Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-06-05
2002-02-12
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C709S224000
Reexamination Certificate
active
06347374
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to event detection, and more particularly to a computerized system and method for detecting events based on audit data received from one or more audit sources. Even more particularly, the present invention relates to the detection of intrusion or misuse event detection in a distributed computer network environment based on audit data generated at one or more audit sources, such as operating systems running at remote computer installations.
Misuse detection is the process of detecting and reporting uses of systems that would be deemed inappropriate or unauthorized if known to the responsible parties. Even though designers, owners, and administrators of such systems usually try to prevent misuses, the complexity of modern system environments and the difficulty of preventing authorized users from abusing their privileges makes it virtually impossible to anticipate and prevent all possible security problems. To date, however, there is no known system or method for effectively and independently detecting and reporting misuses and facilitating their subsequent investigation.
This misuse detection and reporting research has followed two basic approaches: anomaly detection systems and expert systems, with the overwhelming emphasis on anomaly detection.
Anomaly detection looks for statistically anomalous behavior. It assumes that intrusions and other security problems are rare and that they appear unusual when compared to other user behavior. D. Denning, “An Intrusion Detection Model,” Proc 1986 IEEE Symp. Security & Privacy, (April 1986) provides an anomaly detection model (hereinafter the “Denning Model”) for detecting intrusions into computer systems. The Denning Model uses statistical profiles for user, dataset, and program usage to detect “exceptional” use of the system.
There are variations of the Denning Model of anomaly detection models and different applications of these models.
Expert systems (also known as rule-based systems or production systems) also have had some use in misuse detection, generally as a layer on top of anomaly detection systems for interpreting reports of anomalous behavior.
S. Snapp, et al., “DIDS (Distributed Intrusion Detection System)” Proc. 14th Nat'l Computer Security Conf., Washington, D.C. (October 1991) describes one example of an expert system signature analysis model that detects misuse by looking for one specific event within a specific system context.
In general, a computer event detection system is designed to protect a computer installation, with which it is associated, against abnormal computer actions of users (i.e., both insiders who are entitled to use the computer installation normally and outsiders who have intruded into the computer installation), whenever such actions are likely to give rise directly or indirectly to a breach of confidentiality, of integrity, and/or of availability of data and services from the computer installation.
The direct financial impact of computer misuse is very high and increasing. The National Institute of Justice (NIJ), for example, estimates the cost of computer misuse in the U.S. during 1993 to range from $500 million to $5 billion dollars. In addition, NIJ estimates that $2.1 billion was lost in the same period from telephone service fraud through illegally manipulating telephone company computer systems. In fact, virtually every sector of modern commerce and government, from banking to national defense, depends on the security of processing systems on which the sectors rely. As an increasing number of organizations connect their internal networks to outside public networks (e.g. the Internet, “National Information Infrastructure”, etc.), the potential importance of misuse increases. This is because vulnerability increases with increased exposure.
Processing system misuse detection and reporting research has been funded by U.S. government agencies who have concerns for the confidentiality of their computer systems. Researchers have generally been associated with large research organizations or national laboratories. These institutions have required detailed knowledge of technical computer security, known threats and vulnerabilities, protection mechanisms, standard operational procedures, communications protocols, details of various systems' audit trails, and legal investigation of computer crimes.
A computer event detection system, as mentioned above, is designed to detect abnormal computer actions constituting intrusions of insiders and a fortiori of intruding outsiders, and also to detect the people involved in such intrusions or suspected of being so involved.
Numerous present-day computer installations, whether they have centralized processor units or are they organized in networks of interconnecting geographically distributed processor units, have various access points for serving their users. The number of such points and the ease with which they are often accessible, as well as the requirements necessary for running such computer installations, have the drawback of facilitating attempts at intrusion by people who are not authorized users, and attempts by users of any kind, whether acting alone or in concert, to perform potentially harmful computer operations.
It is known that detecting intrusions into a computer installation and identifying the users performing illegal actions can be attempted by an approach that is statistical or neural, as mentioned above, or based on an expert system, as also mentioned above.
U.S. Pat. No. 5,557,742 (Smaha et al.), incorporated herein by reference, describes a method and system for detecting intrusion and misuse of data processing systems. The system uses processing system inputs, which include processing system audit trail records, system log file data, and system security state data information to detect and report processing system intrusions and misuses. A misuse selection mechanism allows the detection system to analyze the process inputs for a selected subset of misuses. The processing system inputs are then converted into states that are compared, through the misuse engine, to a predefined set of states and transitions until a selected misuse is detected. Once a misuse has been detected, an output mechanism generates a signal for use by a notification and storage mechanism. The detection system then generates a text-based output report for a user to view or store.
A number of false positives is minimized by creating signatures from undesirable activities including known attack outcomes, known system vulnerabilities and known attack procedures. Misuse is only reported upon a direct match to a known misuse signature; the probability of falsely reporting a misuse is reduced over the previous anomaly detection mechanisms. The signatures are generated by a programmer and are loadable at program initiation. System programmers are capable of creating their own misuse signatures from their particular known attack procedures, attack outcomes, and known system vulnerabilities. The misuse signatures are deterministic, unlike expert systems. The system does not use statistical analysis.
U.S. Pat. No. 5,621,889 (Lermuzeaux, et al.), incorporated herein by reference, describes a facility for detecting intrusions and possibly suspect users, by making use of streams of surveillance data relating to the operation of a computer installation and in particular to the actions of users of the installation, wherein the actions take place at installation level. The detection facility involves modeling a target as constituted by the computer installation and its users and also their respective behaviors by making use of previously acquired knowledge and rules and by making use of a symbolic representation using a semantic network; comparing the modeled behavior of the installation and its users with normal behavior expected for the same conditions as modeled by the behavior rules and security rules contained in a knowledge base, and inferring therefrom either an anomaly object in the event of at least one of
Drake David L.
Webster David J.
Brobeck Phleger & Harrison LLP
Intrusion.com, Inc.
Jack Todd
Peeso Thomas R.
LandOfFree
Event detection does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Event detection, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Event detection will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2956760