Method and device for detecting computer network intrusions
First Claim
1. A method for computer network intrusion detection on a computer network including a target server accessible by a client on the network and administered by a system administrator capable of authorizing attempts to execute software on the target server, a client on the network and a monitoring server coupled to the target server, the method comprising:
running on the target server a monitored latent software performing a latent software function upon successful completion, wherein the running monitored latent software comprises running a monitored command implemented using a wrapper for a system command on the target server and altering a file system of the target server to load the wrapper in a former location of the system command and relocating the system command to another location;
receiving an attempt by the client to execute said monitored latent software on the target server while the client is connected to the target server, wherein said client is located remotely from said target server and said monitored latent software is monitored by the monitoring server that is physically separated from the target server and the client;
determining at the monitoring server whether the client is an authorized client that is authorized to execute the monitored latent software prior to successful completion of the monitored latent software;
successfully completing execution of the monitored latent software on the target server when the attempt to execute the monitored latent software is by said authorized client;
sending a message to the system administrator when the attempt to execute the monitored latent software is not by an authorized client; and
aborting the execution of the monitored latent software prior to successful completion when the attempt to execute the monitored latent software is not by an authorized client.
Abstract
A method and device for detecting intrusion on a network utilizes a target server running software that is executed for a network client only upon receiving authorization from a monitoring server to execute the software. When an attempt by a client to execute software on the target server is not authorized, the monitoring server notifies the system administrator of the unauthorized attempt.
39 Citations
19 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. On a computer network including a target server accessible by a plurality of clients on the network and administered by a system administrator capable of authorizing attempts to execute software on the target server by a client on the network and a monitoring server coupled to the target server but not directly accessible by clients on the network, a method of detecting intrusion comprising:
distinguishing between an active software and a latent software resident on the target server;
permitting execution of the active software on the target server by each of the plurality of clients, wherein the permitting execution of the active software comprises running a monitored command implemented using a wrapper for a system command on the target server and altering a file system of the target server to load the wrapper in a former location of the system command and relocating the system command to another location;
authorizing a client of the plurality of clients to attempt to execute said latent software on the target server after the client connects to the target server thereby defining an authorized client, wherein said client is located remotely from said target server and said latent software is monitored by the monitoring server that is physically separated from the target server and the client;
receiving an attempt to execute said latent software on the target server from a client of the plurality of clients thereby defining an attempting client;
determining at the monitoring server whether the attempting client is the authorized client prior to completely executing the latent software on the target server;
completing execution of the latent software when the attempting client is the authorized client; and
aborting the execution of the latent software prior to completion when the attempting client is not the authorized client.
Dependent claims: 13, 14, 15, 16.
17. A computer system administered by a system administrator and accessible by a client on an external network comprising:
a target server coupled to the external network and configured to receive connections from the client, wherein said client is located remotely from the target server, and to receive requests from the client to execute a software thereon while the client is connected to the target server, wherein the target server includes a file system having a first location for a system command and a hidden location and wherein the system command is stored at the hidden location and a wrapper is stored at the first location, said wrapper including the authorization subroutine and a call to the system command at the hidden location;
an interface with the system administrator;
a monitoring server coupled to the target server but not directly accessible on the external network by the client, the monitoring server having authorization data resident thereon and administration software accessible through the interface for administering the authorization data;
said target server including said software resident thereon including an authorization subroutine for sending a query to the monitoring server indicating that the client is requesting to execute the software and receiving a response from the monitoring server indicating that the client is authorized to execute the software prior to successfully completing execution of the software for the client; and
said monitoring server including a subroutine thereon for receiving the query from the target server, accessing the authorization data to determine whether the client is authorized to execute the software on the target server, sending a response to the target server indicating that the client is authorized to execute the software or the client is not authorized to execute the software, and sending a message through the interface to the system administrator if the client is not authorized to execute the software, wherein said target server, said monitoring server and said client are physically separated.
Dependent claims: 18, 19.
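To make the arrangement of claims 1 and 17 concrete, the following Python simulation is an added example; it is not code from the patent or from any product built on it. It models the target server's file system as a temporary directory, relocates a constructed stand-in for a system command (`listusers`) to a hidden location, loads a wrapper stub at the former location, and routes every execution attempt through the wrapper's logic, which queries a simulated monitoring server holding the authorization data before the relocated command is allowed to run. The class and function names (`MonitoringServer`, `relocate_and_wrap`, `monitored_command`, `run_demo`) and the client identifiers are assumptions chosen for illustration.

```python
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional


@dataclass
class MonitoringServer:
    """Simulated monitoring server (hypothetical class, not from the patent).

    authorization_data maps a monitored command name to the set of client
    identifiers permitted to execute it. A denied query produces a message
    for the system administrator; here the messages are collected in a list
    instead of being delivered through an administrator interface.
    """
    authorization_data: dict
    admin_messages: list = field(default_factory=list)

    def query(self, client_id: str, command: str) -> bool:
        """Answer the target server's query: may this client run the command?"""
        allowed = client_id in self.authorization_data.get(command, set())
        if not allowed:
            self.admin_messages.append(
                f"unauthorized attempt by client {client_id!r} to execute {command!r}")
        return allowed


def relocate_and_wrap(bin_dir: Path, hidden_dir: Path, name: str) -> Path:
    """Alter the file system as the claims describe: move the real command to
    the hidden location and load a wrapper at its former location.

    The stub written here only refuses direct invocation; the authorization
    logic the wrapper carries is modelled by monitored_command() below.
    """
    hidden_dir.mkdir(parents=True, exist_ok=True)
    hidden_path = hidden_dir / name
    shutil.move(str(bin_dir / name), str(hidden_path))
    (bin_dir / name).write_text(
        "#!/bin/sh\n"
        "echo 'monitored wrapper: execution requires authorization' >&2\n"
        "exit 1\n")
    return hidden_path


def monitored_command(client_id: str, name: str, hidden_dir: Path,
                      monitor: MonitoringServer, args=()) -> Optional[str]:
    """The wrapper's behaviour: query the monitoring server first and call the
    relocated system command only for an authorized client.

    Returns the command's stdout, or None when the attempt was aborted before
    the latent function ran.
    """
    if not monitor.query(client_id, name):
        return None
    real = hidden_dir / name
    done = subprocess.run(["/bin/sh", str(real), *list(args)],
                          capture_output=True, text=True, check=True)
    return done.stdout


def run_demo() -> dict:
    """Constructed scenario in a temporary directory tree."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        hidden_dir = Path(root) / ".monitor" / "real"
        bin_dir.mkdir()
        # Constructed stand-in for a system command; a real deployment would
        # relocate an existing binary rather than write one.
        (bin_dir / "listusers").write_text("#!/bin/sh\necho 'alice bob'\n")

        hidden = relocate_and_wrap(bin_dir, hidden_dir, "listusers")
        relocated = hidden.exists() and \
            "monitored wrapper" in (bin_dir / "listusers").read_text()

        # The authorization data lives on the monitoring server, not on the
        # target server that the clients connect to.
        monitor = MonitoringServer({"listusers": {"admin-workstation"}})
        granted = monitored_command("admin-workstation", "listusers", hidden_dir, monitor)
        denied = monitored_command("unknown-host", "listusers", hidden_dir, monitor)

        return {
            "relocated": relocated,
            "authorized_output": granted,
            "unauthorized_output": denied,
            "admin_messages": list(monitor.admin_messages),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The property worth noticing is the ordering: the query to the monitoring server happens before the relocated command is invoked, so an unauthorized attempt yields an administrator message and no side effect on the target server. Because the authorization data sits on a monitoring server that the claims keep off the client-facing network, a client that has gained a foothold on the target server cannot simply edit a local allow-list to silence the alert.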
Specification