System and method for detecting computer intrusions

US 6,996,843 B1
Filed: 08/30/2000
Issued: 02/07/2006
Est. Priority Date: 08/30/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A system for detecting intrusion on a host, comprising:

a) a source of rules;

b) a source of facts; and

c) an analysis engine executed on a processor in communication with the source of rules and source of facts, configured to determine whether an intrusion has taken place by applying forward- and backward-chaining using facts from the source of facts and rules from the source of rules by;

(i) using forward chaining to generate one or more inferences;

(ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;

(iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal'"'"'s potential parents into other sub-goals; and

(iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place,wherein the analysis engine is further configured to use continuations to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

Citations

17 Claims

1. A system for detecting intrusion on a host, comprising:
- a) a source of rules;
  
  b) a source of facts; and
  
  c) an analysis engine executed on a processor in communication with the source of rules and source of facts, configured to determine whether an intrusion has taken place by applying forward- and backward-chaining using facts from the source of facts and rules from the source of rules by;
  
  (i) using forward chaining to generate one or more inferences;
  
  (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
  
  (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal'"'"'s potential parents into other sub-goals; and
  
  (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place,wherein the analysis engine is further configured to use continuations to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system as recited in claim 1, wherein the analysis engine performs forward-chaining by using the facts to generate inferences using the rules, and the analysis engine is further configured to limit lengths of the forward-chaining.
  - 3. The system as recited in claim 2, wherein the analysis engine is configured to perform backward-chaining from a goal and produce at least one sub-goal.
  - 4. The system as recited in claim 3, wherein the analysis engine is configured to assign a score to the goal.
  - 5. The system as recited in claim 4, wherein the score comprises at least one of a cost function, a confidence factor, a support value, and importance of the goal.
  - 6. The system as recited in claim 4, wherein the analysis engine is further configured to use the scores to select a goal to be pursued.
  - 7. The system as recited in claim 6, wherein the rules are configured to enable the system to detect an intrusion after occurrence of the intrusion.
  - 8. The system as recited in claim 7, wherein the rules are configured to cause the analysis engine to correlate and evaluate facts from a plurality of sources of facts.
  - 9. The system as recited in claim 8, wherein the plurality of sources comprises primary, secondary, and indirect sources of facts.
  - 10. The system as recited in claim 8, wherein the rules are further configured to cause the analysis to collect, correlate, and evaluate facts related to all phases of an attack.
  - 11. The system as recited in claim 2, wherein the analysis engine is configured to correlate and evaluate incomplete facts to detect attacks with missing or forged facts.
  - 12. The system as recited in claim 1, further comprising a user interface, wherein the analysis engine is configured to provide the user interface with an analysis based on the facts and rules, and provide the user interface with information relating to the analysis.
  - 13. The system as recited in claim 12, wherein the analysis engine is further configured to provide background information relating to the analysis.
  - 14. A method as in claim 1, wherein the subdivision of rules is organized into a set of graphs.
  - 15. A method as in claim 14, wherein information associated with connections in the set of graphs are used at least in part to schedule the processing of a goal.

16. A method implemented on a computer for detecting intrusions on a host, comprising the steps of:
- a) providing a source of rules and a source of facts;
  
  b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by;
  
  (i) using forward chaining to generate one or more inferences;
  
  (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
  
  (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal'"'"'s potential parents into other sub-goals; and
  
  (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place,wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.

17. A computer program product for detecting intrusions on a host, the computer program product being embodied in a tangible computer readable medium having machine readable code embodied therein for performing the steps of:
- a) providing a source of rules and a source of facts;
  
  b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by;
  
  (i) using forward chaining to generate one or more inferences;
  
  (ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
  
  (iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal'"'"'s potential parents into other sub-goals; and
  
  (iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place,wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/651,439
Time in Patent Office

1,987 Days
Field of Search

706/45, 706/46, 706/47, 706/48, 706/908, 706/934, 706/10, 706/51, 713/188, 713/200, 713/201, 726/22, 726/23
US Class Current

726/23
CPC Class Codes

G06F 21/564   by virus signature recognition

G06N 5/042   Backward inferencing

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

System and method for detecting computer intrusions

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting computer intrusions

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links