Extensible intrusion detection system
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
17 Claims
1. A system for detecting intrusions, comprising:
an analysis engine; and
at least one sensor, configured to communicate with the analysis engine using at least one meta-protocol under which a 4-tuple is used to represent a data item to be sent to the analysis engine for analysis;
wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
wherein each of the plurality of meta-protocols includes a said 4-tuple;
wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.
16. A method for detecting intrusions, comprising the steps of:
providing an analysis engine;
providing at least one sensor; and
defining a meta-protocol including a 4-tuple for communication between the analysis engine and the at least one sensor;
wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
wherein each of the plurality of meta-protocols includes a said 4-tuple;
wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.
17. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
providing an analysis engine; providing at least one sensor; and
defining a meta-protocol including a 4-tuple for communication between the analysis engine and the at least one sensor;
wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item and represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor;
wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols;
wherein each of the plurality of meta-protocols includes a said 4-tuple;
wherein the analysis engine is configured to invoke the at least one sensor and specify a set of meta-protocols supported by the analysis engine, and wherein the at least one sensor is configured to select a meta-protocol from the set;
wherein the analysis engine is configured to load a rule set while the analysis engine is in operation.
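As an added illustration (not the patent's own code, which this page does not include), the following Python sketch models the claimed meta-protocol: each data item is serialized as the (semantic type, data type, size, value) 4-tuple in a fixed byte layout, the sensor selects a meta-protocol from the set the engine offers, and the engine's rule set can be replaced while it is running. The code tables, type names and rule format are assumptions made for this example.

```python
import struct
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed code tables for this example (assumptions, not values from the patent).
SEMANTIC = {1: "file.path", 2: "file.atime", 3: "process.pid"}
DATA_TYPES = {1: ("u32", "!I"), 2: ("u64", "!Q"), 3: ("utf8", None)}
DT_CODE = {name: code for code, (name, _) in DATA_TYPES.items()}

def encode_item(semantic: int, dtype: str, value) -> bytes:
    """Serialize one data item as the 4-tuple (semantic type, data type, size, value).
    Network byte order plus an explicit size field hide the sensor platform's layout."""
    code = DT_CODE[dtype]
    fmt = DATA_TYPES[code][1]
    payload = value.encode("utf-8") if fmt is None else struct.pack(fmt, value)
    return struct.pack("!BBH", semantic, code, len(payload)) + payload

def decode_items(buf: bytes) -> Iterator[Tuple[str, str, int, object]]:
    """Parse a stream of 4-tuples, rejecting truncated or inconsistent records."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated header")
        sem, code, size = struct.unpack_from("!BBH", buf, off)
        off += 4
        if sem not in SEMANTIC or code not in DATA_TYPES or off + size > len(buf):
            raise ValueError(f"bad record at offset {off - 4}")
        name, fmt = DATA_TYPES[code]
        if fmt is not None and struct.calcsize(fmt) != size:
            raise ValueError(f"{name} value has size {size}")
        raw = buf[off:off + size]
        off += size
        yield SEMANTIC[sem], name, size, (raw.decode("utf-8") if fmt is None else struct.unpack(fmt, raw)[0])

def select_meta_protocol(engine_offers: List[str], sensor_prefs: List[str]) -> str:
    """The engine names the meta-protocols it supports; the sensor picks one it also speaks."""
    for mp in sensor_prefs:
        if mp in engine_offers:
            return mp
    raise ValueError("no common meta-protocol")

class AnalysisEngine:
    """Minimal engine whose rule set can be replaced while it is in operation."""
    def __init__(self) -> None:
        self.rules: Dict[str, Callable[[object], bool]] = {}
    def load_rules(self, rules: Dict[str, Callable[[object], bool]]) -> None:
        self.rules = dict(rules)  # hot-load: no restart, the next analyze() uses the new set
    def analyze(self, buf: bytes) -> List[str]:
        return [f"{sem}={val}" for sem, _, _, val in decode_items(buf)
                if sem in self.rules and self.rules[sem](val)]
```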