System and methods for adaptive model generation for detecting intrusions in computer systems
First Claim
1. A system for detecting intrusions in the operation of a computer system comprising:
(a) a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format;
(b) a data warehouse configured to receive the data record from the sensor in the predetermined data format, aggregate the data, store the data in a SQL database, and to store an intrusion detection model;
(c) a detection model generator configured to request data records from the data warehouse in the predetermined data format, to generate the intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format;
(d) a detector configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model; and
(e) a data analysis engine configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Abstract
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
49 Claims
1. A system for detecting intrusions in the operation of a computer system comprising: (independent claim, reproduced in full under First Claim above)
Dependent claims: 2, 3, 4
5. A system for detecting intrusions in the operation of a computer system comprising:
(a) a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format;
(b) a data warehouse configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database;
(c) a detection model generator configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format;
(d) a detector configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model; and
(e) a data analysis engine configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records, wherein the data analysis engine is configured to label a data record as one of normal operation and an attack.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
18. A distributed system for detecting intrusions in the operation of a computer system comprising:
(a) a plurality of sensors configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format;
(b) a data warehouse configured to receive the data record from the sensor in the predetermined data format, aggregate the data, store the data in a SQL database, and to store an intrusion detection model;
(c) a plurality of detection model generators configured to request data records from the data warehouse in the predetermined data format, each detection model generator configured to generate the respective intrusion detection model based on said data records, and to transmit the respective intrusion detection model to the data warehouse according to the predetermined data format;
(d) a plurality of detectors configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on a respective intrusion detection model; and
(e) a data analysis engine configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Dependent claims: 19, 20, 21
22. A distributed system for detecting intrusions in the operation of a computer system comprising:
(a) a plurality of sensors configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format;
(b) a data warehouse configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database;
(c) a plurality of detection model generators configured to request data records from the data warehouse in the predetermined data format, each detection model generator configured to generate a respective intrusion detection model based on said data records, and to transmit the respective intrusion detection model to the data warehouse according to the predetermined data format;
(d) a plurality of detectors configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on a respective intrusion detection model; and
(e) a data analysis engine configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records, wherein the data analysis engine is configured to label a data record as one of normal operation and an attack.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
35. A method for detecting intrusions in the operation of a computer system comprising:
(a) gathering information regarding the operation of the computer system at a sensor and formatting the information into a data record having a predetermined data format;
(b) transmitting the data record in the predetermined data format to a data warehouse, aggregating the data, and storing the data in a SQL database;
(c) generating an intrusion detection model comprising requesting data records from the data warehouse according to the predetermined data format, transmitting the intrusion detection model to the data warehouse in the predetermined data format, and storing the intrusion detection model at the data warehouse;
(d) classifying a data item in real-time as one of normal operation and an attack based on the intrusion detection model comprising receiving the data records from the sensor; and
(e) requesting a data record from the data warehouse according to the predetermined data format and performing a data processing function on the data record.
Dependent claims: 36, 37, 38
39. A method for detecting intrusions in the operation of a computer system comprising:
(a) gathering information regarding the operation of the computer system at a sensor and formatting the information into a data record having a predetermined data format;
(b) transmitting the data record in the predetermined data format to a data warehouse and storing the data in a SQL database;
(c) generating an intrusion detection model comprising requesting data records from the data warehouse according to the predetermined data format and transmitting the intrusion detection model to the data warehouse in the predetermined data format;
(d) classifying a data item in real-time as one of normal operation and an attack based on the intrusion detection model comprising receiving the data records from the sensor; and
(e) requesting a data record from the data warehouse according to the predetermined data format and performing a data processing function on the data record, wherein the step of requesting data from the data warehouse comprises labeling a data record as one of normal operation and an attack.
Dependent claims: 40, 41, 42, 43, 44, 45, 46, 47, 48, 49
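As an added example (not code from the patent or its assignee), the claimed pipeline of sensor, SQL data warehouse, detection model generator, real-time detector and labelling data analysis engine, written in Python on sqlite3. The record schema, the labelling rule, the per-feature z-score model and the sample traffic are all constructed assumptions chosen to show the data flow between the five components, not any particular detection method.

```python
import json
import sqlite3
import statistics
# Predetermined record format shared by sensor, warehouse, generator and detector
# (schema, thresholds and traffic are constructed for this example; the patent fixes none of them).
FIELDS = ("ts", "host", "failed_logins", "conn_rate", "label")

def make_warehouse():
    """Data warehouse: a SQL database holding both sensor records and detection models."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (ts INT, host TEXT, failed_logins REAL, conn_rate REAL, label TEXT)")
    db.execute("CREATE TABLE models (name TEXT PRIMARY KEY, body TEXT)")
    return db

def sensor_record(ts, host, failed_logins, conn_rate):
    """Sensor: format raw observations into the predetermined record (label not yet known)."""
    return dict(zip(FIELDS, (ts, host, failed_logins, conn_rate, None)))

def store(db, rec): db.execute("INSERT INTO records VALUES (?, ?, ?, ?, ?)", tuple(rec[f] for f in FIELDS))

def analysis_engine_label(db, max_failed=3):
    """Data analysis engine: label warehoused records as normal or attack (a simple rule here)."""
    db.execute("UPDATE records SET label = CASE WHEN failed_logins > ? THEN 'attack' ELSE 'normal' END", (max_failed,))

def generate_model(db, name="baseline"):
    """Model generator: request normal records, fit per-feature mean/stdev, store the model back."""
    rows = db.execute("SELECT failed_logins, conn_rate FROM records WHERE label = 'normal'").fetchall()
    model = {}
    for i, feat in enumerate(("failed_logins", "conn_rate")):
        col = [r[i] for r in rows]
        model[feat] = (statistics.mean(col), statistics.pstdev(col) or 1.0)  # guard zero spread
    db.execute("INSERT OR REPLACE INTO models VALUES (?, ?)", (name, json.dumps(model)))

def load_model(db, name="baseline"):
    return json.loads(db.execute("SELECT body FROM models WHERE name = ?", (name,)).fetchone()[0])

def detect(rec, model, z_max=3.0):
    """Detector: classify one record straight from the sensor, no warehouse round trip."""
    return "attack" if any(abs(rec[f] - mu) / sd > z_max for f, (mu, sd) in model.items()) else "normal"

def demo():
    db = make_warehouse()
    for t in range(20):                                  # constructed quiet traffic
        store(db, sensor_record(t, "web01", t % 2, 10 + t % 3))
    for t, n in ((20, 40), (21, 55)):                    # constructed failed-login bursts
        store(db, sensor_record(t, "web01", n, 11))
    analysis_engine_label(db)
    generate_model(db)
    model = load_model(db)
    return detect(sensor_record(22, "web01", 1, 11), model), detect(sensor_record(23, "web01", 30, 11), model)
```

Running `demo()` trains on the warehoused traffic and then classifies two fresh sensor records against the model fetched from the warehouse.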