System and method for using timestamps to detect attacks

US 8,578,490 B2
Filed: 02/27/2007
Issued: 11/05/2013
Est. Priority Date: 08/30/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A system for detecting intrusions on a host, comprising:

a) a filesystem scanner, including at least one computer processor, configured to examine timestamps and signatures of files and directories in a filesystem;

b) an analysis engine configured to compare timestamps and signatures of a directory of the filesystem and of files in the directory, and assign a weighted value out of a plurality of weighted values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, and scan for inconsistencies between an entry in a log file and expected information of the filesystem, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesytem file, wherein the weighted value is indicative of an attack;

wherein the filesystem scanner is configured to examine timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and to recover timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the filesystem scanner is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is further configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

187 Citations

15 Claims

1. A system for detecting intrusions on a host, comprising:
- a) a filesystem scanner, including at least one computer processor, configured to examine timestamps and signatures of files and directories in a filesystem;
  
  b) an analysis engine configured to compare timestamps and signatures of a directory of the filesystem and of files in the directory, and assign a weighted value out of a plurality of weighted values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, and scan for inconsistencies between an entry in a log file and expected information of the filesystem, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesytem file, wherein the weighted value is indicative of an attack;
  
  wherein the filesystem scanner is configured to examine timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and to recover timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the filesystem scanner is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is further configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as recited in claim 1, wherein the analysis engine is configured to treat timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
  - 3. The system of claim 1, wherein the analysis engine is further configured to scan for inconsistencies between entries of a log file.
  - 4. The system of claim 1, wherein the entry in the log file comprises a user login entry and the expected file system information comprises a login start up file.
  - 5. The system of claim 1, wherein the analysis engine is further configured to scan for inconsistencies between an file system timestamp and an expected entry in a log file.
  - 6. The system of claim 5, wherein the file system timestamp comprises an access time by a user account and the expected entry in the log file comprises a user login entry.
  - 7. The system of claim 1, wherein the analysis engine is further configured to scan a log file for allocated and unused space.

8. A method for detecting intrusions on a host, comprising:
- examining timestamps and signatures of files and directories in a filesystem;
  
  comparing, using an analysis engine, timestamps and signatures of a directory of the filesystem and of files in the directory;
  
  assigning weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and
  
  scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file;
  
  wherein the scanning comprises examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the scanning is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the analysis engine is configured to compare the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8, further including treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.
  - 10. The method as recited in claim 8, wherein examining includes examining timestamps of files and directories from an archival source, and comparing includes comparing the timestamps from the archival source to the timestamps of the directory and files in the directory.
  - 11. The method of claim 8, wherein the entry in the log file comprises a user login entry and the expected file system information comprises a login start up file.
  - 12. The method of claim 8, further comprising:
    - scanning for inconsistencies between an file system timestamp and an expected entry in a log file.
  - 13. The method of claim 12, wherein the file system timestamp comprises an access time by a user account and the expected entry in the log file comprises a user login entry.

14. A computer program product for detecting intrusions on a host, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- examining timestamps and signatures of files and directories in a filesystem;
  
  comparing timestamps and signatures of a directory of the filesystem and of files in the directory;
  
  assigning a weighted value out of a plurality of values to the directory or at least one file of the files in the directory if the timestamps and signatures are inconsistent, wherein the weighted value is indicative of an attack; and
  
  scanning for inconsistencies between an entry in a log file and expected file system information, wherein the inconsistencies comprise an action recorded in the log file and a corresponding action not indicated in a corresponding filesystem file;
  
  wherein the examining includes examining timestamps and signatures of files and directories from a backup dump as an archival source of the directory of the filesystem and the files in the directory and recovering timestamp and signature information from the backup dump without restoring backup dump data to the filesystem, wherein the examining is further configured to recover timestamp and signature information from a plurality of dump formats without restoring backup dump data to the filesystem, and wherein the comparing comprises comparing the timestamps and signatures from the archival source to the timestamps and signatures of the directory and files in the directory.
- View Dependent Claims (15)
- - 15. The computer program product as recited in claim 14, the computer program product further comprising computer instructions for treating timestamps as inconsistent if the timestamp of the directory is later than the timestamp of any file in the directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Brown, Christopher
Assistant Examiner(s)
Baum, Ronald

Application Number

US11/712,260
Publication Number

US 20070157315A1
Time in Patent Office

2,443 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for using timestamps to detect attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

187 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using timestamps to detect attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

187 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links