Title of invention |
SYSTEM AND METHOD FOR USING SIGNATURES TO DETECT COMPUTER INTRUSIONS |
Abstract |
A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine (302) configured to use continuation and apply forward- and backward-chaining using rules (306). Also provided are sensors (312), which communicate with the analysis engine using a metaprotocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures (308). A buffer overflow attack detector compares access times of commands and their associated files. The intrusion detection system further includes a mechanism for checking timestamps to identify and analyze forward and backward time steps in a log file.
|
Publication number |
WO0117161(A1) |
Publication date |
2001.03.08 |
Application number |
WO2000US23948 |
Filing date |
2000.08.30 |
Applicant |
RECOURSE TECHNOLOGIES, INC. |
Inventor |
MORAN, DOUGLAS, B. |
Classification (IPC) |
G06E1/00;G06E3/00;G06F1/12;G06F7/00;G06F9/26;G06F9/34;G06F9/44;G06F11/00;G06F11/30;G06F12/00;G06F12/02;G06F12/04;G06F12/08;G06F12/10;G06F12/14;G06F13/00;G06F15/18;G06F17/00;G06F17/30;G06G7/00;H02H3/05;H03K19/003;H04B1/74;H04L1/22;H04L9/00;H04L9/30;H04L9/32;H04L29/06;(IPC1-7):H04L9/00 |
Main classification |
G06E1/00 |
Patent agency |
|
Agent |
|
Independent claim |
|
Address |
|