System and method for using timestamps to detect attacks

US 7,203,962 B1
Filed: 08/30/2000
Issued: 04/10/2007
Est. Priority Date: 08/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting intrusions on a host, comprising:

a) a sensor for collecting information including events and timestamps from a logfile; and

b) an analysis engine configured to identify a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry, determine that the backward time step is associated with an event, and assign a suspicion value to the event based at least in part on the backward time step.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

134 Citations

14 Claims

1. A system for detecting intrusions on a host, comprising:
- a) a sensor for collecting information including events and timestamps from a logfile; and
  
  b) an analysis engine configured to identify a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry, determine that the backward time step is associated with an event, and assign a suspicion value to the event based at least in part on the backward time step.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system as recited in claim 1, wherein the analysis engine is configured to identify a time step as forward if a timestamp of an entry in the logfile is later than an preceding entry in the logfile, and identify a time step as backward if a timestamp of an entry in the logfile is earlier than an preceding entry in the logfile.
  - 3. The system as recited in claim 1, wherein the analysis engine is further configured to use expected activity level in a directory to determine the suspicion value.
  - 4. The system as recited in claim 1, further comprising a second sensor for collecting information including events and timestamps from a second logfile.
  - 5. The system as recited in claim 4, wherein the analysis engine is configured to correlate a time step in the logfile with an event in the second logfile.
  - 6. The system as recited in claim 1, wherein the analysis engine is further configured to filter out expected time steps from further analysis.
  - 7. The system as recited in claim 6, wherein the analysis engine is configured to filter out expected backward time steps by correlating them to Network Time Protocol adjustments.
  - 8. The system as recited in claim 6, wherein the analysis engine is further configured to compute an expected time drift resulting from a Network Time Protocol adjustment, and compare a forward time step in the logfile with the expected time drift.
  - 9. The system as recited in claim 8, wherein the analysis engine is further configured to compute a standard deviation of the expected time drift.
  - 10. The system as recited in claim 9, wherein the analysis engine is further configured to label time steps with weighted distributions.
  - 11. The system as recited in claim 1, further comprising a user interface, and wherein the analysis engine is configured, upon correlating a time step to a record of an event in a logfile, to present the record to a user for labeling as to suspicion value.
  - 12. The system as recited in claim 11, wherein the analysis engine is further configured to propagate the suspicion value to related events.

13. A method for detecting intrusions on a host, comprising the steps of:
- a) collecting information including events and timestamps from a logfile;
  
  b) identifying a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry;
  
  c) determining that the backward time step is associated with an event; and
  
  d) assigning a suspicion value to the event based at least in part on the backward time step.

14. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
- a) collecting information including events and timestamps from a logfile;
  
  b) identifying a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry;
  
  c) determining that the backward time step is associated with an event; and
  
  d) assigning a suspicion value to the event based at least in part on the backward time step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US09/654,347
Time in Patent Office

2,414 Days
Field of Search

713/201, 713/502
US Class Current

726/23
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for using timestamps to detect attacks

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using timestamps to detect attacks

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links