical representations of the number of events per user, per session and per node. A predetermined number of criteria are defined for a particular gauge or gauge pair. There may be many criteria for a particular network. When a predetermined number of criteria within a criteria set are triggered, an indicator is triggered. More complex indicators can use combinations of lower level indicators to provide further indications of potential security threats. Thus, a hierarchical system of gauges, criteria and indicators is used to measure boundary violations and breaches of different barriers. Advantageously, because there are no predefined scenarios or profiles that must be performed by a potential misuser or intruder, the SI&W Engine of the present invention is capable of indicating that a potential security threat exists in near-real time.
Claims (27)

1. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
- linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on an operating system;
- first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists.
(Dependent claims: 2-17)

18. An article, comprising:
- at least one sequence of machine executable instructions;
- a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to:
- link together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
- link together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on an operating system;
- first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists.

19. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
- linking means for linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on an operating system;
- first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists.

20. A computer system, comprising:
- a processor; and
- a memory coupled to said processor, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of:
- linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
- linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on an operating system;
- first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists.

21. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- linking together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

22. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- linking together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the number of occurrences of a particular activity is counted over a period of time and the weights are adjusted in accordance with predetermined values.

23. An article, comprising:
- at least one sequence of machine executable instructions;
- a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to:
- link together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- link together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

24. An article, comprising:
- at least one sequence of machine executable instructions;
- a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to:
- link together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- link together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the number of occurrences of a particular activity is counted over a period of time and the weights are adjusted in accordance with predetermined values.

25. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- linking means for linking together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

26. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- linking means for linking together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the number of occurrences of a particular activity is counted over a period of time and the weights are adjusted in accordance with predetermined values.

27. A computer system, comprising:
- a processor; and
- a memory coupled to said processor, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of:
- linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
- linking together multiple operating system audits into a second related grouping, each audit including information about activities on an operating system;
- first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
- second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
- if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the number of occurrences of a particular activity is counted over a period of time and the weights are adjusted in accordance with predetermined values.

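The abstract describes a hierarchy of gauges, criteria and indicators over audits linked per user, per session and per node, and claims 1 and 21 through 27 add the weighted count (weight times occurrences over a period, with the weight derived from user, host and network factors) and the rule that a warning is raised only when both thresholds are met. The following Python is an added illustration of that scheme written for this page; it is not the patent's own code or any product's implementation. The event names, the weight and factor tables, the `Audit` and `Criterion` types, and the sample audits are all constructed assumptions.

```python
"""Toy Security Indications and Warning (SI&W) engine (added illustration,
not the patent's own code). Every name, weight and sample audit is assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Audit:
    """One normalized operating-system audit as an audit agent would forward it."""
    ts: int        # seconds into the observation window (constructed)
    user: str
    node: str
    session: str
    event: str     # normalized event name assigned by the audit agent


# Constructed sample: a run of logon failures in one session on ws01, then a
# privilege-related burst in a second session on db01, plus unrelated activity.
SAMPLE_AUDITS = [
    Audit(0,  "alice", "ws01", "s1", "login_failure"),
    Audit(5,  "alice", "ws01", "s1", "login_failure"),
    Audit(9,  "alice", "ws01", "s1", "login_failure"),
    Audit(14, "alice", "ws01", "s1", "login_failure"),
    Audit(20, "alice", "ws01", "s1", "login_success"),
    Audit(40, "alice", "db01", "s2", "su_attempt"),
    Audit(45, "alice", "db01", "s2", "sensitive_file_read"),
    Audit(50, "bob",   "ws02", "s3", "login_success"),
]

# Base weight per event and the user/host/network factors that adjust it
# (claims 21, 23, 25). All values are assumptions chosen for the example.
EVENT_WEIGHT = {"login_failure": 1.0, "login_success": 0.0,
                "su_attempt": 3.0, "sensitive_file_read": 2.0}
USER_FACTOR = defaultdict(lambda: 1.0, {"root": 2.0})   # privileged accounts count more
HOST_FACTOR = defaultdict(lambda: 1.0, {"db01": 2.0})   # sensitive hosts count more
NETWORK_FACTOR = 1.0                                     # raise for untrusted segments

# Linking keys: the abstract's per-user, per-session and per-node groupings.
LINK_KEYS = {"user": lambda a: a.user,
             "session": lambda a: a.session,
             "node": lambda a: a.node}


def weight_for(event, user, node):
    """Weight of one occurrence, derived from user, host and network factors."""
    return EVENT_WEIGHT.get(event, 1.0) * USER_FACTOR[user] * HOST_FACTOR[node] * NETWORK_FACTOR


def link_audits(audits, link_by):
    """Link audits into related groupings keyed by user, session or node."""
    key = LINK_KEYS[link_by]
    groups = defaultdict(list)
    for a in audits:
        groups[key(a)].append(a)
    return dict(groups)


def gauge_total(group, window):
    """Gauge for one grouping: count occurrences of each activity within the
    window, multiply each count by its weight, and sum (claims 21 and 22)."""
    start, end = window
    counts = Counter((a.event, a.user, a.node) for a in group if start <= a.ts < end)
    return float(sum(n * weight_for(ev, u, h) for (ev, u, h), n in counts.items()))


@dataclass(frozen=True)
class Criterion:
    """A threshold on the gauge of one grouping."""
    link_by: str       # "user", "session" or "node"
    group_id: str
    threshold: float


def criterion_met(audits, c, window):
    """Return (met, total) for one criterion over the given window."""
    total = gauge_total(link_audits(audits, c.link_by).get(c.group_id, []), window)
    return total >= c.threshold, total


def indicator_from_set(audits, criteria, required, window):
    """Abstract: an indicator triggers when a predetermined number of the
    criteria in its set are triggered."""
    audits = list(audits)
    return sum(criterion_met(audits, c, window)[0] for c in criteria) >= required


def early_warning(audits, first, second, window=(0, 60)):
    """Claim 1: indicate a potential threat only if BOTH thresholds are met.
    Returns the decision plus both gauge totals so an analyst can see why."""
    audits = list(audits)
    met1, t1 = criterion_met(audits, first, window)
    met2, t2 = criterion_met(audits, second, window)
    return met1 and met2, {"first": t1, "second": t2}


if __name__ == "__main__":
    failed_logons = Criterion("session", "s1", 3.0)  # weighted failures in session s1
    db_privilege = Criterion("node", "db01", 8.0)    # weighted privilege activity on db01
    print(early_warning(SAMPLE_AUDITS, failed_logons, db_privilege))          # fires
    print(early_warning(SAMPLE_AUDITS, failed_logons, db_privilege, (0, 30)))  # does not
```

Over the full window the session gauge for s1 is 4.0 (four failures at weight 1.0) and the node gauge for db01 is 10.0 (one su_attempt and one sensitive read, each doubled by the host factor), so both criteria are met and the indicator fires. Narrowing the window to the first 30 seconds leaves the db01 gauge at 0.0, and the same logon failures alone do not raise the warning, which is the point of requiring both thresholds rather than either one. `indicator_from_set` generalizes the two-threshold rule to the abstract's "predetermined number of criteria within a criteria set".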