Application-layer anomaly and misuse detection

US 7,143,444 B2
Filed: 11/28/2001
Issued: 11/28/2006
Est. Priority Date: 11/28/2001
Status: Expired due to Fees

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

in a server, hosting an intrusion detection process that provides intrusion detection services;

integrating the intrusion detection process with a server process; and

passing a request for data received by the server process to the intrusion detection process,where the intrusion detection process comprises;

packing a subset of information from the request into an analysis format; and

delivering the subset in a funneling process, via a socket, to an analysis process.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A method includes passing a request for data received by a first server process executing in a first server to a detection process that includes packing a subset of the data into an analysis format and passing the subset to an analysis process.

59 Citations

View as Search Results

21 Claims

1. A method comprising:
- in a server, hosting an intrusion detection process that provides intrusion detection services;
  
  integrating the intrusion detection process with a server process; and
  
  passing a request for data received by the server process to the intrusion detection process,where the intrusion detection process comprises;
  
  packing a subset of information from the request into an analysis format; and
  
  delivering the subset in a funneling process, via a socket, to an analysis process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 in which integrating comprises:
    - defining global application programmer interface (API) structures in the intrusion detection process to establish a connection to an application programmer interface (API) of the server process.
  - 3. The method of claim 1 further comprising analyzing the subset In the analysis process.
  - 4. The method of claim 1 in which the server is a web server.
  - 5. The method of claim 1 in which the analysis process is resident in the server.
  - 6. The method of claim 1 in which the analysis process is resident outside of the server.
  - 7. The method of claim 1 in which the funneling process comprises:
    - accepting incoming connections to which the subset can be transmitted; and
      
      passing the subset to outgoing connections.
  - 8. The method of claim 1 in which the funneling process further comprises duplicating the subset for delivery to a second analysis process.

9. A method comprising:
- conveying a request for data received by a web server process executing in a first server to a detection process that includes;
  
  packing a subset of information from the request into an analysis format; and
  
  passing the subset to an analysis process, where passing comprises;
  
  receiving the subset in a piped logs interface of the web server; and
  
  delivering the subset to a funneling process via a socket.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 also including analyzing the subset in the analysis process.
  - 11. The method of claim 10 in which the analysis process is resident in the first server.
  - 12. The method of claim 10 in which the analysis process is resident in a second server.
  - 13. The method of claim 9 in which the detection process is resident in the first server.
  - 14. The method of claim 9 in which the funneling process comprises:
    - accepting incoming connections to which the subset can be transmitted; and
      
      passing the subset to outgoing connections.
  - 15. The method of claim 9 in which the funneling process further comprises duplicating the subset for delivery to a second analysis process.

16. A computer program product residing on a computer readable medium having instructions stored thereon which, when executed by a processor, cause the processor to:
- host, in a server, an intrusion detection process that provides intrusion detection services;
  
  integrate the intrusion detection process with a server process; and
  
  pass a request for data received by the server process to the intrusion detection process,where the intrusion detection process comprises;
  
  packing a subset of information from the request into an analysis format; and
  
  delivering the subset in a funneling process, via a socket, to an analysis process.

17. A computer program product residing on a computer readable medium having instructions stored thereon which, when executed by a processor, cause the processor to:
- convey a request for data received by a web server process executing in a first server to a detection process that includes;
  
  pack a subset of information from the request into an analysis format; and
  
  pass the subset to an analysis process, where passing comprises;
  
  receiving the subset in a piped logs interface of the web server; and
  
  delivering the subset to a funneling process via a socket.

18. A method for detecting misuse of an application server process that is hosted at a server in a network, the method comprising:
- receiving, from the application server process, a forwarded request for data;
  
  packing a subset of information from the request into an analysis format; and
  
  delivering the subset in a funneling process, via a socket, to an analysis process.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, wherein the application server process is a web server process.
  - 20. The method of claim 18, wherein the analysis process is resident outside of the server.
  - 21. The method of claim 18, further comprising analyzing the subset in the analysis process.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip Andrew, Almgren, Magnus, Lindqvist, Ulf E., Dawson, Steven Mark
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/996,154
Publication Number

US 20030101358A1
Time in Patent Office

1,826 Days
Field of Search

726/23, 726/25, 726/26, 726/30, 726/29, 726/28, 726/27, 726/24, 726/11, 726/5
US Class Current

726/30
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

Application-layer anomaly and misuse detection

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

59 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Application-layer anomaly and misuse detection

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links