Intrusion detection

US 7,565,690 B2
Filed: 10/17/2003
Issued: 07/21/2009
Est. Priority Date: 08/04/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting intrusion in a host via a monitoring daemon operating in conjunction with a configuration file defining data entities to be monitored, the method comprising:

monitoring data entities by comparing a locally stored copy of a digital signature associated with each data entity against a corresponding digital signature stored in a first remote database; and

upon identifying a mismatch in compared digital signatures, issuing an instruction to record an entry in a log file located in a second remote database, said entry identifying a possible intrusion in a host, and issuing a command to an operating system of said host to bring said host to a single user state, wherein the command limits access to a single user and the access is physical to an interface of the host.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system daemon starts through normal system startup procedures and reads its configuration file to determine which data entities (e.g., directories and files) are to be monitored. The monitoring includes a valid MD5 signature, correct permissions, ownership of the file, and an existence of the file. If any modification are made to the data entities, then the system daemon generates an alarm (intended for the administrator of the host) that an intrusion has taken place. Once an intrusion is detected, then the isolating steps or commands are issued in a real-time continuous manner to protect the host system from attack or intrusion.

Citations

23 Claims

1. A method of detecting intrusion in a host via a monitoring daemon operating in conjunction with a configuration file defining data entities to be monitored, the method comprising:
- monitoring data entities by comparing a locally stored copy of a digital signature associated with each data entity against a corresponding digital signature stored in a first remote database; and
  
  upon identifying a mismatch in compared digital signatures, issuing an instruction to record an entry in a log file located in a second remote database, said entry identifying a possible intrusion in a host, and issuing a command to an operating system of said host to bring said host to a single user state, wherein the command limits access to a single user and the access is physical to an interface of the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising issuing a command to bring down one or more network interfaces of said host to isolate said host upon identifying the mismatch in compared digital signatures.
  - 3. The method of claim 1, wherein said first remote database and said second remote database are located on a single server or a plurality of servers belonging to a local area network.
  - 4. The method of claim 1, wherein communications between said host and said first remote database are encrypted.
  - 5. The method of claim 1, wherein communications between said host and said second remote database are encrypted.
  - 6. The method of claim 1, wherein said digital signature is an MD5 signature and said first remote database is an MD5 database.
  - 7. The method of claim 1, wherein said second remote database is a SYSLOG database.
  - 8. The method of claim 1, wherein said data entities comprise one or more of files, configuration files, and directories.

9. A system to detect intrusion comprising:
- a host running a monitoring daemon working in conjunction with a configuration file, said configuration file identifying files and directories to be monitored in said host and said host communicating with external networks via one or more network interfaces, said monitoring daemon dynamically monitoring said files and directories identified by said configuration file by comparing a locally stored digital signature corresponding to each file or directory against a remotely stored corresponding digital signature;
  
  a digital signature database remote from said host storing said digital signatures associated with files and directories identified by said configuration file; and
  
  a log database remote from said host recording entries corresponding to mismatches between a digital signature stored in said host and a corresponding digital signature in said digital signature database,wherein a mismatch identifies a possible intrusion in the host, resulting in a command being issued to an operating system of said host to bring said host to a single user state, wherein the command limits access to a single user and the access is physical to an interface of the host.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein said digital signature database and said log database are located on a single server or a plurality of servers belonging to a local area network.
  - 11. The system of claim 9, wherein communications between said host and said digital signature database are encrypted.
  - 12. The system of claim 9, wherein communications between said host and said log database are encrypted.
  - 13. The system of claim 9, wherein said digital signature is an MD5 signature and said first remote database is an MD5 database.

14. An article of manufacture comprising a computer usable medium having computer readable program code embedded therein to detect intrusion in a host via a monitoring daemon operating in conjunction with a configuration file defining data entities to be monitored, said medium comprising:
- computer readable program code comprising executable instructions to monitor data entities via comparing a locally stored copy of a digital signature associated with each data entity against a corresponding digital signature stored in a first remote database;
  
  computer readable program code comprising executable instructions to issue an instruction to record an entry in a log file located in a second remote database upon identifying a mismatch in compared digital signatures, said entry identifying a possible intrusion in a host; and
  
  computer readable program code comprising executable instructions to issue a command to an operating system of said host to bring said host to a single user state upon identifying the mismatch in compared digital signatures, wherein the command limits access to a single user and the access is physical to an interface of the host.
- View Dependent Claims (15)
- - 15. The article of manufacture of claim 14, further comprising computer readable program code comprising executable instructions to issue a command to bring down one or more network interfaces to isolate said host upon identifying the mismatch in compared digital signatures.

16. An intrusion detection and isolation method implemented using a monitoring daemon in a host, said host having one or more network interfaces to communicate over one or more networks, said method comprising:
- reading a configuration file to identify data entities to be monitored on a host;
  
  for each data entity to be monitored, extracting a digital signature from said host;
  
  for each data entity to be monitored, querying a remote digital signature database via said one or more network interfaces and requesting a digital signature corresponding to said digital signature extracted from said host;
  
  for each data entity to be monitored, receiving said corresponding digital signature from said remote digital signature database;
  
  matching digital signature received from said remote digital signature database with digital signature extracted at said host;
  
  upon identifying a mismatch, transmitting an instruction to a remote log database via said one or more network interfaces, said instruction executed in said remote log database to record an entry in a log file indicating a possible intrusion in said host; and
  
  issuing a command to an operating system of said host to bring said host to a single user state, wherein the command limits access to a single user and the access is physical to an interface of the host.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The intrusion detection and isolation method of claim 16, wherein said remote digital signature database and said remote log database are located on a single server or a plurality of servers belonging to a local area network.
  - 18. The intrusion detection and isolation method of claim 16, wherein communications between said host and said remote digital signature database are encrypted.
  - 19. The intrusion detection and isolation method of claim 16, wherein communications between said host and said remote log database are encrypted.
  - 20. The intrusion detection and isolation method of claim 16, wherein said remote digital signature database is an MD5 database.
  - 21. The intrusion detection and isolation method of claim 16, wherein said remote log database is a SYSLOG database.
  - 22. The intrusion detection and isolation method of claim 16, wherein said data entities are any of the following:
    - system files, configuration files, or directories.
  - 23. The intrusion detection and isolation method of claim 16, further comprising issuing a command to bring down said one or more network interfaces to isolate said host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Adams, Thomas Lee, Mueller, Stephen Mark, Doherty, James M.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US10/605,689
Publication Number

US 20050033984A1
Time in Patent Office

2,104 Days
Field of Search

713/170, 713/150, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2141   Access rights, e.g. capabil...

Intrusion detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links