System and method for analyzing filesystems to detect intrusions

US 6,647,400 B1
Filed: 08/30/2000
Issued: 11/11/2003
Est. Priority Date: 08/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting intrusions on a host, comprising:

a) a sensor configured to collect information directly from a filesystem, the filesystem being associated with the host and including directories having allocated and deallocated directory entries; and

b) a directory processing mechanism configured to extract the deallocated entries and create a partial ordering of the entries, wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.

388 Citations

15 Claims

1. A system for detecting intrusions on a host, comprising:
- a) a sensor configured to collect information directly from a filesystem, the filesystem being associated with the host and including directories having allocated and deallocated directory entries; and
  
  b) a directory processing mechanism configured to extract the deallocated entries and create a partial ordering of the entries, wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as recited in claim 1, further comprising a file processing mechanism configured to match contents of a deleted file to a directory and filename in the filesystem.
  - 3. The system as recited in claim 1, wherein the sensor includes the directory processing mechanism.
  - 4. The system as recited in claim 1, wherein the directory processing mechanism is configured to create the partial ordering based on a level of embedding of the entries.
  - 5. The system as recited in claim 4, wherein the directory processing mechanism is configured to create the partial ordering based on a temporal ordering of the entries.
  - 6. The system as recited in claim 4, wherein the entries include filenames, and further comprising an analysis engine configured to expand the partial ordering using at least one constraint based on lengths of the filenames.
  - 7. The system as recited in claim 6, wherein the at least one constraint includes a determination that an allocated directory entry, having a filename of a first length, found after a deallocated directory entry having a filename of a second length not less than the first length, was linked into the directory before the deallocated directory entry was unlinked from the directory.
  - 8. The system as recited in claim 6, further comprising a database of known filenames, and an analysis engine configured to search the partial ordering for filenames matching filenames in the database.
  - 9. The system as recited in claim 8, wherein the analysis engine is configured to use regular expressions in searching for matching filenames.
  - 10. The system as recited in claim 9, wherein the database of known filenames comprises regular expressions.

11. A system for detecting intrusions on a host, comprising:
- a) a sensor configured to collect information directly from a filesystem directory associated with the host; and
  
  b) a file processing mechanism configured to match contents of a deleted file to a directory and filename in the filesystem;
  
  wherein the file processing mechanism is configured to use temporal information in matching the contents to a directory and filename.
- View Dependent Claims (12, 13)
- - 12. The system as recited in claim 11, wherein the contents include i-nodes.
  - 13. The system as recited in claim 11, wherein the file processing mechanism is further configured to use ordering relationships between unlinked filenames in the directory.

14. A method for detecting intrusions on a host, comprising the steps of:
- a) collecting information directly from a filesystem associated with the host, the filesystem including directories having allocated and deallocated directory entries;
  
  b) extracting the deallocated entries; and
  
  c) creating a partial ordering of the entries;
  
  wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.

15. A computer program product for detecting intrusions on a host, the computer program product being embodied in a computer readable medium having machine readable code embodied therein for performing the steps of:
- a) collecting information directly from a filesystem associated with the host, the filesystem including directories having allocated and deallocated directory entries;
  
  b) extracting the deallocated entries; and
  
  c) creating a partial ordering of the entries;
  
  wherein each of the deallocated entries is associated with a deleted file and the partial ordering comprises an indication of the relative order in which the deallocated entries were created.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Moran, Douglas B.
Primary Examiner(s)
Breene, John
Assistant Examiner(s)
Ali, Mohammad

Application Number

US09/651,304
Time in Patent Office

1,168 Days
Field of Search

707/1-6, 707/10, 707/200-206, 713/187, 713/191, 713/168, 713/200, 714/20
US Class Current

1/1
CPC Class Codes

H04L 63/12   Applying verification of th...

Y10S 707/99936   Pattern matching access

Y10S 707/99956   File allocation

System and method for analyzing filesystems to detect intrusions

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

388 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing filesystems to detect intrusions

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

388 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links