System and method for using signatures to detect computer intrusions

US 7,032,114 B1
Filed: 08/30/2000
Issued: 04/18/2006
Est. Priority Date: 08/30/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting intrusions, comprising:

a) a signature computing function configured to compute a computed file signature for a file;

b) a storage for storing a first file signature previously computed by the signature computing function for the file;

c) a storage for storing a second file signature previously computed by other than the signature computing function for the file; and

d) an analysis engine configured to compare the computed file signature to the first file signature and the second file signature;

determine the file is legitimate if the computed signature matches both the first file signature and the second file signature; and

either identify the file as suspicious or subject the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

255 Citations

14 Claims

1. A system for detecting intrusions, comprising:
- a) a signature computing function configured to compute a computed file signature for a file;
  
  b) a storage for storing a first file signature previously computed by the signature computing function for the file;
  
  c) a storage for storing a second file signature previously computed by other than the signature computing function for the file; and
  
  d) an analysis engine configured to compare the computed file signature to the first file signature and the second file signature;
  
  determine the file is legitimate if the computed signature matches both the first file signature and the second file signature; and
  
  either identify the file as suspicious or subject the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as recited in claim 1, wherein the storage for the second previously computed file signature is a package management database.
  - 3. The system as recited in claim 2, wherein the package management database is at a remote location from the host.
  - 4. The system as recited in claim 2, wherein the storage for the first previously computed file signature is an internal database.
  - 5. The system as recited in claim 4, wherein the internal database includes signatures for files previously computed by other than the signature computing function.
  - 6. The system as recited in claim 1, wherein the first file signature is previously computed from an archival file.
  - 7. The system as recited in claim 1, wherein the storage for the second signature is a package management database;
    - the system further comprises a database of exceptions; and
      
      the analysis engine is further configured to check any mismatch between the computed signature and the second signature against the database of exceptions.
  - 8. The system as recited in claim 7, wherein the database of exceptions includes a plurality of rules.
  - 9. The system as recited in claim 8, wherein the database of exceptions further includes a rule categorizing some types of files as expected to change, and other types of files as expected to remain constant.
  - 10. The system as recited in claim 9, wherein the analysis engine is further configured to use information from a file type, filename, and file type categorization to compute a suspicion level associated with a change in the file.

11. A method for detecting intrusions on a host comprising the steps of:
- a) providing a signature computer;
  
  b) computing a computed signature of a file with the signature computer;
  
  c) comparing the computed signature to a first file signature previously computed by the signature computer;
  
  d) comparing the computed signature to a second file signature previously computed by other than the signature computer;
  
  e) determining the file is legitimate if the computed signature matches both the first file signature and the second file signature; and
  
  f) either identifying the file as suspicious or subjecting the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
- View Dependent Claims (12)
- - 12. The method as recited in claim 11, further comprising the steps of:
    - a) providing a database of exceptions;
      
      b) if there is a mismatch between the computed signature and the second signature, checking the mismatch against the database of exceptions.

13. A computer program product for detecting intrusions on a host, the computer program product being embodied in a tangible computer readable medium having machine readable code embodied therein for performing the steps of:
- a) providing a signature computer;
  
  b) computing a computed signature of a file with the signature computer;
  
  c) comparing the computed signature to a first file signature previously computed by the signature computer;
  
  d) comparing the computed signature to a second file signature previously computed by other than the signature computer;
  
  e) determining the file is legitimate if the computed signature matches both the first file signature and the second file signature; and
  
  f) either identifying the file as suspicious or subjecting the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
- View Dependent Claims (14)
- - 14. A computer program product for detecting intrusions on a host as recited in claim 13, the computer program product further comprising machine readable code embodied therein for performing the steps of:
    - a) providing a database of exceptions; and
      
      b) if there is a mismatch between the computed signature and the second signature, checking the mismatch against the database of exceptions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/651,434
Time in Patent Office

2,057 Days
Field of Search

713/188, 713/176, 713/177, 713/201, 713/179, 713/187, 717/171, 717/172, 717/176, 717/177, 707/10, 709/203
US Class Current

713/187
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 2221/2151 Time stamp

System and method for using signatures to detect computer intrusions

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

255 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using signatures to detect computer intrusions

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

255 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links