Dynamic software system intrusion detection

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate

Status: active

Patent number: 06681331

ABSTRACT:

FIELD OF THE INVENTION
The present invention generally relates to detecting the use of software, and more specifically, to the dynamic detection of an intrusive anomalous use of computer software.
BACKGROUND OF THE INVENTION
The literature and media abound with reports of successful violations of computer system security by both external attackers and internal users. These breaches occur through physical attacks, social engineering attacks, and attacks on the system software. In a system software attack, the intruder subverts or bypasses the security mechanisms of the system in order to gain unauthorized access to the system or to increase current access privileges. These attacks are successful when the attacker is able to cause the system software to execute in a manner that is typically inconsistent with the software specification and thus leads to a breach in security.
Intrusion detection systems monitor some trace of user activity to determine whether an intrusion has occurred. The traces of activity can be collated from audit trails or logs, from network monitoring, or from a combination of both. Once the data regarding a relevant aspect of the behavior of the system have been collected, the classification stage starts. Intrusion detection classification techniques can be broadly catalogued into two main groups: misuse intrusion detection and anomaly intrusion detection. The first type of classification technique searches for occurrences of known attacks with a particular “signature,” and the second type searches for a departure from normality. Some of the newest intrusion detection tools incorporate both approaches.
One prior art system for detecting an intrusion is the EMERALD™ program. EMERALD defines the architecture of independent monitors that are distributed about a network to detect intrusions. Each monitor performs a signature or profile analysis of a “target event stream” to detect intrusions and communicates such detection to other monitors on the system. The analysis is performed on event logs, but the structure of the logs is not prescribed and the timeliness of the analysis and detection of an intrusion depends on the analyzed system and how it chooses to provide such log data. By monitoring these logs, EMERALD can thus determine that at some point in the event stream that was recorded in the log, an intrusion occurred. However, the detection is generally not implemented in real time, but instead occurs at some interval of time after the intrusion. Also, this prior art system does not allow monitoring of all types of software activity, since it is limited to operating system kernel events. Accordingly, it would be desirable to provide a real time intrusion detection paradigm that is applicable to monitoring almost any type of program.
It would be preferable to detect an intrusion based on the measurement of program activity as control is passed among program modules. As a system executes its customary activities, the intrusion detection scheme should estimate a nominal system behavior. Departures from the nominal system profile will likely represent potential invidious activity on the system. Since unwanted activity may be detected by comparison of the current system activity to that occurring during previous assaults on the system, it would be desirable to store profiles for recognizing these activities from historical data. Historical data, however, cannot be used to recognize new kinds of assaults. An effective security tool would be one designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity. Currently, none of the prior art techniques fully achieve these objectives.
SUMMARY OF THE INVENTION
The present invention represents a new software engineering approach to intrusion detection using dynamic software measurement to assist in the detection of intruders. Dynamic software measurement provides a framework to analyze the internal behavior of a system as it executes and makes transitions among its various modules governed by the structure of a program call graph. A target system is instrumented so that measurements can be obtained to profile the module activity on the system in real time. Essentially, this approach measures from the inside of a software system to make inferences as to what is occurring outside of the program environment. In contrast, the more traditional approach of the prior art measures or profiles system activity from system log files and other such patterns of externally observable behavior.
Program modules are distinctly associated with certain functionalities that a program is capable of performing. As each functionality is executed, it creates its own distinct signature of transition events. Since the nominal behavior of a system is more completely understood while it is executing its customary activities, this nominal system behavior can be profiled quite accurately. Departures from a nominal system profile represent potential invidious activity on the system. New profiles of intrusive behavior can be stored and used to construct an historical database of intrusion profiles. However, these historical data cannot be used as a basis for the recognition of new types of assaults. The present invention is designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity.
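The following is an added example, not code from the patent or its assignee, that demonstrates the measurement scheme described in the summary: instrument a program so that transitions between its modules are recorded as control passes along the call graph, build a nominal transition-frequency profile from customary activity, and flag a run whose profile departs from it. The toy "modules" (parse_request, check_auth, serve_page, serve_admin, deny), the use of Python's sys.setprofile as the instrumentation hook, the L1 distance, and the 0.5 threshold are all assumptions made for illustration; the patent does not specify any of them. Both workloads are constructed.

```python
# Added example, not the patent's implementation: build a nominal profile of
# module-to-module transitions by instrumenting a toy program, then flag a
# run whose transition profile departs from nominal.
import sys
from collections import Counter

# Constructed toy program. Each function stands in for a program "module".
def parse_request(req):
    if req.get("admin"):
        return check_auth(req)
    return serve_page(req)

def check_auth(req):
    if req.get("token") == "t0k3n":
        return serve_admin(req)
    return deny()

def serve_page(req):
    return "page"

def serve_admin(req):
    return "admin"

def deny():
    return "denied"

MODULES = {"parse_request", "check_auth", "serve_page", "serve_admin", "deny"}

class TransitionProfiler:
    """Counts (caller, callee) transitions among MODULES using sys.setprofile
    as the instrumentation hook (an assumed mechanism, not the patent's)."""

    def __init__(self):
        self.counts = Counter()

    def _hook(self, frame, event, arg):
        if event != "call":            # ignore returns and C-function events
            return
        callee = frame.f_code.co_name
        if callee not in MODULES:
            return
        caller = frame.f_back.f_code.co_name if frame.f_back else "<entry>"
        if caller not in MODULES:      # control entering from outside the program
            caller = "<entry>"
        self.counts[(caller, callee)] += 1

    def run(self, fn, *args):
        sys.setprofile(self._hook)
        try:
            return fn(*args)
        finally:
            sys.setprofile(None)

def execution_profile(workload):
    """Relative frequency of each transition over a workload of requests."""
    prof = TransitionProfiler()
    for req in workload:
        prof.run(parse_request, req)
    total = sum(prof.counts.values()) or 1
    return {k: v / total for k, v in prof.counts.items()}

def unseen_transitions(nominal, observed):
    """Transitions exercised now that never occurred during nominal operation."""
    return sorted(k for k in observed if k not in nominal)

def profile_distance(nominal, observed):
    """L1 distance between two transition-frequency profiles (range 0..2)."""
    keys = set(nominal) | set(observed)
    return sum(abs(nominal.get(k, 0.0) - observed.get(k, 0.0)) for k in keys)

def is_anomalous(nominal, observed, threshold=0.5):
    """Departure from nominal: a never-seen transition, or a frequency shift
    larger than the threshold (0.5 is an assumed tuning value)."""
    if unseen_transitions(nominal, observed):
        return True
    return profile_distance(nominal, observed) > threshold

# Constructed nominal workload: mostly ordinary pages, a few valid admin logins.
NOMINAL_WORKLOAD = [{"admin": False}] * 18 + [{"admin": True, "token": "t0k3n"}] * 2
NOMINAL = execution_profile(NOMINAL_WORKLOAD)

# Constructed intrusive workload: repeated admin attempts with guessed tokens.
ATTACK_WORKLOAD = [{"admin": True, "token": "guess%d" % i} for i in range(10)]

if __name__ == "__main__":
    observed = execution_profile(ATTACK_WORKLOAD)
    print("unseen transitions:", unseen_transitions(NOMINAL, observed))
    print("distance from nominal: %.2f" % profile_distance(NOMINAL, observed))
    print("anomalous:", is_anomalous(NOMINAL, observed))
```

Against the attack workload the check_auth -> deny transition never appears in the nominal profile, so the run is flagged even before the frequency distance (about 1.24 here) is consulted; replaying the nominal workload yields distance 0 and no alarm. Because the profile is built from the program's own internal transitions rather than from log records, the comparison can run as the program executes, which is the real-time property the summary contrasts with log-based monitoring.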


REFERENCES:
patent: 5067073 (1991-11-01), Andrews
patent: 5278901 (1994-01-01), Shieh et al.
patent: 5313616 (1994-05-01), Cline et al.
patent: 5355487 (1994-10-01), Keller et al.
patent: 5487131 (1996-01-01), Kassatly et al.
patent: 5499340 (1996-03-01), Barritz
patent: 5528753 (1996-06-01), Fortin
patent: 5539907 (1996-07-01), Srivastava et al.
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5581482 (1996-12-01), Wiedenman et al.
patent: 5621889 (1997-04-01), Lermuzeaux et al.
patent: 5675711 (1997-10-01), Kephart et al.
patent: 5732273 (1998-03-01), Srivastava et al.
patent: 5790858 (1998-08-01), Vogel
patent: 5907834 (1999-05-01), Kephart et al.
patent: 5987250 (1999-11-01), Subrahmanyam
patent: 5991881 (1999-11-01), Conklin et al.
patent: 6009514 (1999-12-01), Henzinger et al.
patent: 6026236 (2000-02-01), Fortin et al.
patent: 6094530 (2000-07-01), Brandewie
patent: 6119236 (2000-09-01), Shipley
patent: 6226408 (2001-05-01), Sirosh
patent: 6282701 (2001-08-01), Wygodny et al.
patent: 6321338 (2001-11-01), Porras et al.
patent: 6347374 (2002-02-01), Drake et al.
patent: 6370648 (2002-04-01), Diep
patent: 6405318 (2002-06-01), Rowland
Frank, “Artificial Intelligence and Intrusion Detection: Current and Future Directions” Jun. 9, 1994, Division of Computer Science University of California at Davis, p. 1-12.*
“Real-time attack recognition and response: A solution for tightening network security” 1997, Internet Security Systems, p. 1-13.*
Lankewicz et al, “Real-time Anomaly Detection Using a Nonparametric Pattern Recognition Approach”, 1991, IEEE, p. 80-89.*
Cannady, “Artificial Neural Networks for Misuse Detection” Oct. 1998, School of Computer and Information Sciences Nova Southeastern University, p. 1-14.*
Cannady et al, “The Application of Artificial Neural Networks to Misuse Detection: Initial Results”, Mar. 10, 1997, Georgia Tech Research Institute Georgia Institute of Technology, p. 1-13.*
Herringshaw, “Detecting Attacks on Networks” Dec. 1997, Industry Trends, p. 16-17.*
Mukherjee et al., “Network Intrusion Detection” May/Jun. 1994, IEEE Network, p. 26-41.*
Lane et al, “Sequence Matching and Learning in Anomaly Detection for Computer Security” 1997, School of Electrical and Computer Engineering Purdue University, p. 1-7.*
Dasgupta, D. et al., “Novelty Detection in Time Series Data Using Ideas from Immunology,” 1995, 6 pages.
D'haeseleer, P. et al., “A Distributed Approach to Anomaly Detection,” Aug. 30, 1997, 30 pages.
D'haeseleer, P. et al., “An Immunology Approach to Change Detection: Algorithms, Analysis and Implications,”IEEE Symposium on Security and Privacy, 1996, 10 pages.
Forrest, S. et al., “Com
