System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses

DC CAFC

US 7,448,084 B1
Filed: 01/27/2003
Issued: 11/04/2008
Est. Priority Date: 01/25/2002
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A method for detecting intrusions in the operation of a computer system comprising:

(a) gathering features from records of normal processes that access the operating system registry;

(b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and

(c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

433 Citations

28 Claims

1. A method for detecting intrusions in the operation of a computer system comprising:
- (a) gathering features from records of normal processes that access the operating system registry;
  
  (b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and
  
  (c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further comprising storing the probabilistic model of normal computer usage on the operating system registry.
  - 3. The method according to claim 1, wherein gathering features from records of normal processes that access the operating system comprises gathering a feature corresponding to a name of a process accessing the operating system registry.
  - 4. The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a type of query being sent to the operating system registry.
  - 5. The method according to claim 4, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to an outcome of a query being sent to the operating system registry.
  - 6. The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a name of a key being accessed in the operating system registry.
  - 7. The method according to claim 6, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a value of the key being accessed.
  - 8. The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering two features selected from the group of features consisting of a name of a process accessing the operating system registry, a type of query being sent to the operating system registry, an outcome of a query being sent to the operating system registry, a name of a key being accessed in the operating system registry, and a value of the key being accessed.
  - 9. The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the operating system registry.
  - 10. The method according to claim 9, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the operating system registry given an occurrence of a second feature in the records.
  - 11. The method according to claim 1, wherein analyzing a record of a process that accesses the operating system registry comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature.
  - 12. The method according to claim 11, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature.
  - 13. The method according to claim 12, further comprising, if the score is greater than a predetermined threshold, labeling the access to the operating system registry as anomalous and labeling the process that accessed the operating system registry as malicious.

14. A system for detecting intrusions in the operation of a computer system comprising:
- (a) an operting system registry;
  
  (b) a registry auditing module configured to gather records regarding processes that access the operating system registry;
  
  (c) a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the operating system registry and that are indicative of normal computer system usage and to determine the likelihood of observing a process that was not observed in the records of the plurality of processes that access the operating system registry and that are indicative of normal computer usage; and
  
  (d) a model comparator configured to receive the probabilistic model of normal computer system usage and to receive records regarding processes that access the operating system registry and to detect deviations from normal computer system usage to determine whether the access of the operating system registry is an anomaly.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 15. The system according to claim 14, wherein the probabilistic model of normal computer usage is stored in the operating system registry.
  - 16. The system according to claim 14, further comprising a database configured to receive records regarding processes that access the operating system registry from the registry auditing module.
  - 17. The system according to claim 14, wherein the model generator is configured to receive the records regarding processes that access the operating system registry from the database.
  - 18. The system according to claim 14, wherein the records regarding processes that access the operating system registry comprise a feature of the access to the operating system registry.
  - 19. The system according to claim 18, wherein the feature corresponds to a name of a process accessing the operating system registry.
  - 20. The system according to claim 18, wherein the feature corresponds to a type of query being sent to the operating system registry.
  - 21. The system according to claim 18, wherein the feature corresponds to an outcome of a query being sent to the operating system registry.
  - 22. The system according to claim 18, wherein the feature corresponds to a name of a key being accessed in the operating system registry.
  - 23. The system according to claim 18, wherein the feature corresponds to a value of the key being accessed.
  - 24. The system according to claim 18, wherein the features corresponds to a combination of two features selected from the group of features consisting of a name of a process accessing the operating system registry, a type of query being sent to the operating system registry, an outcome of a query being sent to the operating system registry, a name of a key being accessed in the operating system registry, and a value of the key being accessed.
  - 25. The system according to claim 14, wherein the model generator is configured to determine a likelihood of observing a feature in the records regarding processes that access the operating system registry.
  - 26. The system according to claim 25, wherein the model generator is configured to determine a conditional probability of observing a first feature in records regarding processes that access the operating system registry given an occurrence of a second feature is the record.
  - 27. The system according to claim 25, wherein the model comparator determines a score based on the likelihood of observing a feature in a record regarding a process that accesses the operating system registry.
  - 28. The system according to claim 25, wherein the model comparator is configured to determine an access to the operating system registry is anomalous based on whether the score exceeds a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Apap, Frank, Honig, Andrew, Shlomo, Hershkop, Eskin, Eleazar
Primary Examiner(s)
Revak, Christopher A

Application Number

US10/352,343
Time in Patent Office

2,108 Days
Field of Search

726/23, 726/22, 726/4
US Class Current

726/24
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses

First Claim

2 Assignments

Litigations

2 Petitions

Accused Products

Abstract

433 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

433 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links