System and method for using timestamps to detect attacks
First Claim
1. A system for detecting intrusions on a host, comprising:
a) a sensor for collecting information including events and timestamps from a logfile; and
b) an analysis engine configured to identify a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry, determine that the backward time step is associated with an event, and assign a suspicion value to the event based at least in part on the backward time step.
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
14 Claims
1. A system for detecting intrusions on a host, comprising:
a) a sensor for collecting information including events and timestamps from a logfile; and
b) an analysis engine configured to identify a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry, determine that the backward time step is associated with an event, and assign a suspicion value to the event based at least in part on the backward time step.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A method for detecting intrusions on a host, comprising the steps of:
a) collecting information including events and timestamps from a logfile;
b) identifying a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry;
c) determining that the backward time step is associated with an event; and
d) assigning a suspicion value to the event based at least in part on the backward time step.

14. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
a) collecting information including events and timestamps from a logfile;
b) identifying a backward time step in the logfile by identifying a first entry for which an associated first log entry time is earlier in time than a second log entry time associated with a second log entry entered in the logfile prior to the first entry;
c) determining that the backward time step is associated with an event; and
d) assigning a suspicion value to the event based at least in part on the backward time step.
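The steps claimed above (collect timestamped events, find an entry whose time is earlier than the entry written before it, tie that step to an event, score it) can be shown end to end on a small log. The following Python is an added illustration written for this page, not the patent's own implementation or any product's code. The ISO-8601 line format, the two scoring functions, the one-hour forward-gap threshold and the sample log lines are all assumptions made here; it also reports large forward jumps, which the abstract mentions but the claims do not.

```python
"""Detect backward (and large forward) time steps in an append-only log.

Added example, not the patent's own implementation. The log format, the
scoring rules and the sample lines below are assumptions made here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed line format: ISO-8601 timestamp, whitespace, free-text event.
LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<event>.*)$")

BACKWARD_FLOOR = 0.2              # any backward step is at least this suspicious (assumed)
FORWARD_GAP = timedelta(hours=1)  # forward jumps longer than this are reported (assumed)


@dataclass
class Entry:
    line_no: int
    ts: datetime
    event: str


@dataclass
class Finding:
    line_no: int      # line at which the step is observed
    event: str        # event the step is associated with
    kind: str         # "backward" or "forward"
    delta: timedelta  # magnitude of the step
    suspicion: float  # 0.0 .. 1.0
    previous: str     # event logged immediately before the step


def parse_log(text: str) -> list[Entry]:
    """Sensor side: collect (timestamp, event) pairs; lines that do not parse are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(raw)
        if m:
            entries.append(Entry(n, datetime.fromisoformat(m["ts"]), m["event"]))
    return entries


def backward_suspicion(delta: timedelta) -> float:
    """Assumed scoring: grows linearly with the size of the step and saturates at one hour.
    A step of a few seconds (clock slew) still gets the floor value, because an
    append-only log should not move backwards at all."""
    return max(BACKWARD_FLOOR, min(1.0, delta.total_seconds() / 3600.0))


def forward_suspicion(delta: timedelta) -> float:
    """Assumed scoring: a long silence may mean logging was stopped; capped at 0.5."""
    return min(0.5, delta.total_seconds() / 86400.0)


def find_time_steps(entries: list[Entry]) -> list[Finding]:
    """Analysis side: compare each entry's time with the entry written before it.
    Equal timestamps are not a backward step; the comparison is strictly earlier."""
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        if cur.ts < prev.ts:                      # strictly earlier => backward step
            delta = prev.ts - cur.ts
            findings.append(Finding(cur.line_no, cur.event, "backward", delta,
                                    backward_suspicion(delta), prev.event))
        elif cur.ts - prev.ts > FORWARD_GAP:      # unusually long forward jump
            delta = cur.ts - prev.ts
            findings.append(Finding(cur.line_no, cur.event, "forward", delta,
                                    forward_suspicion(delta), prev.event))
    return findings


# Constructed sample log (not real data): lines 4 and 7 step backwards, line 6 jumps forward.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd: session opened for user alice
2024-03-01T10:00:05 sudo: alice : COMMAND=/bin/ls
2024-03-01T10:00:05 cron: job started
2024-03-01T08:30:00 useradd: new user 'svc' added
2024-03-01T08:30:02 sshd: session closed for user alice
2024-03-01T14:00:00 cron: job started
2024-03-01T13:59:58 ntpd: clock stepped back 2 s
"""


def analyse(text: str = SAMPLE_LOG) -> list[Finding]:
    """Run sensor and analysis over one log text and return the scored findings."""
    return find_time_steps(parse_log(text))


if __name__ == "__main__":
    for f in analyse():
        print(f"line {f.line_no}: {f.kind} step of {f.delta} (suspicion {f.suspicion:.2f}) "
              f"at '{f.event}', previous entry '{f.previous}'")
```

On the sample log the detector reports three findings: a backward step of 1h30m05s at line 4 (suspicion 1.0), a forward gap of 5h29m58s at line 6 (low suspicion), and a 2-second backward step at line 7 that only gets the floor value. Each finding carries both the entry at which the step is seen and the entry logged just before it, since on a real host the event that caused a clock change is usually the earlier one.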
Specification