Kernal-based intrusion detection using bloom filters

Abstract

Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments for detecting an intrusion attack, a Bloom filter is provided and used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object.

Description

RELATED APPLICATION[0001]This application claims priority under 35 U.S.C. §119(e) to U.S. Provisional Patent Application Ser. No. 60 / 556,425, by David P. Mankins, filed on Mar. 25, 2004, and entitled KERNEL-BASED COMPUTER IMMUNOLOGY WITH BLOOM FILTERS, the contents of which are hereby incorporated by reference in their entirety.FIELD[0002]Kernel-based intrusion detection using Bloom filters is disclosed.BACKGROUND OF THE INVENTION[0003]Today, many network infrastructures (e.g., the Internet) are vulnerable to attack. Indeed, attackers have access to a wide range of tools capable of degrading network performance or disabling network resources. Even a single well-targeted data packet may be sufficient to cause an operating system of a network device to crash. Moreover, network devices continue to become more vulnerable to attack as standardized protocols are adopted and implemented.[0004]Because vulnerability to attack is a significant concern to network communities, many techniques h...

AI Technical Summary

Benefits of technology

[0009]Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments, a Bloom filter is used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object. The comparisons facilitate real-time detection of actual system-call behavior that deviates from the expected system-call behavior and that may be indicative of intrusion attacks.

Problems solved by technology

Today, many network infrastructures (e.g., the Internet) are vulnerable to attack.

Even a single well-targeted data packet may be sufficient to cause an operating system of a network device to crash.

Moreover, network devices continue to become more vulnerable to attack as standardized protocols are adopted and implemented.

However, if a monitored system-call sequence is not found in the profile database, operation is considered to be anomalous, which may indicate an intrusion attempt.

Unfortunately, several shortcomings are apparent in existing system-call-based intrusion detection techniques.

For example, significant delays are inherent in these techniques and may make them impracticable for use with complex computer programs that are processed at high speeds.

In particular, it takes time to compare system calls tracked in the OS kernel with data of a profile database stored outside of the OS because communications must be sent back and forth between the OS kernel and the profile database.

Moreover, additional delays are introduced by the amount of time required to identify and access the appropriate profile database associated with a particular computer program.

Even additional time is required for searching the database, especially when the database is of large size due to the complexity of the particular computer program being monitored.

These and other delays tend to render conventional intrusion detection techniques impracticable for many applications, especially applications in which complex programs operate at high processing speeds or when the detection of intrusion attempts is time sensitive.

Images