System and method for using signatures to detect computer intrusions
7 Assignments
0 Petitions
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
255 Citations
14 Claims
1. A system for detecting intrusions, comprising:
a) a signature computing function configured to compute a computed file signature for a file;
b) a storage for storing a first file signature previously computed by the signature computing function for the file;
c) a storage for storing a second file signature previously computed by other than the signature computing function for the file; and
d) an analysis engine configured to compare the computed file signature to the first file signature and the second file signature; determine the file is legitimate if the computed signature matches both the first file signature and the second file signature; and either identify the file as suspicious or subject the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for detecting intrusions on a host comprising the steps of:
a) providing a signature computer;
b) computing a computed signature of a file with the signature computer;
c) comparing the computed signature to a first file signature previously computed by the signature computer;
d) comparing the computed signature to a second file signature previously computed by other than the signature computer;
e) determining the file is legitimate if the computed signature matches both the first file signature and the second file signature; and
f) either identifying the file as suspicious or subjecting the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
Dependent claim: 12.

13. A computer program product for detecting intrusions on a host, the computer program product being embodied in a tangible computer readable medium having machine readable code embodied therein for performing the steps of:
a) providing a signature computer;
b) computing a computed signature of a file with the signature computer;
c) comparing the computed signature to a first file signature previously computed by the signature computer;
d) comparing the computed signature to a second file signature previously computed by other than the signature computer;
e) determining the file is legitimate if the computed signature matches both the first file signature and the second file signature; and
f) either identifying the file as suspicious or subjecting the file to further analysis if the computed signature does not match the first file signature, the second file signature, or both.
Dependent claim: 14.
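The point of the independent claims is that a file passes only when its fresh signature agrees with two baselines that were produced independently: one by the checker's own signature function at an earlier time, one by something other than that function (for instance a vendor-published digest list). A single on-host baseline can be rewritten by the same intruder who replaced the binary; the second baseline is what exposes that. The following Python is an added worked example and is not code from the patent or from any product implementing it. It assumes SHA-256 as the signature function (the claims name no algorithm), a vendor JSON manifest as the "second" signature source, and a mapping of a single-signature mismatch to further analysis and a double mismatch to suspicious, which the claims leave open. The host files, manifest and rootkit payloads are constructed sample data.

```python
import hashlib
import hmac
import json
from enum import Enum


class Verdict(Enum):
    LEGITIMATE = "legitimate"              # matches both stored signatures
    FURTHER_ANALYSIS = "further analysis"  # matches exactly one of them
    SUSPICIOUS = "suspicious"              # matches neither


def compute_signature(data: bytes) -> str:
    """Claim element (a): the signature computing function.
    SHA-256 is an assumption; the claims do not name an algorithm."""
    return hashlib.sha256(data).hexdigest()


def build_local_baseline(files: dict) -> dict:
    """Claim element (b): first signatures, computed earlier by this same
    function and stored on the monitored host."""
    return {path: compute_signature(data) for path, data in files.items()}


def load_external_baseline(manifest_json: str) -> dict:
    """Claim element (c): second signatures computed by something other than
    our function. Assumed to be a vendor JSON manifest of path -> hex digest."""
    manifest = json.loads(manifest_json)
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in manifest.items()):
        raise ValueError("manifest must map path strings to hex digest strings")
    return manifest


def check_file(path: str, data: bytes, local: dict, external: dict):
    """Claim element (d): compare the fresh signature with both stored ones.
    Returns (Verdict, reason). Single mismatch -> FURTHER_ANALYSIS and double
    mismatch -> SUSPICIOUS is this example's choice, not the claim's."""
    computed = compute_signature(data)
    first = local.get(path)
    second = external.get(path)
    # compare_digest keeps the comparison constant-time.
    match_first = first is not None and hmac.compare_digest(computed, first)
    match_second = second is not None and hmac.compare_digest(computed, second)
    if match_first and match_second:
        return Verdict.LEGITIMATE, "matches local baseline and external manifest"
    if match_first:
        # An intruder who replaced the file and rewrote the local baseline
        # passes the first check; only the independent signature exposes it.
        return Verdict.FURTHER_ANALYSIS, "matches local baseline only: baseline tampering or stale manifest"
    if match_second:
        # A vendor update (or a downgrade to an older vendor build) that the
        # local baseline never recorded.
        return Verdict.FURTHER_ANALYSIS, "matches external manifest only: changed since local baseline"
    return Verdict.SUSPICIOUS, "matches neither stored signature"


def scan(current: dict, local: dict, external: dict) -> dict:
    """Classify every file on disk; a file known to either baseline but
    absent from disk is reported as SUSPICIOUS as well."""
    results = {path: check_file(path, data, local, external) for path, data in current.items()}
    for path in set(local) | set(external):
        if path not in current:
            results[path] = (Verdict.SUSPICIOUS, "present in a baseline but missing from disk")
    return results


# --- Constructed sample host state (not real binaries) ---------------------
FILES_AT_BASELINE = {
    "/usr/bin/ls": b"ls v1 binary",
    "/usr/bin/ps": b"ps v1 binary",
    "/usr/bin/netstat": b"netstat v1 binary",
    "/usr/bin/ssh": b"ssh v1 binary",
}
LOCAL_BASELINE = build_local_baseline(FILES_AT_BASELINE)

# Vendor manifest as fetched out of band. Real vendor tooling would produce
# it; compute_signature is used here only to build the sample. The vendor
# has since shipped ssh v2.
VENDOR_MANIFEST = json.dumps({
    "/usr/bin/ls": compute_signature(b"ls v1 binary"),
    "/usr/bin/ps": compute_signature(b"ps v1 binary"),
    "/usr/bin/netstat": compute_signature(b"netstat v1 binary"),
    "/usr/bin/ssh": compute_signature(b"ssh v2 binary"),
})

# Disk contents at scan time.
FILES_NOW = {
    "/usr/bin/ls": b"ls v1 binary",                      # untouched
    "/usr/bin/ps": b"ps v1 binary + rootkit",            # trojaned, baseline rewritten
    "/usr/bin/netstat": b"netstat v1 binary + rootkit",  # trojaned, baseline untouched
    "/usr/bin/ssh": b"ssh v2 binary",                    # legitimate vendor update
}
# The intruder also edited the local baseline to cover the ps replacement.
TAMPERED_LOCAL = {**LOCAL_BASELINE, "/usr/bin/ps": compute_signature(FILES_NOW["/usr/bin/ps"])}


def run_scenario() -> dict:
    """Return {path: Verdict} for the constructed scenario."""
    results = scan(FILES_NOW, TAMPERED_LOCAL, load_external_baseline(VENDOR_MANIFEST))
    return {path: verdict for path, (verdict, _reason) in results.items()}


if __name__ == "__main__":
    for path, (verdict, reason) in scan(FILES_NOW, TAMPERED_LOCAL,
                                        load_external_baseline(VENDOR_MANIFEST)).items():
        print(f"{verdict.value:17} {path}: {reason}")
```

In the scenario, ls is legitimate, the trojaned netstat fails both checks, and the trojaned ps passes the local baseline that the intruder rewrote but fails the vendor manifest, which is exactly the case the second signature source exists to catch. The legitimately updated ssh also lands in further analysis, since the local baseline is stale; in practice the local baseline is re-computed after a verified update so the file returns to matching both sources. The external source only helps if it is fetched and stored where the same intruder cannot edit it, for example a read-only mount or a signed manifest verified before use.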
Specification