
Method and device for detecting computer intrusion

  • US 7,797,744 B2
  • Filed: 06/17/2003
  • Issued: 09/14/2010
  • Est. Priority Date: 06/17/2002
  • Status: Expired due to Fees

1. A method for computer intrusion detection on a computer system including a target server accessible by a client and administered by a system administrator capable of authorizing attempts to execute software on the target server, a client and a monitoring server coupled to the target server, the method comprising steps of:

  • running on the target server a monitored latent software performing a latent software function upon successful completion of authorization by the monitoring server;

  • creating, via the system administrator, an authorization on the monitoring server prior to an attempt to execute the monitored latent software, wherein the authorization comprises an authorized client and a time interval;

  • receiving the attempt to execute the monitored latent software on the target server from the client, wherein said client is located remotely from said target server and said monitored latent software is monitored by the monitoring server that is physically separated from the target server and the client;

  • sending a query from the target server to the monitoring server to receive authorization to execute the monitored latent software;

  • after sending the query, suspending execution of the monitored latent software until a response is received by the target server from the monitoring server;

  • determining by the monitoring server whether the client is authorized to execute the monitored latent software by determining that the client is the authorized client and the attempt occurs during the time interval in the authorization; and

  • sending a message to the system administrator indicating detection of an intrusion when the attempt to execute the monitored latent software is not authorized, wherein the monitored latent software includes an implementing subroutine for performing the latent software function and a nested authorization subroutine for determining if the attempt to access the monitored latent software is authorized, wherein the implementing subroutine is resident entirely on the target server and the authorization subroutine includes a portion resident on the target server and a portion resident on the monitoring server.
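The authorization flow recited in claim 1, sketched as an added example (not code from the patent or its assignee): a monitoring server holds administrator-created grants of an authorized client plus a time interval, and the target-server wrapper blocks on its answer before running the implementing subroutine. The class and function names, the software and client names, the in-process call standing in for the network query, and the refuse-on-error behaviour are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Authorization:
    client: str        # the authorized client
    start: datetime    # time interval, inclusive at both ends
    end: datetime

@dataclass
class MonitoringServer:
    grants: dict = field(default_factory=dict)   # software name -> [Authorization]
    alerts: list = field(default_factory=list)   # messages for the administrator

    def authorize(self, software, client, start, end):
        """Administrator creates the authorization before any attempt."""
        self.grants.setdefault(software, []).append(Authorization(client, start, end))

    def query(self, software, client, when):
        """Permit only the authorized client, and only inside the interval."""
        ok = any(a.client == client and a.start <= when <= a.end
                 for a in self.grants.get(software, []))
        if not ok:  # unauthorized attempt: report a possible intrusion
            self.alerts.append(f"unauthorized attempt: {client} -> {software} "
                               f"at {when.isoformat()}")
        return ok

def run_monitored(monitor, software, client, when, implementing_subroutine):
    """Target-server portion: wait for the monitor's answer, then run or refuse."""
    try:
        permitted = monitor.query(software, client, when)  # execution waits here
    except Exception:
        permitted = False  # assumption: no usable answer means refuse
    return implementing_subroutine() if permitted else None

def demo():
    t0 = datetime(2003, 6, 17, 9, 0)               # constructed sample time
    mon = MonitoringServer()
    mon.authorize("reset-passwords", "admin-ws-01", t0, t0 + timedelta(hours=1))
    task = lambda: "done"                          # stands in for the latent function
    half = t0 + timedelta(minutes=30)
    results = [
        run_monitored(mon, "reset-passwords", "admin-ws-01", half, task),  # allowed
        run_monitored(mon, "reset-passwords", "unknown-host", half, task), # wrong client
        run_monitored(mon, "reset-passwords", "admin-ws-01",
                      t0 + timedelta(hours=2), task),                      # too late
        run_monitored(mon, "format-disk", "admin-ws-01", t0, task),        # no grant
    ]
    return results, mon.alerts

if __name__ == "__main__":
    print(demo())
```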
