
US 20040024864A1

(19) United States

(12) Patent Application Publication (10) Pub. No.: US 2004/0024864 A1

Porras et al. (43) Pub. Date: Feb. 5, 2004

(54) USER, PROCESS, AND APPLICATION TRACKING IN AN INTRUSION DETECTION SYSTEM

(76) Inventors: Phillip Andrew Porras, Cupertino, CA (US); Martin Wayne Fong, San Francisco, CA (US)

Correspondence Address:
MOSER PATTERSON & SHERIDAN LLP
595 SHREWSBURY AVENUE-SUITE 100
SHREWSBURY, NJ 07702 (US)

(21) Appl. No.: 10/209,596

(22) Filed: Jul. 31, 2002

Publication Classification

(51) Int. Cl.7 G06F 15/173

(52) U.S. Cl. 709/224; 713/201

(57) ABSTRACT

Preferred embodiments combine audit records with other relevant information to identify and track the users, processes or applications responsible for an attack. Information that identifies a user, process, or application may be associated with subsequent audit records related to the user or process session; this information may also be associated with IDS alerts related to the session. By reliably identifying the source of user and process sessions, the preferred embodiments make it possible to selectively target the sessions and applications that are related to an intrusion or attack.


Receive audit records and other information that may be useful in detecting or tracking suspicious activity

Associate the audit records with other relevant information

Provide the audit records and associated information to an analysis engine

Obtain the IP address of the source of a user or process session

Associate the source's IP address with an identifier of the session so that the source may be tracked
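
The steps above, sketched in Python as an added example that is not part of the patent publication: a session's source IP is bound to its session identifier when the session starts, and every later audit record and alert for that session carries it. The record fields, event names, watch list, and the `SessionTracker` and `analyze` names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample audit records (not from the patent). Each carries an
# event type, a session id, and event-specific fields.
SAMPLE_RECORDS = [
    {"event": "session_start", "session": 101, "user": "alice", "src_ip": "192.0.2.10"},
    {"event": "exec", "session": 101, "pid": 4001, "path": "/bin/sh"},
    {"event": "session_start", "session": 102, "user": "bob", "src_ip": "198.51.100.7"},
    {"event": "file_write", "session": 101, "pid": 4001, "path": "/etc/passwd"},
    {"event": "file_write", "session": 999, "pid": 77, "path": "/etc/shadow"},
    {"event": "session_end", "session": 102},
    {"event": "exec", "session": 102, "pid": 4100, "path": "/usr/bin/id"},
]

SENSITIVE = {"/etc/passwd", "/etc/shadow"}  # hypothetical watch list


@dataclass
class SessionTracker:
    origins: dict = field(default_factory=dict)  # session id -> (user, src_ip)

    def annotate(self, rec):
        """Return a copy of rec with the session's origin attached."""
        sid = rec["session"]
        if rec["event"] == "session_start":
            self.origins[sid] = (rec["user"], rec["src_ip"])
        # (None, None) means the session's start was never observed.
        user, ip = self.origins.get(sid, (None, None))
        out = dict(rec, origin_user=user, origin_ip=ip)
        if rec["event"] == "session_end":
            self.origins.pop(sid, None)  # a reused session id must not inherit this origin
        return out


def analyze(records):
    """Stand-in analysis engine: alert on writes to watched paths."""
    tracker, alerts = SessionTracker(), []
    for rec in records:
        enriched = tracker.annotate(rec)
        if enriched["event"] == "file_write" and enriched["path"] in SENSITIVE:
            alerts.append({"path": enriched["path"],
                           "session": enriched["session"],
                           "origin_user": enriched["origin_user"],
                           "origin_ip": enriched["origin_ip"]})
    return alerts
```

An alert whose `origin_ip` is `None` marks a session whose start was never seen, which an analyst would treat as a gap in audit coverage.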
