System and method for detecting computer intrusions
First Claim
1. A system for detecting intrusion on a host, comprising:
a) a source of rules;
b) a source of facts; and
c) an analysis engine executed on a processor in communication with the source of rules and source of facts, configured to determine whether an intrusion has taken place by applying forward- and backward-chaining using facts from the source of facts and rules from the source of rules by:
(i) using forward chaining to generate one or more inferences;
(ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
(iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and
(iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein the analysis engine is further configured to use continuations to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.
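As an added illustration of the chaining loop in claim 1 (example code written for this page, not the patent's or any assignee's implementation), the following Python engine feeds sensor facts into forward chaining, treats each inference as a possible sub-goal of a parent rule, backward-chains into that rule's other sub-goals, and, when a needed fact is not yet available, parks the rule as a continuation keyed on the missing fact, resuming from the premise (segment) where it stopped once the fact arrives. The rule names (R1..R3) and fact names are constructed for the example; the intrusion flag on a rule is the assumed way of marking "this goal indicates an intrusion".

```python
from collections import defaultdict


class Rule:
    """When every premise (sub-goal) holds, the conclusion is inferred.
    Each premise is treated as one segment of the rule, so a rule can be
    suspended between segments and resumed later (a continuation)."""

    def __init__(self, name, premises, conclusion, intrusion=False):
        self.name = name
        self.premises = tuple(premises)
        self.conclusion = conclusion
        self.intrusion = intrusion  # assumed marker: concluding this rule signals an intrusion


class ChainingEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.facts = set()                   # sensor observations plus derived inferences
        self.alerts = []                     # names of intrusion rules that concluded
        self.parents = defaultdict(list)     # sub-goal -> rules that use it as a premise
        for rule in self.rules:
            for premise in rule.premises:
                self.parents[premise].append(rule)
        self.waiting = defaultdict(list)     # missing fact -> [(rule, next segment index)]
        self.suspended = set()               # rules currently parked as continuations

    def observe(self, fact):
        """Feed one sensor fact; return the intrusion alerts it newly triggers."""
        before = len(self.alerts)
        self._establish(fact, via=None)
        return self.alerts[before:]

    def _establish(self, fact, via):
        """Record a fact (observation or inference) and propagate it forward."""
        if fact in self.facts:
            return
        self.facts.add(fact)
        if via is not None and via.intrusion:        # (iv) does this goal indicate intrusion?
            self.alerts.append(via.name)
        # (i)/(ii): the fact matches a sub-goal of each parent rule; pursue those parents
        for rule in self.parents.get(fact, []):
            if rule not in self.suspended:
                self._pursue(rule, 0)
        # resume continuations that were waiting for exactly this fact
        for rule, idx in self.waiting.pop(fact, []):
            self.suspended.discard(rule)
            self._pursue(rule, idx)

    def _pursue(self, rule, idx):
        """Work through the rule's segments from idx: (iii) backward-chain into each
        unknown sub-goal, or suspend on the first one that cannot be proved yet."""
        for i in range(idx, len(rule.premises)):
            premise = rule.premises[i]
            if premise in self.facts or self._prove(premise, set()):
                continue
            # required data not available: store a continuation keyed on the missing fact
            self.waiting[premise].append((rule, i))
            self.suspended.add(rule)
            return
        self._establish(rule.conclusion, via=rule)

    def _prove(self, goal, visited):
        """Backward chaining: try to derive goal from rules that conclude it."""
        if goal in self.facts:
            return True
        if goal in visited:                  # guard against cyclic rule sets
            return False
        visited.add(goal)
        for rule in self.rules:
            if rule.conclusion == goal and all(self._prove(p, visited) for p in rule.premises):
                self._establish(goal, via=rule)
                return True
        return False


# Constructed rule set loosely modelled on the abstract's mechanisms (log timestamp
# checks, file signature checks); names are illustrative only.
RULES = [
    Rule("R1", ["log_timestamp_goes_backward"], "log_tampering_suspected"),
    Rule("R2", ["file_signature_mismatch", "file_is_system_binary"], "binary_modified"),
    Rule("R3", ["binary_modified", "log_tampering_suspected"], "host_compromised", intrusion=True),
]

# Constructed sensor stream: the fact R2 needs arrives last, so R2 and then R3 are
# suspended as continuations and resumed when it shows up.
OBSERVATIONS = [
    "file_signature_mismatch",
    "log_timestamp_goes_backward",
    "file_is_system_binary",
]


def demo():
    """Run the constructed stream; returns the alerts produced per observation."""
    engine = ChainingEngine(RULES)
    return [engine.observe(fact) for fact in OBSERVATIONS]


if __name__ == "__main__":
    print(demo())  # only the third observation completes R2 and R3, yielding ['R3']
```

The engine never re-scans the whole rule base when a fact arrives: a rule that is blocked on one missing fact is stored once under that fact and resumed from its next segment, which is the scheduling behaviour the claim's "continuations" language describes.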
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
17 Claims
1. Claim 1 is reproduced above under First Claim; claims 2 to 15 depend from it.
16. A method implemented on a computer for detecting intrusions on a host, comprising the steps of:
a) providing a source of rules and a source of facts;
b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by:
(i) using forward chaining to generate one or more inferences;
(ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
(iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and
(iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.
17. A computer program product for detecting intrusions on a host, the computer program product being embodied in a tangible computer readable medium having machine readable code embodied therein for performing the steps of:
a) providing a source of rules and a source of facts;
b) forward- and backward-chaining using facts from the source of facts and rules from the source of rules by:
(i) using forward chaining to generate one or more inferences;
(ii) determining which, if any, of the inferences matches a sub-goal associated with a rule from the source of rules;
(iii) with respect to each inference that matches a sub-goal, applying backward chaining from that sub-goal's potential parents into other sub-goals; and
(iv) for each sub-goal reached either by forward or backward chaining, determining whether the sub-goal indicates an intrusion has taken place, wherein continuations are used to schedule the processing of a goal based at least in part on whether the data required to continue processing the goal is available and based at least in part on a subdivision of rules into segments which each become a rule.
Specification