US20110179488A1 - Kernal-based intrusion detection using bloom filters - Google Patents
Kernal-based intrusion detection using bloom filters Download PDFInfo
- Publication number
- US20110179488A1 US20110179488A1 US13/025,906 US201113025906A US2011179488A1 US 20110179488 A1 US20110179488 A1 US 20110179488A1 US 201113025906 A US201113025906 A US 201113025906A US 2011179488 A1 US2011179488 A1 US 2011179488A1
- Authority
- US
- United States
- Prior art keywords
- bloom filter
- computer program
- data object
- computer
- filter data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
Description
- This application claims priority under 35 U.S.C. §119(e) to U.S. Provisional Patent Application Ser. No. 60/556,425, by David P. Mankins, filed on Mar. 25, 2004, and entitled KERNEL-BASED COMPUTER IMMUNOLOGY WITH BLOOM FILTERS, the contents of which are hereby incorporated by reference in their entirety.
- Kernel-based intrusion detection using Bloom filters is disclosed.
- Today, many network infrastructures (e.g., the Internet) are vulnerable to attack. Indeed, attackers have access to a wide range of tools capable of degrading network performance or disabling network resources. Even a single well-targeted data packet may be sufficient to cause an operating system of a network device to crash. Moreover, network devices continue to become more vulnerable to attack as standardized protocols are adopted and implemented.
- Because vulnerability to attack is a significant concern to network communities, many techniques have been developed to defend networks and computers (collectively “networks”) from malicious attacks. For example, “computer immunology” is a term used to describe computer-based intrusion detection techniques inspired by biological immune systems. Such intrusion detection techniques are typically designed to detect computing anomalies to identify intrusions into a network. To elaborate, it is a widely accepted theory that a biological immune system is able to distinguish “self” from “other” through clues made up of proteins. In computer immunology, similar theories are applied to networks to distinguish “anomalous” behavior from “normal” behavior. “Normal” behavior may be defined differently but generally refers to observable and acceptable behavior characteristics expected of networks when not under attack. “Anomalous” behavior then refers to any deviation from the defined normal behavior. The detection of anomalous behavior is used to identify intrusion attacks, which tend to cause computer programs to take unusual execution paths.
- Several immunology-inspired intrusion detection techniques involve the tracking of system calls to monitor the behavior of computer programs. System calls refer to mechanisms used by computer programs to request service from the operating system (“OS”) of a computer. System calls invoke low-level OS routines that allow the OS to perform restricted actions such as accessing hardware devices (e.g., processors, input and output devices, memory) and other shared machine resources (collectively “shared resources”). Accordingly, the OS (typically the kernel of the OS) is able to allocate and control the shared resources of a computer to fulfill requests received from computer programs.
- Conventional system-call-based intrusion detection techniques typically compare monitored system-call sequences with a predefined set of normal system-call sequences to identify occurrences of anomalous sequences. To define the set of normal system-call sequences, sequences of system calls are tracked for a particular computer program as it operates under test conditions (e.g., when the computer or network is not under attack). The tracked system-call sequences are inserted into a database to form a profile of system-call sequences that are considered to be normal operations of the particular program. When the same program operates under real circumstances (e.g., the possibility of attack exists), system-call sequences are monitored and used to identify potential intrusions. In particular, the monitored system-call sequences are compared with the predefined normal system-call sequences stored in the profile database. As long as the monitored system-call sequences have a match in the profile database, operation is considered to be normal. However, if a monitored system-call sequence is not found in the profile database, operation is considered to be anomalous, which may indicate an intrusion attempt.
- Unfortunately, several shortcomings are apparent in existing system-call-based intrusion detection techniques. For example, significant delays are inherent in these techniques and may make them impracticable for use with complex computer programs that are processed at high speeds. In particular, it takes time to compare system calls tracked in the OS kernel with data of a profile database stored outside of the OS because communications must be sent back and forth between the OS kernel and the profile database. Because of the sizes of traditional profile databases, it has been impracticable to store them in the OS kernel, which has strict size requirements because, typically, it is continuously operating in main memory.
- Moreover, additional delays are introduced by the amount of time required to identify and access the appropriate profile database associated with a particular computer program. Even additional time is required for searching the database, especially when the database is of large size due to the complexity of the particular computer program being monitored. These and other delays tend to render conventional intrusion detection techniques impracticable for many applications, especially applications in which complex programs operate at high processing speeds or when the detection of intrusion attempts is time sensitive.
- Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments, a Bloom filter is used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object. The comparisons facilitate real-time detection of actual system-call behavior that deviates from the expected system-call behavior and that may be indicative of intrusion attacks.
- In some embodiments, the expected system-call behavior is generated automatically from system calls monitored at the OS kernel during operation of the computer program under training conditions. In some embodiments, training conditions include isolation of the computer program from intrusion attacks. In some embodiments, an alert is issued in response to a detection of anomalous system-call behavior.
- The present disclosure will be more fully understood upon reading the following detailed description in conjunction with the accompanying drawings.
- The accompanying drawings illustrate various embodiments and are a part of the specification. The illustrated embodiments are merely examples and do not limit the scope of the disclosure. Throughout the drawings, identical reference numbers designate identical or similar elements.
-
FIG. 1 is a block diagram illustrating an exemplary intrusion detection system implemented in an example of a computer, according to one embodiment. -
FIG. 2 is a flowchart illustrating an example of a process for defining normal system-call behavior under training conditions, using the intrusion detection system ofFIG. 1 . -
FIG. 3 is a flowchart illustrating an example of a process for detecting intrusion attempts by monitoring system-call behavior, using the intrusion detection system ofFIG. 1 . - A system and method for kernel-based intrusion detection using Bloom filters are disclosed. More specifically, the disclosed system and method (collectively the “intrusion detection system”) use Bloom filters to detect intrusions (e.g., attacks from external sources) into computers or networks by monitoring the behavior of computer programs and comparing the monitored actual behavior with predefined Bloom filter data to identify any anomalous behavior that may indicate an intrusion attempt. The predefined Bloom filter data is representative of “normal” computer program behavior, which refers to behavior that is expected during operation of the computer programs when not subject to intrusion attempts.
- The intrusion detection system may monitor behavior of a computer program by tracking system calls or system-call sequences (collectively “system-call behavior”) initiated by the computer program. As mentioned above, system calls refer to mechanisms used by computer programs to request service from the operating system (“OS”) of a computer. First, normal (i.e., expected) system-call behavior is defined by monitoring system-call behavior during operation of the computer program under training conditions (e.g., when the computer program is not subject to intrusion attacks). The intrusion detection system then uses a Bloom filter to generate a Bloom filter data object containing data representative of the normal system-call behavior. The generation of the Bloom filter data object will be described in detail further below.
- When the computer program is invoked under “real” (i.e., actual) circumstances, meaning the program may be subject to intrusion attempts, the Bloom filter data object is embedded in the OS kernel of the computer and used to identify any anomalous behavior of the computer program. More specifically, the intrusion detection system is able to compare actual system-call behavior with the data in the Bloom filter data object. Anomalous behavior is identified when the actual system-call behavior does not have a match in the Bloom filter data object. The intrusion detection system may respond to a detection of anomalous behavior in a wide variety of ways, including issuing an alert.
- By using a Bloom filter to represent predefined normal behavior of a computer program, the intrusion detection system is able to detect anomalous behavior in real time. More specifically, the Bloom filter provides a mechanism for compactly storing data in a structure that is small enough to be practicably embedded in the OS kernel. By embedding the Bloom filter data object in the OS kernel, the intrusion detection system is able to compare actual program behavior monitored in the OS kernel with predefined normal program behavior, without having to access data outside of the OS kernel. This allows comparisons to be performed at the operating system level of a computer in real time. The intrusion detection system is therefore not hindered by delays associated with identifying and accessing databases outside of the operating system.
-
FIG. 1 is a block diagram illustrating an example of anintrusion detection system 100 implemented in anexemplary computer 110. As shown inFIG. 1 , thecomputer 110 includes an operating system (“OS”)kernel 120 configured to interfacecomputer programs 130 with sharedresources 140. Theintrusion detection system 100 includes amonitoring subsystem 150, abuild subsystem 160, and areport subsystem 170 configured to interact with theOS kernel 120. Theintrusion detection system 100 further includes aBloom filter 175 accessible to thebuild subsystem 160 and themonitoring subsystem 150. Further, a Bloom filter data object 180 may be embedded in theOS kernel 120 as shown inFIG. 1 . Each of the components shown inFIG. 1 will now be described in detail. - While an exemplary implementation of the
intrusion detection system 100 is shown inFIG. 1 , those skilled in the art will recognize that the exemplary components illustrated in the Figure are for purposes of illustration and are not intended to be limiting. Indeed, those skilled in the art will recognize that other alternative hardware environments may be used in other embodiments. For example, theintrusion detection system 100 may be implemented in a distributed fashion over a network of computing devices. - A. Computer
- As shown in
FIG. 1 , thecomputer 110 may include theintrusion detection system 100,computer programs 130, and sharedresources 140. TheOS kernel 120 may be part of an operating system (not shown) operating on thecomputer 110. Thecomputer 110 is meant to be defined broadly as any computing device or combination of computing devices. Thecomputer 110 may include one or more general purpose computers capable of running a wide variety of different software applications or one or more specialized devices limited to particular functions. Thecomputer 110 may include a networking device or combination of networking devices including, but in no way limited to, a router, server, switch, and gateway. Thecomputer 110 may include any type, number, form, or configuration of processors, memory, memory management units, buses, computer-readable mediums, peripheral devices, operating systems, andOS kernels 120. Thecomputer 110 may also include bio-computers or other intelligent devices (e.g., artificially intelligent device). In many embodiments, thecomputer 110 is in the form of one or more network servers. - B. Shared Resources
- The shared
resources 140 refer to any resources of thecomputer 110 that may be shared betweendifferent computer programs 130 and/or different users. For example, sharedresources 140 may include, but are not limited to, processors, memory, memory management units, hardware components, buses, input and output ports, input and output devices, peripherals, display devices, communication ports, network interfaces, and the like. As known to those skilled in the art, allocation of the sharedresources 140 betweendifferent computer programs 130 and users may be controlled by theOS kernel 120. - C. Computer Programs
-
Computer programs 130 refer to any set or sets of instructions capable of being executed by thecomputer 110. Thecomputer programs 130 typically include predefined sets of instructions (e.g., executable images) that determine specific actions to be performed by thecomputer 110 when one or more of thecomputer programs 130 are executed by thecomputer 110. Thecomputer programs 130 may include, but are not limited to, application programs, system programs, network server programs, and any programs having set-user-ID (“SUID”) privileges, which will be understood by those skilled in the art. - D. OS Kernel
- As known to those skilled in the art, the operating system (“OS”)
kernel 120 is typically the core part of an operating system (not shown) of acomputer 110. TheOS kernel 120 is generally loaded into main memory (not shown) whenever the operating system of thecomputer 110 is operating. As will be understood by those skilled in the art, theOS kernel 120 is configured to control essential and privileged services generally provided by the operating system of thecomputer 110, including communicating with sharedresources 140 such as hardware components. - In particular, the
OS kernel 120 is configured to interface thecomputer programs 130 with the sharedresources 140. As anyparticular computer program 130 is invoked for execution by thecomputer 110, thecomputer program 130 is typically loaded into the main memory of thecomputer 110. As thecomputer program 130 is executed, system calls are initiated in accordance with the set of instructions defined by thecomputer program 130. As known to those skilled in the art, system calls refer to mechanisms used bycomputer programs 130 to request service from the operating system of thecomputer 110. TheOS kernel 120 receives system calls and responds by invoking low-level operating system (“OS”) routines that allow the operating system to perform restricted actions such as accessing the sharedresources 140. Accordingly, theOS kernel 120 is able to allocate and control the sharedresources 140 of thecomputer 120 to fulfill requests (e.g., system calls) initiated bycomputer programs 130. Because theOS kernel 120 responds to system calls, it is convenient to monitor the system calls at theOS kernel 120. - E. Intrusion Detection System
- The
intrusion detection system 100 may include one or more sets of instructions (e.g., software processes) embodied or otherwise carried on a medium that can be read by thecomputer 110. The medium carrying the instructions of theintrusion detection system 100 can be part of or otherwise communicatively coupled to thecomputer 110 and can include any suitable form of computer-readable medium or media. In preferred embodiments, the instructions are embodied within an operating system (not shown) of thecomputer 110. By being embodied within the operating system, theintrusion detection system 100 reduces delays associated with monitoring system calls in theOS kernel 120 because processing can be performed within the operating system. In some embodiments, theintrusion detection system 100 may be embodied within theOS kernel 120 to reduce delays even further. However, in alternative embodiments, theintrusion detection system 100 may be embodied outside of the operating system and loaded into main memory during execution. - As mentioned above, the
intrusion detection system 110 is able to monitor behavior ofcomputer programs 130 by tracking system-call behavior in theOS kernel 120. From the monitored system-call behavior, theintrusion detection system 110 is able to identify potential intrusion attacks that have caused anomalous system-call behavior to occur. Exemplary functionalities of theintrusion detection system 100 will now be described in greater detail with reference to themonitoring subsystem 150, thebuild subsystem 160, theBloom filter 175, and thereport subsystem 170. - 1. Monitoring Subsystem
- The
monitoring subsystem 150 is configured to monitor behavior of thecomputer programs 130. Any observable indicators of program behavior may be tracked by themonitoring subsystem 150. In preferred embodiments, themonitoring subsystem 150 is configured to monitor system calls occurring in theOS kernel 120. The system calls can be associated with their initiating computer program(s) 130. A rolling log of system calls may be maintained. - In many embodiments, the
monitoring subsystem 150 may use the rolling log of system calls to monitor system-call sequences occurring in theOS kernel 120. The size (“k”) of the system-call sequences may be any suitable predetermined number of system calls. The sequence size may be application specific and may be selected to optimize intrusion detection for any specific application of theintrusion detection system 100. - To illustrate the monitoring of system-call sequences, consider an exemplary trace of system calls contained in a rolling log of system calls. If the trace includes the system calls “open, read, mmap, mmap, open,” a window of predetermined size k may be slid across the trace to determine each k-size sequence present in the trace. For example, if it is assumed that k=3, the following sequences are contained in the trace: “open, read, mmap,” “read, mmap, mmap,” and “mmap, mmap, open.” Such sequences may be monitored and used to determine whether a potential intrusion has occurred.
- More specifically, the
monitoring subsystem 150 may monitor system-call sequences and compare the monitored sequences with predefined normal system-call sequences to determine whether an anomalous sequence of system calls has occurred in theOS kernel 120, as mentioned above. For example, during operation of aparticular computer program 130, themonitoring subsystem 150 may observe a system-call sequence of “read, mmap, read.” Themonitoring subsystem 150 may then compare this system-call sequence with the predefined normal system-call sequences. If a match is not found, the observed system-call sequence is determined to be anomalous and may indicate an intrusion attempt. Themonitoring subsystem 150 may use system-call sequences to detect intrusions in accordance with any techniques known to those of ordinary skill in the art. Merely by way of example, themonitoring subsystem 150 may be configured to use any of the known techniques described in “Computer Immunology,” by S. Forrest, S. Hofineyr, and A. Somayaji, Communications of the ACM, Vol. 40, No. 10, pp. 88-96 (1997), the contents of which are hereby incorporated by reference in their entirety. This article is hereinafter referred to as the Forrest article. - As mentioned above, the
monitoring subsystem 150 is able to compare monitored system-call behavior with predefined normal system-call behavior. Normal system-call behavior may be defined by thebuild subsystem 160 and represented in a Bloom filter data object 180, as described below. - 2. Build Subsystem
- The
intrusion detection system 100 is capable of defining what is to be considered normal (i.e., expected) behavior of thecomputer programs 130. As mentioned above, normal behavior (e.g., expected system-call behavior) refers to behavior that is expected to be initiated bycomputer programs 130 when not subject to intrusion attacks. To define normal behavior, aparticular computer program 130 may be invoked and operated under training conditions in order to determine a set of operations initiated by thecomputer program 160. The training conditions may include a configuration in which thecomputer program 130 is isolated from any potential intrusion (e.g., thecomputer 110 may be offline). As thecomputer program 130 is operated under training conditions, themonitoring subsystem 150 is able to monitor the behavior of thecomputer program 130 in any of the ways described above, including monitoring system-call behavior at theOS kernel 120. - The
build subsystem 160 is configured to use the program behavior monitored during training conditions to generate a data profile representative of the observed normal behavior caused by aparticular computer program 130. This may be performed using any technique known to those skilled in the art. For example, thebuild subsystem 160 may form a profile database containing unique system-call sequences of a predetermined size (“k”) (e.g., unique sequences of six system calls) as described in the Forrest article, the contents of which have been incorporated herein by reference in their entirety. Such a profile of system-call sequences defines a set of normal system-call sequences that may be used as a basis of comparison to identify any deviations from the normal sequences. - The
build subsystem 160 is configured to store the generated profiles of normal program behavior (e.g., sets of unique system-call sequences) compactly by using theBloom filter 175. As known to those skilled in the art,Bloom filters 175 include data structures that are well-suited for compactly storing data for use in membership tests. In particular, thebuild subsystem 160 may use theBloom filter 175 to generate a particular Bloom filter data object 180 from a profile of normal program behavior. Accordingly, the generated Bloom filter data object 180 will contain data representative of the normal behavior expected of aparticular computer program 130. - The
build subsystem 160 may generate Bloom filter data objects 180 using any technique known to those skilled in the art. Merely by way of example, thebuild subsystem 160 may utilizeBloom filters 175 utilizing a known technique as described in “Single-Packet IP Traceback,” by A. Snoeren et al., IEEE/ACM Transactions on Networking (TON), Vol. 10, No. 6, pp. 721-734 (2002), the contents of which are hereby incorporated by reference in their entirety. This article will hereinafter be referred to as the Snoeren article. Using the technique described in the Snoeren article, thebuild subsystem 160 is able to encode each unique system-call sequence associated with expected operation of acomputer program 130 into a particular Bloom filter data object 180, which may be in the form of a bit vector. TheBloom filter 175 and the generation of the Bloom filter data object 180 will be described in detail below. - With the
Bloom filter 175, thebuild subsystem 160 is able to compactly store data representative of predefined normal program behavior. The compactness of the data allows theintrusion detection system 100 to detect intrusions in real time by embedding the compact Bloom filter data object 180 in the OS kernel, where system-call behavior can be tracked and compared with the data in the Bloom filter data object 180 without having to communicate outside of the operating system level of thecomputer 110. - The
build subsystem 160 may be configured to associate a generated Bloom filter data object 180 to itscorresponding computer program 130. In particular, thebuild subsystem 160 may cause the Bloom filter data object 180 to be appended to the executable image of thecomputer program 130 in a manner that will cause the Bloom filter data object 180 to be automatically embedded in theOS kernel 120 upon invocation of thecomputer program 130. Thecomputer program 130 may be assigned an identifier, which is designed to indicate to the operating system of thecomputer 110 that monitoring of the behavior of thecomputer program 130 should be initiated. Upon thecomputer program 130 being invoked for operation, the identifier is recognized, and the appended Bloom filter data object 180 is automatically loaded in theOS kernel 120 for use in the monitoring of the behavior of thecomputer program 130. - The
intrusion detection system 100 may be configured to automatically generate Bloom filter data objects 180 forcomputer programs 130 and then automatically use the Bloom filter data objects 180 to monitor system-call behavior in theOS kernel 120, thereby allowing intrusions to be detected in real time. - 3. Bloom Filter
- Examples of
Bloom filters 175, Bloom filter data objects 180, and associated trade-offs between speed and accuracy of the Bloom filters 175 will now be described in detail. TheBloom filter 175 may be in the form of any known Bloom filter. As known to those skilled in the art, theBloom filter 175 generally consists of two components: a set of hash functions and a bit vector (e.g., the Bloom filter data object 180) of a given length. The length of the bit vector and the number of hash functions (“h”) may be pre-selected depending on speed and memory constraints, as well as the tolerable error rate, of an application. - Any suitable number h of independent and uniform hash functions may be employed to encode predetermined unique system-call sequences into the bit vector. The
build subsystem 160 may employ any such suitable known hash functions. Using the hash functions, thebuild subsystem 160 computes a predetermined number of distinct values for each system-call sequence, and uses these values to index the bit vector. The indexed bits of the bit vector are set to a value of one to represent the encoded system-call sequence. The hash functions are also used to index the bit vector to search for a match to a particular piece of input data, such as a monitored system-call sequence. Preferably, high-quality hash functions are used in theBloom filter 175 to help guarantee that output is equally distributed over all possible values in the bit vector, which helps to minimize the occurrence of false positives. False positives will be described in more detail below. - In general, while a large bit vector generally requires more memory than a small bit vector, a large bit vector tends to produce lower error rates. Accordingly, it should be understood that the Bloom filter data object 180 is not limited to any particular type or size of data structure and may be configured based on application-specific requirements or preferences. The
build subsystem 160 may be configured to generate a Bloom filter data object 180 of any suitable size, including small sizes such as approximately two kilobytes (“2 KB”) or three kilobytes (“3 KB”). The Bloom filter data object 180 may be in the form of a bit vector or bitmap data object. - To illustrate the trade-off that exists between the pre-selected size of the Bloom filter data object 180 and the resultant error rate, it is helpful to understand that the compactness of
Bloom filters 175 comes from throwing data away to represent the data in a compressed format. The compression of the data creates the possibility that false positives will occur when the Bloom filter data object 180 is searched for a match to a specific piece of input data. False positives refer to occurrences in which aBloom filter 175 reports the existence of a match when in fact no such match is actually contained in the Bloom filter data object 180. As known to those skilled in the art, one feature ofBloom filters 175 is the ability to be configured to have a specific probability (“P”) of a false positive occurring. - The probability P of a false positive is generally based on the size of the bit vector, the number and quality of hash functions, and the amount of input provided to the
Bloom filter 175. For example, if it is assumed that one-thousand-twenty-four (1,024) sextuples of unique system-call sequences (i.e., sequences of six system calls) will be hashed to a 2 KB bit vector, the false positive probability P can be computed as a function of the number of hash functions h. A 2 KB bit vector includes sixteen-thousand bits (“16 Kb”), meaning that about h/16 of the bits of the bit vector has a value of one (“1”). The bits having values of one represent the one-thousand-twenty-four (1,024) sextuples. The probability P of a false positive may then be computed according to the following equation: -
- The number of hash functions h may be varied to produce different false positive probabilities P. For example, four hash functions produces a probability P of
-
- or 1/256, five hash functions produces a probability P of 1/335, six hash functions produces a probability P of 1/360 and seven hash functions produces a probability P of 1/326.
- The probability P of false positives may be reduced by increasing the size of the bit vector. For example, if it is assumed that one-thousand-twenty-four (1,024) sextuples of unique system-call sequences will be hashed to a 3 KB bit vector, the probability P of false positives may be computed according to the following equation:
-
- Again, the number of hash functions h may be varied to produce different false positive probabilities P. For example, three hash functions produces a probability P of 1/512 four hash functions produces a probability P of 1/1296, five hash functions produces a probability P of 1/2548, six hash functions produces a probability P of 1/4096, and ten hash functions produces a probability P of 1/6819. Thus, for some applications, it may be desirable to use a 3 KB bit vector instead of a 2 KB bit vector in order to decrease the chances of experiencing false positives.
- While the use of
Bloom filters 175 may introduce a possibility of false positives, this may be outweighed in many applications by the increases in processing speed that result from being able to detect intrusions at the operating system level of thecomputer 110. The amount of available main memory on a computer is crucial because it determines howmany computer programs 130 can be executed at one time and how much data can be readily available to aparticular program 130. However, in many computers, the amount of memory required by a particular Bloom filter data object 180 (e.g., 3 KB) will be a small memory outlay that may easily fit in the process structure of theOS kernel 120, thereby allowing real-time detection of intrusion attacks. - In some network embodiments of the
intrusion detection system 100, the size of the Bloom filter data object 180 may be reduced even further when multiple network devices are configured to work together to identify intrusion attacks. In particular, when several network devices generate separate Bloom filter data objects 180, are monitored together, and are subject only to attacks that affect each of the network devices within a small amount of time, it is likely that at least one of the network devices would detect a false positive that is produced by another device. Thus, the sizes of the Bloom filter data objects 180 may be reduced because the different network devices can work together to identify false positives. - 4. Report Subsystem
- The report subsystem 170 may be configured to respond to a detection of anomalous program behavior. For example, the
monitoring subsystem 150 may notify thereport subsystem 170 of a detection of anomalous program behavior. The report subsystem 170 may respond by issuing an alert indicating that anomalous behavior has been detected. The alert may be issued to a user or operating system of thecomputer 110. Theintrusion detection system 100 may issue an alert and allow execution of detected anomalous behavior to proceed. - In some embodiments, the
report subsystem 170 may be configured to automatically invoke predetermined actions designed to protect thecomputer 110 or to analyze the nature and/or source of the detected intrusion. For example, thereport subsystem 170 may initiate a process for determining a source of an intrusive data packet in accordance with the techniques described in the Snoeren article, the contents of which have been incorporated by reference in their entirety. -
FIG. 2 is a flowchart illustrating an example of a process for defining normal system-call behavior under training conditions. WhileFIG. 2 illustrates exemplary steps according to one embodiment, other embodiments may omit, add to, and/or modify any of the steps shown inFIG. 2 . - The process of
FIG. 2 begins by monitoring behavior of acomputer program 130 under training conditions atstep 210. Step 210 may be performed in any of the ways discussed above, including monitoring system-call behavior at theOS kernel 120 when thecomputer program 130 is not subject to intrusion attacks. - At
step 220, a profile Bloom filter data object 180 is built from the monitored behavior. Step 220 may be performed in any of the ways described above, including using theBloom filter 175 to generate the Bloom filter data object 180, which will contain data representative of predefined normal behavior. In many embodiments, the normal behavior is defined in the form of k-size sequences of system calls. - At
step 230, the generated Bloom filter data object 180 is associated with thecomputer program 130. As discussed above, this may be accomplished by appending the Bloom filter data object 180 to the executable image of thecomputer program 130. In some embodiments,steps 210 through 230 may be performed automatically to generate the Bloom filter data object 180 in an automated fashion, without requiring user intervention. - With the Bloom filter data object 180 being appended to the executable image of the
computer program 130, theintrusion detection system 100 is prepared to detect intrusion attempts by monitoring the behavior of thecomputer program 130 when it is executed.FIG. 3 is a flowchart illustrating an example of a process for detecting intrusion attempts by monitoring system-call behavior. WhileFIG. 3 illustrates exemplary steps according to one embodiment, other embodiments may omit, add to, and/or modify any of the steps shown inFIG. 3 . - The process of
FIG. 3 begins by loading the Bloom filter data object 180 into theOS kernel 120 upon invocation of thecomputer program 130 atstep 310. Step 310 may be performed in any of the ways described above, including recognizing an identifier associated with thecomputer program 130 and loading the Bloom filter data object 180 as part of the executable image of thecomputer program 130. - At
step 320, behavior of the computer program is monitored as it is executed by thecomputer 110. Step 320 may be performed in any of the ways discussed above. For example, themonitoring subsystem 150 may monitor system-call behavior at theOS kernel 120. - At
step 330, the monitored behavior is compared with data in the Bloom filter data object 180. Step 330 may be performed by themonitoring subsystem 150, which may use theBloom filter 175 to search the Bloom filter data object 180 to determine whether a match exists for any particular set of monitored behavior (e.g., a system-call sequence). - At
step 340, an alert is issued in response to a determination that the Bloom filter data object 180 does not contain a match for the monitor behavior. As mentioned above, the alert may be issued to the operating system or user of thecomputer 110. The alert is intended to notify a user or thecomputer 110 of the detection of anomalous behavior being initiated by thecomputer program 110. Any appropriate predefined action may be performed in response to the alert. - In conclusion, the use of one or
more Bloom filters 175 to represent predefined normal computer program behavior enables theintrusion detection system 100 to detect intrusion attempts in real-time. Bloom filter data is stored in a format small enough to be practicably embedded in theOS kernel 120, where computer program behavior is monitored. This allows theintrusion detection system 100 to perform monitoring and detection functions at the operating system level. Accordingly, intrusion detections can be performed quickly, without having to access data outside of the operating system. - The
intrusion detection system 100 may be used to monitor a wide variety of different types ofcomputer programs 130 in different applications. For example, theintrusion detection system 100 may be configured to monitor network server programs. In other embodiments, theintrusion detection system 100 may be configured to detect attempts to “get root” on acomputer 110 that allows users to log in. This can be done by monitoringcomputer programs 130 having a set-user-ID (“SUID”) and being owned by the root. Because checks for anomalous behavior are performed at the operating system level, theintrusion detection system 100 is flexible and may be used to monitor many kinds ofdifferent computer programs 130 from long-lived network server programs to programs providing interactive command features. - The preceding description has been presented only to illustrate and describe embodiments of the invention. It is not intended to be exhaustive or to limit the invention to any precise form disclosed. The invention may be practiced otherwise than is specifically explained and illustrated without departing from its spirit or scope. It is intended that the scope of the invention be defined by the following claims.
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/025,906 US20110179488A1 (en) | 2004-03-25 | 2011-02-11 | Kernal-based intrusion detection using bloom filters |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US55642504P | 2004-03-25 | 2004-03-25 | |
US11/088,151 US7900194B1 (en) | 2004-03-25 | 2005-03-23 | Kernel-based intrusion detection using bloom filters |
US13/025,906 US20110179488A1 (en) | 2004-03-25 | 2011-02-11 | Kernal-based intrusion detection using bloom filters |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/088,151 Continuation US7900194B1 (en) | 2004-03-25 | 2005-03-23 | Kernel-based intrusion detection using bloom filters |
Publications (1)
Publication Number | Publication Date |
---|---|
US20110179488A1 true US20110179488A1 (en) | 2011-07-21 |
Family
ID=43617421
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/088,151 Expired - Fee Related US7900194B1 (en) | 2004-03-25 | 2005-03-23 | Kernel-based intrusion detection using bloom filters |
US13/025,906 Abandoned US20110179488A1 (en) | 2004-03-25 | 2011-02-11 | Kernal-based intrusion detection using bloom filters |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/088,151 Expired - Fee Related US7900194B1 (en) | 2004-03-25 | 2005-03-23 | Kernel-based intrusion detection using bloom filters |
Country Status (1)
Country | Link |
---|---|
US (2) | US7900194B1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120207046A1 (en) * | 2009-09-01 | 2012-08-16 | Nec Europe Ltd. | Method for monitoring a network and network including a monitoring functionality |
US20130254885A1 (en) * | 2012-03-14 | 2013-09-26 | Matthew G. DEVOST | System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity |
US8938805B1 (en) * | 2012-09-24 | 2015-01-20 | Emc Corporation | Detection of tampering with software installed on a processing device |
JP2015132927A (en) * | 2014-01-10 | 2015-07-23 | 日本電気株式会社 | Information processing system, information processing device, monitoring device, monitoring method, and program |
US20160196422A1 (en) * | 2012-12-24 | 2016-07-07 | Grg Banking Equipment Co., Ltd. | Method and apparatus for controlling invoking of hardware instruction |
US20220237284A1 (en) * | 2021-01-27 | 2022-07-28 | Nokia Solutions And Networks Oy | Information security |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8595834B2 (en) * | 2008-02-04 | 2013-11-26 | Samsung Electronics Co., Ltd | Detecting unauthorized use of computing devices based on behavioral patterns |
DE102010006572A1 (en) * | 2010-02-02 | 2011-08-04 | Giesecke & Devrient GmbH, 81677 | Method for executing an application |
US8959577B2 (en) * | 2012-04-13 | 2015-02-17 | Cisco Technology, Inc. | Automatic curation and modification of virtualized computer programs |
US9372989B2 (en) * | 2013-02-15 | 2016-06-21 | Systems of Information Security 2012 | Robust malware detector |
US9424420B2 (en) | 2013-08-02 | 2016-08-23 | Red Hat, Inc. | Restricting application binary interfaces |
CN104252604B (en) * | 2014-09-01 | 2017-04-26 | 苏州锐盾信息科技有限公司 | Database based building block system type dynamic encryption method |
US10659479B2 (en) * | 2015-03-27 | 2020-05-19 | Mcafee, Llc | Determination of sensor usage |
CN105405150B (en) * | 2015-10-21 | 2019-04-30 | 东方网力科技股份有限公司 | Anomaly detection method and device based on fusion feature |
US10241847B2 (en) * | 2016-07-19 | 2019-03-26 | 2236008 Ontario Inc. | Anomaly detection using sequences of system calls |
US10970393B1 (en) * | 2018-12-18 | 2021-04-06 | Altiris, Inc. | Probabilistic set membership using bloom filters |
FR3091106B1 (en) * | 2018-12-20 | 2021-02-12 | Commissariat Energie Atomique | Formal communications supervision system |
CN114244618B (en) * | 2021-12-22 | 2023-11-10 | 北京天融信网络安全技术有限公司 | Abnormal access detection method and device, electronic equipment and storage medium |
Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5634058A (en) * | 1992-06-03 | 1997-05-27 | Sun Microsystems, Inc. | Dynamically configurable kernel |
US5867710A (en) * | 1995-09-05 | 1999-02-02 | Motorola, Inc. | Portable microkernel operating system verification and testing |
US20020138755A1 (en) * | 2001-02-06 | 2002-09-26 | Ko Cheuk W. | Automatically generating valid behavior specifications for intrusion detection |
US6463583B1 (en) * | 1999-04-08 | 2002-10-08 | Novadigm, Inc. | Dynamic injection of execution logic into main dynamic link library function of the original kernel of a windowed operating system |
US20040054924A1 (en) * | 2002-09-03 | 2004-03-18 | Chuah Mooi Choo | Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks |
US20040243828A1 (en) * | 2003-05-30 | 2004-12-02 | Aguilera Marcos K. | Method and system for securing block-based storage with capability data |
US20040255032A1 (en) * | 2003-06-13 | 2004-12-16 | Danieli Damon V. | Limiting interaction between parties in a networked session |
US20050022009A1 (en) * | 2003-06-05 | 2005-01-27 | Aguilera Macros K. | System and method for preventing replay attacks |
US20050081220A1 (en) * | 2003-09-26 | 2005-04-14 | Victor Yodaiken | Systems and methods for dynamically linking application software into a running operating system kernel |
US20050114687A1 (en) * | 2003-11-21 | 2005-05-26 | Zimmer Vincent J. | Methods and apparatus to provide protection for firmware resources |
US20050132179A1 (en) * | 2003-12-16 | 2005-06-16 | Microsoft Corporation | Applying custom software image updates to non-volatile storage in a failsafe manner |
US20050229254A1 (en) * | 2004-04-08 | 2005-10-13 | Sumeet Singh | Detecting public network attacks using signatures and fast content analysis |
US7024694B1 (en) * | 2000-06-13 | 2006-04-04 | Mcafee, Inc. | Method and apparatus for content-based instrusion detection using an agile kernel-based auditor |
US7162741B2 (en) * | 2001-07-30 | 2007-01-09 | The Trustees Of Columbia University In The City Of New York | System and methods for intrusion detection with dynamic window sizes |
US7222366B2 (en) * | 2002-01-28 | 2007-05-22 | International Business Machines Corporation | Intrusion event filtering |
US20080016568A1 (en) * | 2004-01-13 | 2008-01-17 | Peter Szor | Refining Behavioral Detections for Early Blocking of Malicious Code |
US7568197B1 (en) * | 2004-03-12 | 2009-07-28 | Sun Microsystems, Inc. | Method and apparatus for interposing kernel symbols |
US8374986B2 (en) * | 2008-05-15 | 2013-02-12 | Exegy Incorporated | Method and system for accelerated stream processing |
US8516455B2 (en) * | 2011-06-14 | 2013-08-20 | International Business Machines Corporation | Dynamic loading of kernel extensions |
-
2005
- 2005-03-23 US US11/088,151 patent/US7900194B1/en not_active Expired - Fee Related
-
2011
- 2011-02-11 US US13/025,906 patent/US20110179488A1/en not_active Abandoned
Patent Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5634058A (en) * | 1992-06-03 | 1997-05-27 | Sun Microsystems, Inc. | Dynamically configurable kernel |
US5867710A (en) * | 1995-09-05 | 1999-02-02 | Motorola, Inc. | Portable microkernel operating system verification and testing |
US6463583B1 (en) * | 1999-04-08 | 2002-10-08 | Novadigm, Inc. | Dynamic injection of execution logic into main dynamic link library function of the original kernel of a windowed operating system |
US7024694B1 (en) * | 2000-06-13 | 2006-04-04 | Mcafee, Inc. | Method and apparatus for content-based instrusion detection using an agile kernel-based auditor |
US20020138755A1 (en) * | 2001-02-06 | 2002-09-26 | Ko Cheuk W. | Automatically generating valid behavior specifications for intrusion detection |
US7162741B2 (en) * | 2001-07-30 | 2007-01-09 | The Trustees Of Columbia University In The City Of New York | System and methods for intrusion detection with dynamic window sizes |
US7222366B2 (en) * | 2002-01-28 | 2007-05-22 | International Business Machines Corporation | Intrusion event filtering |
US20040054924A1 (en) * | 2002-09-03 | 2004-03-18 | Chuah Mooi Choo | Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks |
US20040243828A1 (en) * | 2003-05-30 | 2004-12-02 | Aguilera Marcos K. | Method and system for securing block-based storage with capability data |
US20050022009A1 (en) * | 2003-06-05 | 2005-01-27 | Aguilera Macros K. | System and method for preventing replay attacks |
US20040255032A1 (en) * | 2003-06-13 | 2004-12-16 | Danieli Damon V. | Limiting interaction between parties in a networked session |
US20050081220A1 (en) * | 2003-09-26 | 2005-04-14 | Victor Yodaiken | Systems and methods for dynamically linking application software into a running operating system kernel |
US20050114687A1 (en) * | 2003-11-21 | 2005-05-26 | Zimmer Vincent J. | Methods and apparatus to provide protection for firmware resources |
US20050132179A1 (en) * | 2003-12-16 | 2005-06-16 | Microsoft Corporation | Applying custom software image updates to non-volatile storage in a failsafe manner |
US20080016568A1 (en) * | 2004-01-13 | 2008-01-17 | Peter Szor | Refining Behavioral Detections for Early Blocking of Malicious Code |
US7568197B1 (en) * | 2004-03-12 | 2009-07-28 | Sun Microsystems, Inc. | Method and apparatus for interposing kernel symbols |
US20050229254A1 (en) * | 2004-04-08 | 2005-10-13 | Sumeet Singh | Detecting public network attacks using signatures and fast content analysis |
US8374986B2 (en) * | 2008-05-15 | 2013-02-12 | Exegy Incorporated | Method and system for accelerated stream processing |
US8516455B2 (en) * | 2011-06-14 | 2013-08-20 | International Business Machines Corporation | Dynamic loading of kernel extensions |
Non-Patent Citations (1)
Title |
---|
Microsoft Press, "Microsoft® Compuer Dictionary", March 15, 2002 page 363 [online] [retrieved on 2013-09-16]. Retrieved from <http://techbus.safaribooksonline.com/0735614954/ch11X2ludGVybmFsX0J2ZGVwRmxhc2hSZWFkZXI/eG1saWQ9MDczNTYxNDk1NC8zNjM=> * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120207046A1 (en) * | 2009-09-01 | 2012-08-16 | Nec Europe Ltd. | Method for monitoring a network and network including a monitoring functionality |
US8953472B2 (en) * | 2009-09-01 | 2015-02-10 | Nec Europe Ltd. | Method for monitoring a network and network including a monitoring functionality |
US20130254885A1 (en) * | 2012-03-14 | 2013-09-26 | Matthew G. DEVOST | System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity |
US9117076B2 (en) * | 2012-03-14 | 2015-08-25 | Wintermute, Llc | System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity |
US8938805B1 (en) * | 2012-09-24 | 2015-01-20 | Emc Corporation | Detection of tampering with software installed on a processing device |
US20160196422A1 (en) * | 2012-12-24 | 2016-07-07 | Grg Banking Equipment Co., Ltd. | Method and apparatus for controlling invoking of hardware instruction |
JP2015132927A (en) * | 2014-01-10 | 2015-07-23 | 日本電気株式会社 | Information processing system, information processing device, monitoring device, monitoring method, and program |
US10282239B2 (en) | 2014-01-10 | 2019-05-07 | Nec Corporation | Monitoring method |
US20220237284A1 (en) * | 2021-01-27 | 2022-07-28 | Nokia Solutions And Networks Oy | Information security |
EP4036740A1 (en) * | 2021-01-27 | 2022-08-03 | Nokia Solutions and Networks Oy | Information security |
Also Published As
Publication number | Publication date |
---|---|
US7900194B1 (en) | 2011-03-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7900194B1 (en) | Kernel-based intrusion detection using bloom filters | |
US6134664A (en) | Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources | |
CN111274583A (en) | Big data computer network safety protection device and control method thereof | |
US20160019388A1 (en) | Event correlation based on confidence factor | |
US20140310808A1 (en) | Detection of Stealthy Malware Activities with Traffic Causality and Scalable Triggering Relation Discovery | |
CN112602081A (en) | Enhancing network security and operational monitoring with alarm confidence assignment | |
TWI703454B (en) | Method and device for determining data abnormality | |
US8527760B2 (en) | Determining trust data for devices in a network | |
EP3272097B1 (en) | Forensic analysis | |
CN112385196A (en) | System and method for reporting computer security incidents | |
US11451563B2 (en) | Dynamic detection of HTTP-based DDoS attacks using estimated cardinality | |
US20210367958A1 (en) | Autonomic incident response system | |
CN113132393A (en) | Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium | |
KR102311997B1 (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis | |
Sallay et al. | Intrusion detection alert management for high‐speed networks: current researches and applications | |
CN110955890B (en) | Method and device for detecting malicious batch access behaviors and computer storage medium | |
EP4111660A1 (en) | Cyberattack identification in a network environment | |
US20230385342A1 (en) | Automatic Incident Dispatcher | |
CN112769815B (en) | Intelligent industrial control safety monitoring and protecting method and system | |
CN114900375A (en) | Malicious threat detection method based on AI graph analysis | |
US20220006832A1 (en) | System and method for automatic forensic investigation | |
US11126713B2 (en) | Detecting directory reconnaissance in a directory service | |
CN114707144A (en) | Virtual machine escape behavior detection method and device | |
US11184369B2 (en) | Malicious relay and jump-system detection using behavioral indicators of actors | |
Baich et al. | Machine Learning for IoT based networks intrusion detection: a comparative study |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: BBNT SOLUTIONS LLC, MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MANKINS, DAVID P.;REEL/FRAME:029224/0041 Effective date: 20050322 Owner name: VERIZON CORPORATE SERVICES GROUP INC., NEW YORK Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MANKINS, DAVID P.;REEL/FRAME:029224/0041 Effective date: 20050322 Owner name: BBN TECHNOLOGIES OPERATING CORP., MASSACHUSETTS Free format text: MERGER;ASSIGNOR:BBNT SOLUTIONS LLC;REEL/FRAME:029224/0095 Effective date: 20051122 Owner name: BBN TECHNOLOGIES CORP., MASSACHUSETTS Free format text: CHANGE OF NAME;ASSIGNOR:BBN TECHNOLOGIES OPERATING CORP.;REEL/FRAME:029228/0302 Effective date: 20051201 Owner name: RAYTHEON BBN TECHNOLOGIES CORP., MASSACHUSETTS Free format text: CHANGE OF NAME;ASSIGNOR:BBN TECHNOLOGIES CORP.;REEL/FRAME:029228/0342 Effective date: 20091027 |
|
AS | Assignment |
Owner name: VERIZON PATENT AND LICENSING INC., NEW JERSEY Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:VERIZON CORPORATE SERVICES GROUP INC.;REEL/FRAME:033421/0403 Effective date: 20140409 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |