Integrated intrusion detection services
Abstract
Improvements in intrusion detection are disclosed by providing integrated intrusion detection services. Preferably, these services are integrated into a system or server that is the potential target of attack. Stack-based security processing is leveraged for access to cleartext data within the layers of the protocol stack. Layer-specific attacks may therefore be processed efficiently. Evaluation of incoming traffic for an intrusion is preferably performed only after an error condition of some type has been detected. This approach reduces the overhead of intrusion detection by reducing the number of packets to be inspected, and at the same time allows more efficient packet inspection through use of context-specific information that may be used to direct the inspection to particular candidate attacks. Generic attack class capability is also disclosed. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.
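The error-triggered evaluation the abstract describes, as an added user-space C sketch that is not code from the patent: the stack's own validation raises an error, and only then does the intrusion detection hook run, using the error class to select the policy rule and comparing a per-source error count to a predetermined threshold. All names, the two error classes, the thresholds and the actions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed, simplified names: none of these come from the patent text. */
enum stack_err { ERR_NONE, ERR_BAD_CHECKSUM, ERR_FRAG_OVERSIZE, ERR_CLASSES };
enum action    { ACT_NONE, ACT_LOG, ACT_DROP_SOURCE };

struct pkt { uint32_t src; uint32_t frag_off, frag_len; int checksum_ok; };

/* Policy: the predetermined condition (error count per source) and the response. */
struct rule { enum stack_err trigger; unsigned threshold; enum action act; };
static const struct rule policy[] = {
    { ERR_FRAG_OVERSIZE, 1, ACT_DROP_SOURCE },  /* assumed: a single occurrence suffices */
    { ERR_BAD_CHECKSUM,  3, ACT_LOG },          /* assumed: isolated corruption is noise */
};

#define SLOTS 64
static struct { uint32_t src; unsigned n[ERR_CLASSES]; } seen[SLOTS];
static unsigned long evaluations;  /* how often the IDS code actually ran */

/* IDS hook: called only from the error path; the error class selects the rules. */
static enum action ids_evaluate(enum stack_err err, const struct pkt *p) {
    unsigned slot = p->src % SLOTS;
    evaluations++;
    if (seen[slot].src != p->src) {            /* collision: recycle the slot (toy table) */
        seen[slot].src = p->src;
        for (int e = 0; e < ERR_CLASSES; e++) seen[slot].n[e] = 0;
    }
    unsigned count = ++seen[slot].n[err];
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].trigger == err && count >= policy[i].threshold)
            return policy[i].act;
    return ACT_NONE;
}

/* Error-handling logic the protocol stack needs regardless of intrusion detection. */
static enum stack_err stack_validate(const struct pkt *p) {
    if (!p->checksum_ok) return ERR_BAD_CHECKSUM;
    if ((uint64_t)p->frag_off + p->frag_len > 65535u) return ERR_FRAG_OVERSIZE;
    return ERR_NONE;
}

/* Receive path: a packet that passes validation never reaches the IDS code. */
enum action stack_receive(const struct pkt *p) {
    enum stack_err err = stack_validate(p);
    return err == ERR_NONE ? ACT_NONE : ids_evaluate(err, p);
}
unsigned long ids_evaluations(void) { return evaluations; }
```

The evaluation counter makes the overhead argument visible: it advances only for packets the stack already rejected, so clean traffic costs nothing extra.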
19 Claims
1. A method of improving intrusion detection in a computing network, comprising:
- providing intrusion detection processing in an operating system kernel;
- providing an application program which makes use of the operating system kernel during execution;
- executing the application program; and
- selectively evaluating at least one incoming communication of the executing application program for an intrusion using the provided intrusion detection processing in the operating system kernel, wherein the selectively evaluating is carried out in response to identification of errors by error-handling logic of a protocol stack executed in the operating system kernel; and
- invoking a response action when the selective evaluation detects the intrusion.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system for improving intrusion detection in a computing network, comprising:
- an operating system kernel;
- an application program which makes use of the operating system kernel during execution;
- means for executing the application program;
- an embedded processor for executing a protocol stack within the operating system kernel, wherein the protocol stack is augmented to perform intrusion detection processing; and
- means for selectively evaluating at least one incoming communication of the executing application program for an intrusion using the intrusion detection processing by comparing current conditions to predetermined conditions which signal a potential intrusion in response to identification of errors by error-handling logic of a protocol stack executed in the operating system kernel.
Dependent claims: 15, 16, 19
17. A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code that is configured to execute an application program which makes use of an operating system kernel during execution;
- computer-readable program code that is configured to execute a protocol stack within the operating system kernel, wherein the protocol stack is augmented to perform intrusion detection processing; and
- computer-readable program code that is configured to selectively evaluate at least one incoming communication of the executing application program for an intrusion using the intrusion detection processing by comparing current condition to predetermined conditions which signal a potential intrusion in response to identification of errors by error-handling logic of the protocol stack executed by the operating system kernel.
Dependent claims: 18
Specification