System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
DC CAFCFirst Claim
1. A method for detecting intrusions in the operation of a computer system comprising:
- (a) gathering features from records of normal processes that access the operating system registry;
(b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and
(c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly.
2 Assignments
Litigations
2 Petitions
Accused Products
Abstract
A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.
433 Citations
28 Claims
-
1. A method for detecting intrusions in the operation of a computer system comprising:
-
(a) gathering features from records of normal processes that access the operating system registry; (b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and (c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A system for detecting intrusions in the operation of a computer system comprising:
-
(a) an operting system registry; (b) a registry auditing module configured to gather records regarding processes that access the operating system registry; (c) a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the operating system registry and that are indicative of normal computer system usage and to determine the likelihood of observing a process that was not observed in the records of the plurality of processes that access the operating system registry and that are indicative of normal computer usage; and (d) a model comparator configured to receive the probabilistic model of normal computer system usage and to receive records regarding processes that access the operating system registry and to detect deviations from normal computer system usage to determine whether the access of the operating system registry is an anomaly. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
Specification