Extensible intrusion detection system

US 7,065,657 B1
Filed: 08/30/2000
Issued: 06/20/2006
Est. Priority Date: 08/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting intrusions, comprising:

an analysis engine; and

at least one sensor, configured to communicate with the analysis engine using at least one meta-protocol under which a 4-tuple is used to represent a data item to be sent to the analysis engine for analysis;

wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;

wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;

wherein each of the plurality of meta-protocols includes a said 4-tuple;

wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;

wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

193 Citations

17 Claims

1. A system for detecting intrusions, comprising:
- an analysis engine; and
  
  at least one sensor, configured to communicate with the analysis engine using at least one meta-protocol under which a 4-tuple is used to represent a data item to be sent to the analysis engine for analysis;
  
  wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
  
  wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
  
  wherein each of the plurality of meta-protocols includes a said 4-tuple;
  
  wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
  
  wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system as recited in claim 1, wherein the meta-protocol includes a data packet, and the data packet includes the 4-tuple.
  - 3. The system as recited in claim 1, wherein the analysis engine is configured to use the data item to detect an intrusion.
  - 4. The system as recited in claim 1, wherein the set is a null set, and the at least one sensor is configured to use a default protocol.
  - 5. The system as recited in claim 1, wherein the analysis engine is configured to specify a set of semantic codes representing data being requested by the analysis engine.
  - 6. The system as recited in claim 5, the at least one sensor is configured to supply data associated with the semantic codes, and wherein the at least one sensor further supplies data not associated with the semantic codes.
  - 7. The system as recited in claim 6, wherein the analysis engine is configured to disregard the data not associated with the semantic codes.
  - 8. The system as recited in claim 5, wherein the set of semantic codes is a null set, and the at least one sensor is configured to use a default set of semantic codes.
  - 9. The system as recited in claim 1, wherein the analysis engine is located on a first host and an instance of the at least one sensor is located on a second host apart from the first host.
  - 10. The system as recited in claim 9, comprising a second instance of the at least one sensor, wherein the second instance is located on a host apart from the second host.
  - 11. The system as recited in claim 1, wherein the at least one sensor includes a sensor collect or in communication with the analysis engine.
  - 12. The system as recited in claim 1, further comp rising a sensor collector disposed in a communication path between the analysis engine and the at least one sensor.
  - 13. The system as recited in claim 1, further comprising a second sensor, and wherein the analysis engine is configured to load a rule set for the second sensor while the analysis engine is in operation.
  - 14. The system as recited in claim 13, wherein the rule set is configured to specify interactions of data from the second sensor with data from the at least one sensor.
  - 15. The system as recited in claim 14, wherein the analysis engine is configured to ignore rules in the rule set that specify data not supplied by any sensor.

16. A method for detecting intrusions, comprising the steps of:
- providing an analysis engine;
  
  providing at least one sensor; and
  
  defining a meta-protocol including a 4-tuple for communication between the analysis engine and the at least one sensor;
  
  wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
  
  wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
  
  wherein each of the plurality of meta-protocols includes a said 4-tuple;
  
  wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
  
  wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.

17. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
- providing an analysis engine, providing at least one sensor; and
  
  defining a meta-protocol including a 4-tuple for communication between the analysis engine and the at least one sensor;
  
  wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
  
  wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
  
  wherein each of the plurality of meta-protocols includes a said 4-tuple;
  
  wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
  
  wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Moise, Emmanuel
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/651,303
Time in Patent Office

2,120 Days
Field of Search

713/201
US Class Current

726/5
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1425 Traffic logging, e.g. anoma...

Extensible intrusion detection system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

193 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible intrusion detection system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links