Method and system for detecting intrusion into and misuse of a data processing system

US 6,839,850 B1
Filed: 03/04/1999
Issued: 01/04/2005
Est. Priority Date: 03/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of providing early detection of a potential computer security threat, comprising:

linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;

linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on operating system;

first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;

second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and

if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a Security Indications and Warning (SI&W) Engine usable in conjunction with an audit agent. The audit agent forwards normalized audits to the SI&W Engine. The SI&W Engine groups the normalized audits into related groupings. Gauges are used to count the number of occurrences of audited events. A statistical engine provides statistical representations of the number of events per user, per session and per node. A predetermined number of criteria are defined a particular gauge or gauge pair. There may be many criteria for a particular network. When a predetermined number of criteria within a criteria set are triggered, an indicator is triggered. More complex indicators can use combinations of lower level indicators to provide further indications of potential security threads. Thus, a hierarchical system of gauges, criteria and indicators is used to measure boundary violations and breaches of different barriers. Advantageously, because there are no predefined scenarios or profiles that must be performed by a potential misuser or intruder, the SI&W Engine of the present invention is capable of indicating that a potential security threat exists in near-real time.

302 Citations

27 Claims

1. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
  
  linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on operating system;
  
  first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, comprising receiving operating system audits in a standardized format.
  - 3. The method of claim 1, wherein said first grouping is performed during a first time period and said second grouping is performed during a second time period.
  - 4. The method of claim 1, wherein the first threshold includes a predetermined number of failed network logins.
  - 5. The method of claim 1, wherein the second threshold includes a predetermined number of failed host logins.
  - 6. The method of claim 1, wherein the related groupings include at least one field having common information.
  - 7. The method of claim 1, comprising assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping.
  - 8. The method of claim 7, comprising comparing the total against a predetermined threshold to activate a criterion.
  - 9. The method of claim 7wherein the weight is assigned based on user, host, and network factors.
  - 10. The method of claim 8, comprisingchanging weights recorded to a related grouping of activities based upon the total for the related grouping.
  - 11. The method of claim 10, comprising increasing the weights accorded to a related grouping of activities based upon the total for the related grouping being above a predetermined threshold.
  - 12. The method of claim 10, comprising decreasing the weights accorded to a related grouping of activities based upon the total for the related grouping being below a predetermined threshold.
  - 13. The method of claim 7, comprisingcounting number of occurrences of a particular activity over a period of time and adjusting weights in accordance with predetermined values.
  - 14. The method of claim 7, comprisingreducing the weight accorded to an activity based upon the amount of time elapsed since the activity occurred.
  - 15. The method of claim 14, wherein the weight is adjusted by a straight line formula.
  - 16. The method of claim 14, wherein the weight is adjusted by an exponential formula.
  - 17. The method of claim 1, comprising:
    - linking together multiple operating system audits into a third related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
      
      linking together multiple operating system audits into a fourth related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
      
      third determining whether the multiple operating system audits in the third related grouping include activities meeting a third threshold;
      
      fourth determining whether the multiple operating system audits in the fourth grouping include activities meeting a fourth threshold;
      
      if both the third and the fourth thresholds are met, then indicating that a second potential computer security threat exists; and
      
      if both the first and a second potential security threats exist then providing an additional indication that a heightened computer security threat exists.

18. An article, comprising:
- at least one sequence of machine executable instructions;
  
  a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to;
  
  link together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
  
  link together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on operating system;
  
  first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists.

19. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
  
  linking means for linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on operating system;
  
  first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists.

20. A computer system, comprising:
- a processor; and
  
  a memory coupled to said processor, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of;
  
  linking together multiple operating system audits into a first related grouping by analyzing and consolidating the system audits, each audit including information about activities on at least one operating system;
  
  linking together multiple operating system audits into a second related grouping by analyzing and consolidating the system audits, each audit including information about activities on operating system;
  
  first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold;
  
  and if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists.

21. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  linking together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

22. A method of providing early detection of a potential computer security threat, comprising:
- linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  linking together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein counting number of occurrences of a particular activity over a period of time and adjusting weights in accordance with predetermined values.

23. An article, comprising:
- at least one sequence of machine executable instructions;
  
  a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to;
  
  link together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  link together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

24. An article, comprising:
- at least one sequence of machine executable instructions;
  
  a medium bearing the executable instructions in machine readable form, wherein execution of the instructions by one or more processors causes the one or more processors to;
  
  link together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  link together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determine whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determine whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, then indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein counting number of occurrences of a particular activity over a period of time and adjusting weights in accordance with predetermined values.

25. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  linking means for linking together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein the weight is assigned based on user, host, and network factors.

26. A computer architecture, comprising:
- linking means for linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  linking means for linking together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determining means for determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining means for determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold; and
  
  if both the first threshold and the second threshold are met, the means indicate that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein counting number of occurrences of a particular activity over a period of time and adjusting weights in accordance with predetermined values.

27. A computer system, comprising:
- a processor; and
  
  a memory coupled to said processor, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of;
  
  linking together multiple operating system audits into a first related grouping, each audit including information about activities on at least one operating system;
  
  linking together multiple operating system audits into a second related grouping, each audit including information about activities on operating system;
  
  first determining whether the multiple operating system audits in the first related grouping include activities meeting a first threshold;
  
  second determining whether the multiple operating system audits in the second grouping include activities meeting a second threshold;
  
  and if both the first threshold and the second threshold are met, then indicating that a first potential computer security threat exists, assigning a weight to each of the audits linked into a grouping and for each audit multiplying the weight times the number of occurrences to arrive at a total for each grouping, wherein counting number of occurrences of a particular activity over a period of time and adjusting weights in accordance with predetermined values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
PRC, Inc. (Arthur D. Little, Inc.)
Inventors
Campbell, Wayne A., Walker, Jeffrey H.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US09/262,027
Time in Patent Office

2,133 Days
Field of Search

713/200, 713/201, 709/223, 709/224, 709/226, 709/229
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and system for detecting intrusion into and misuse of a data processing system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

302 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting intrusion into and misuse of a data processing system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links