Computer intrusion detection system and method based on application monitoring

US 7,181,768 B1
Filed: 10/30/2000
Issued: 02/20/2007
Est. Priority Date: 10/28/1999
Status: Active Grant

First Claim

Patent Images

1. A detection system for detecting intrusive behavior in a session on a computer during an application monitoring phase, said session comprising a plurality of applications invoked on said computer, and said computer having a computer operating system, said detection system comprising:

(a) a plurality of trained neural networks, wherein each trained neural network has previously been trained during a training phase to identify a pre-determined behavior pattern for a corresponding one of the plurality of applications, and wherein each trained neural network is selected for use in the application monitoring phase based upon performance during a testing phase and based upon a machine learning algorithm, wherein the machine learning algorithm employs a string distance metric, other than string matching, for preprocessing its inputs during learning, wherein a string is defined as a sequence of symbols and the string distance metric is based on at least one of events common to two strings and the difference in positions of common events, and the string distance metric is used to measure the distance from an input string to each of several exemplar strings;

(b) a plurality of application profiles, wherein each application profile comprises a plurality of application data for a corresponding one of the plurality of applications, wherein said application data is collected during the session;

(c) a temporal locality identifier, wherein when one of the plurality of application profiles is sequentially input to a corresponding one of the plurality of trained neural networks the trained neural network outputs a behavior indicator for each of the plurality of data strings in the application profile; and

wherein if the behavior indicator meets a pre-determined criteria, a counter is incremented, and wherein if the counter has a high rate of increase the temporal locality identifier labels the application behavior intrusive, and wherein if a predetermined percentage of application behaviors are intrusive the session behavior is labeled intrusive.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system (IDS) that uses application monitors for detecting application-based attacks against computer systems. The IDS implements application monitors in the form of a software program to learn and monitor the behavior of system programs in order to detect attacks against computer hosts. The application monitors implement machine learning algorithms to provide a mechanism for learning from previously observed behavior in order to recognize future attacks that it has not seen before. The application monitors include temporal locality algorithms to increased the accuracy of the IDS. The IDS of the present invention may comprise a string-matching program, a neural network, or a time series prediction algorithm for learning normal application behavior and for detecting anomalies.

201 Citations

24 Claims

1. A detection system for detecting intrusive behavior in a session on a computer during an application monitoring phase, said session comprising a plurality of applications invoked on said computer, and said computer having a computer operating system, said detection system comprising:
- (a) a plurality of trained neural networks, wherein each trained neural network has previously been trained during a training phase to identify a pre-determined behavior pattern for a corresponding one of the plurality of applications, and wherein each trained neural network is selected for use in the application monitoring phase based upon performance during a testing phase and based upon a machine learning algorithm, wherein the machine learning algorithm employs a string distance metric, other than string matching, for preprocessing its inputs during learning, wherein a string is defined as a sequence of symbols and the string distance metric is based on at least one of events common to two strings and the difference in positions of common events, and the string distance metric is used to measure the distance from an input string to each of several exemplar strings;
  
  (b) a plurality of application profiles, wherein each application profile comprises a plurality of application data for a corresponding one of the plurality of applications, wherein said application data is collected during the session;
  
  (c) a temporal locality identifier, wherein when one of the plurality of application profiles is sequentially input to a corresponding one of the plurality of trained neural networks the trained neural network outputs a behavior indicator for each of the plurality of data strings in the application profile; and
  
  wherein if the behavior indicator meets a pre-determined criteria, a counter is incremented, and wherein if the counter has a high rate of increase the temporal locality identifier labels the application behavior intrusive, and wherein if a predetermined percentage of application behaviors are intrusive the session behavior is labeled intrusive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The detection system of claim 1, wherein the pre-determined behavior pattern comprises a non-intrusive behavior.
  - 3. The detection system of claim 1, wherein the application data comprises a distance between a sequential mapping of system calls made by a corresponding one of the plurality of applications and a pre-defined string of system calls.
  - 4. The detection system of claim 1, wherein the application data comprises a distance between a sequential mapping of object requests made by a corresponding one of the plurality of applications and a pre-defined string of object requests.
  - 5. The detection system of claim 1, wherein the plurality of application profiles is created by a data pre-processor application.
  - 6. The detection system of claim 5, wherein the data pre-processor receives input from an auditing system integral to the computer operating system.
  - 7. The detection system of claim 5, wherein the data pre-processor creates the plurality of second application profiles in real-time.
  - 8. The detection system of claim 5, wherein the plurality of trained neural networks receive input from the plurality of application profiles in real-time.
  - 9. The detection system of claim 1, wherein the plurality of trained neural networks comprises a plurality of backpropogation neural networks.
  - 10. The detection system of claim 9, wherein each backpropogation neural network in the plurality of backpropogation neural networks comprises an input layer, a hidden layer and an output layer.
  - 11. The detection system of claim 10, wherein a number of nodes in the hidden layer is determined by testing a plurality of cases for each backpropogation neural network in the plurality of backpropogation neural networks and selecting the backpropogation neural network having a highest accuracy rate during the testing phase for use in application monitoring.
  - 12. The detection system of claim 1, wherein the plurality of trained neural networks comprises a plurality of recurrent neural networks.

13. A method for detecting intrusive behavior in a session on a computer during an application monitoring phase, said session comprising a plurality of applications invoked on said computer, and said computer having a computer operating system, said method comprising the steps of:
- (a) training a plurality of neural networks during a training phase, wherein each neural network is trained to identify a pre-determined behavior pattern for a corresponding one of the plurality of applications;
  
  (b) selecting for use one or more trained neural networks based upon performance during a testing phase and based upon a machine learning algorithm, wherein the machine learning algorithm employs a string distance metric, other than string matching, for preprocessing its inputs during learning, wherein a string is defined as a sequence of symbols and the string distance metric is based on at least one of events common to two strings and the difference in positions of common events, and the string distance metric is used to measure the distance from an input string to each of several exemplar strings;
  
  (c) creating a plurality of application profiles, wherein each application profile comprises a plurality of application data for a corresponding one of the plurality of applications, wherein said application data is collected during the session;
  
  (d) performing a temporal locality identifying algorithm, wherein when one of the plurality of application profiles is sequentially input to a corresponding one of the plurality of trained neural networks the trained neural network outputs a behavior indicator for each of the plurality of data strings in the application profile, and wherein if the behavior indicator meets a pre-determined criteria, a counter is incremented, and wherein if the counter has a high rate of increase the temporal locality identifier labels the application behavior intrusive, and wherein if a predetermined percentage of application behaviors are intrusive the session behavior is labeled intrusive.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein the pre-determined behavior pattern comprises a non-intrusive behavior.
  - 15. The method of claim 13, wherein the application data comprises a distance between a sequential mapping of system calls made by a corresponding one of the plurality of applications and a pre-defined string of system calls.
  - 16. The method of claim 13, wherein the application data comprises a distance between a sequential mapping of object requests made by a corresponding one of the plurality of applications and a pre-defined string of object requests.
  - 17. The method of claim 13, wherein the plurality of application profiles is created by a data pre-processor application.
  - 18. The method of claim 17, wherein the data pre-processor receives input from an auditing system integral to the computer operating system.
  - 19. The method of claim 17, wherein the data pre-processor creates the plurality of second application profiles in real-time.
  - 20. The method of claim 17, wherein the plurality of trained neural networks receive input from the plurality of application profiles in real-time.
  - 21. The method of claim 13, wherein the plurality of trained neural networks comprises a plurality of backpropogation neural networks.
  - 22. The method of claim 13, wherein each backpropogation neural network in the plurality of backpropogation neural networks comprises an input layer, a hidden layer and an output layer.
  - 23. The method of claim 22, wherein a number of nodes in the hidden layer is determined by testing a plurality of cases for each backpropogation neural network in the plurality of backpropogation neural networks and selecting the case wherein the corresponding neural network has a highest accuracy rate.
  - 24. The method of claim 13, wherein the plurality of trained neural networks comprises a plurality of recurrent neural networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synopsys Incorporated
Original Assignee
Cigital
Inventors
Ghosh, Anup K., Michael, Christoph C., Schatz, Michael, Schwartzbard, Aaron
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Tran; Ellen C.

Application Number

US09/698,159
Time in Patent Office

2,304 Days
Field of Search

709/224, 713/200, 713/201, 714/57, 726/23, 706/15, 706/21, 706/23
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 3/06   Physical realisation, i.e. ...

H04L 63/1408   by monitoring network traff...

Computer intrusion detection system and method based on application monitoring

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

201 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Computer intrusion detection system and method based on application monitoring

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links