System and method for using timestamps to detect attacks
Abstract
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
187 Citations
15 Claims
1. A system for detecting intrusions on a host, comprising:
   a) a filesystem scanner, including at least one computer processor, configured to examine timestamps and signatures of files and directories in a filesystem;
   b) an analysis engine configured to compare timestamps and signatures of a directory of the filesystem and of files in the directory, and assign a weighted value out of a plurality of weighted values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, and scan for inconsistencies between an entry in a log file and expected information of the filesystem, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file, wherein the weighted value is indicative of an attack;
   wherein the filesystem scanner is configured to examine timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and to recover timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the filesystem scanner is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is further configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
   Dependent claims: 2, 3, 4, 5, 6, 7
8. A method for detecting intrusions on a host, comprising:
   examining timestamps and signatures of files and directories in a filesystem;
   comparing, using an analysis engine, timestamps and signatures of a directory of the filesystem and of files in the directory;
   assigning a weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and
   scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file;
   wherein the scanning comprises examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the scanning is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
   Dependent claims: 9, 10, 11, 12, 13
14. A computer program product for detecting intrusions on a host, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
   examining timestamps and signatures of files and directories in a filesystem;
   comparing timestamps and signatures of a directory of the filesystem and of files in the directory;
   assigning a weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and
   scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file;
   wherein the examining includes examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the examining is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the comparing comprises comparing the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
   Dependent claims: 15
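The independent claims above describe three checks: timestamp and signature consistency within the live filesystem, comparison against an archival source, and a log entry whose action the filesystem does not reflect. The following is an added illustration written for this page, not the patent's own implementation. It simulates the archival source with an in-memory snapshot instead of a backup dump, uses constructed sample files and a constructed log entry, and the weight table and the "modify" log format are assumptions made here. It relies on the POSIX rule that setting mtime by hand causes the kernel to refresh ctime, so a file whose mtime is later than its ctime has had its timestamp written directly (on Windows, where ctime is the creation time, that rule does not apply).

```python
import hashlib
import os
import shutil
import tempfile
import time

# Assumed weight table: the claims only say one weighted value out of a
# plurality is assigned and that it is indicative of an attack.
WEIGHTS = {
    "mtime_after_ctime": 4,            # mtime set ahead of ctime: hand-written timestamp
    "content_changed_mtime_same": 5,   # hash differs from archive but mtime is unchanged
    "content_changed": 1,              # ordinary edit: hash and mtime both differ
    "log_action_not_reflected": 3,     # log records a change the file's timestamps deny
}


def sha256_of(path):
    """Signature of a file's contents (SHA-256 used here as the signature)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Filesystem scanner: relative path -> (mtime_ns, ctime_ns, sha256)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records[os.path.relpath(full, root)] = (st.st_mtime_ns, st.st_ctime_ns, sha256_of(full))
    return records


def analyze(current, archive, log_entries):
    """Analysis engine: {path: [(reason, weight), ...]} for every inconsistency found."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append((reason, WEIGHTS[reason]))

    for path, (mtime, ctime, digest) in current.items():
        if mtime > ctime:                      # timestamps inconsistent with each other
            flag(path, "mtime_after_ctime")
        if path in archive:                    # compare against the archival snapshot
            a_mtime, a_digest = archive[path]
            if digest != a_digest and mtime == a_mtime:
                flag(path, "content_changed_mtime_same")
            elif digest != a_digest:
                flag(path, "content_changed")

    # A modification recorded in the log must be visible in the file's own mtime;
    # a file whose mtime predates the logged action had its timestamp rolled back.
    for action, path, ts_ns in log_entries:
        if action == "modify" and path in current and current[path][0] < ts_ns:
            flag(path, "log_action_not_reflected")
    return findings


def total_weight(findings, path):
    return sum(w for _reason, w in findings.get(path, []))


def build_sample():
    """Constructed sample tree, archive snapshot and log line (not real data)."""
    root = tempfile.mkdtemp(prefix="ts_demo_")
    now_ns = time.time_ns()
    hour_ns, day_ns = 3600 * 10**9, 86_400 * 10**9
    old_ns = now_ns - day_ns

    def write(rel, data, mtime_ns):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, ns=(mtime_ns, mtime_ns))   # kernel refreshes ctime to "now"

    write("etc/motd", b"welcome\n", old_ns)
    write("etc/passwd", b"root:x:0:0\n", old_ns)
    write("bin/ls", b"#!/bin/sh\nls\n", old_ns)
    # Archival source: {path: (mtime_ns, sha256)} recorded before the changes below.
    archive = {rel: (rec[0], rec[2]) for rel, rec in scan_tree(root).items()}

    write("etc/motd", b"maintenance tonight\n", now_ns - hour_ns)    # legitimate edit
    write("etc/passwd", b"root:x:0:0\nextra:x:0:0\n", old_ns)         # edited, mtime restored
    write("bin/ls", b"#!/bin/sh\nls\n", now_ns + hour_ns)             # mtime pushed ahead of ctime
    log = [("modify", "etc/passwd", now_ns - 60 * 10**9)]             # constructed log entry
    return root, archive, log


if __name__ == "__main__":
    root, archive, log = build_sample()
    try:
        for path, hits in sorted(analyze(scan_tree(root), archive, log).items()):
            print(path, hits, "total weight:", sum(w for _r, w in hits))
    finally:
        shutil.rmtree(root)
```

Run as a script it prints one line per flagged file; `etc/passwd` accumulates weight from both the archive comparison and the log check, which is the kind of stacking the weighted-value approach relies on to separate a rolled-back timestamp from an ordinary edit like `etc/motd`.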
Specification