Kernel-based intrusion detection using Bloom filters

A Bloom filter and intrusion detection technology, applied in the field of kernel-based intrusion detection using Bloom filters, can solve the problems of network infrastructures that are vulnerable to attack, network devices that are becoming more vulnerable to attack, and network devices that are easily damaged, and achieves the effect of facilitating real-time detection.

Status: Inactive. Publication Date: 2011-07-21
Assignee: VERIZON PATENT & LICENSING INC +1

AI Technical Summary

Benefits of technology

[0009]Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments, a Bloom filter is used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object. The comparisons facilitate real-time detection of actual system-call behavior that deviates from the expected system-call behavior and that may be indicative of intrusion attacks.

Problems solved by technology

Today, many network infrastructures (e.g., the Internet) are vulnerable to attack. Even a single well-targeted data packet may be sufficient to cause an operating system of a network device to crash. Moreover, network devices continue to become more vulnerable to attack as standardized protocols are adopted and implemented.

However, if a monitored system-call sequence is not found in the profile database, operation is considered to be anomalous, which may indicate an intrusion attempt.

Unfortunately, several shortcomings are apparent in existing system-call-based intrusion detection techniques. For example, significant delays are inherent in these techniques and may make them impracticable for use with complex computer programs that are processed at high speeds. In particular, it takes time to compare system calls tracked in the OS kernel with data of a profile database stored outside of the OS, because communications must be sent back and forth between the OS kernel and the profile database. Moreover, additional delays are introduced by the time required to identify and access the appropriate profile database associated with a particular computer program. Still more time is required to search the database, especially when the database is large because of the complexity of the particular computer program being monitored. These and other delays tend to render conventional intrusion detection techniques impracticable for many applications, especially those in which complex programs operate at high processing speeds or in which the detection of intrusion attempts is time sensitive.



Embodiment Construction

I. Overview

[0016]A system and method for kernel-based intrusion detection using Bloom filters are disclosed. More specifically, the disclosed system and method (collectively the “intrusion detection system”) use Bloom filters to detect intrusions (e.g., attacks from external sources) into computers or networks by monitoring the behavior of computer programs and comparing the monitored actual behavior with predefined Bloom filter data to identify any anomalous behavior that may indicate an intrusion attempt. The predefined Bloom filter data is representative of “normal” computer program behavior, which refers to behavior that is expected during operation of the computer programs when not subject to intrusion attempts.

[0017]The intrusion detection system may monitor behavior of a computer program by tracking system calls or system-call sequences (collectively “system-call behavior”) initiated by the computer program. As mentioned above, system calls refer to mechanisms used by compute...
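To make the mechanism described in the summary and overview concrete, the following is an added example (not code from the patent or its assignee): a Bloom filter built over fixed-length windows of system-call numbers from a "normal" trace, then checked against a live trace. The hash construction, window length, filter size and the two traces are assumptions made here for illustration; the patent prescribes none of them.

```python
"""Bloom-filter profile of expected system-call n-grams (added example)."""
import hashlib
from typing import Iterator, List, Sequence, Tuple


class SyscallBloomProfile:
    """Bloom filter over sliding windows of syscall numbers.

    In the patented design the bit array is what would be embedded in the
    kernel at program invocation, so each check is a few bit tests and no
    round trip to an external profile database.
    """

    def __init__(self, n_bits: int = 8192, n_hashes: int = 4, window: int = 3):
        self.n_bits, self.n_hashes, self.window = n_bits, n_hashes, window
        self.bits = bytearray(n_bits // 8)

    def _positions(self, ngram: Tuple[int, ...]) -> List[int]:
        # Carve n_hashes bit positions out of one SHA-256 digest of the
        # window (assumption: the patent does not prescribe a hash).
        digest = hashlib.sha256(",".join(map(str, ngram)).encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.n_bits
                for i in range(self.n_hashes)]

    def _windows(self, trace: Sequence[int]) -> Iterator[Tuple[int, ...]]:
        for i in range(len(trace) - self.window + 1):
            yield tuple(trace[i:i + self.window])

    def train(self, trace: Sequence[int]) -> None:
        """Record every window of a known-good trace in the filter."""
        for ngram in self._windows(trace):
            for pos in self._positions(ngram):
                self.bits[pos >> 3] |= 1 << (pos & 7)

    def contains(self, ngram: Tuple[int, ...]) -> bool:
        """True if the window may be in the profile. A Bloom filter never
        rejects a trained window, so normal behaviour is never flagged; a
        false positive here means an anomalous window slips through, so
        filter size must be chosen against the expected number of windows."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(ngram))

    def check(self, trace: Sequence[int]) -> List[int]:
        """Offsets of windows absent from the profile (candidate anomalies)."""
        return [i for i, ng in enumerate(self._windows(trace)) if not self.contains(ng)]


# Constructed traces using Linux x86-64 syscall numbers (0 read, 1 write,
# 3 close, 59 execve, 257 openat); illustrative, not captured from a system.
NORMAL_TRACE = [257, 0, 0, 1, 3, 257, 0, 1, 3, 257, 0, 0, 1, 3]
SUSPECT_TRACE = [257, 0, 0, 1, 3, 59, 257, 0, 1, 3]  # unexpected execve

if __name__ == "__main__":
    profile = SyscallBloomProfile()
    profile.train(NORMAL_TRACE)
    print("normal trace anomalies:", profile.check(NORMAL_TRACE))    # []
    print("suspect trace anomalies:", profile.check(SUSPECT_TRACE))  # [3, 4, 5]
```

The three flagged offsets are exactly the windows that contain the injected execve; the trained trace produces no alerts because membership tests on a Bloom filter have no false negatives.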


Abstract

Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments for detecting an intrusion attack, a Bloom filter is provided and used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object.

Description

RELATED APPLICATION

[0001] This application claims priority under 35 U.S.C. §119(e) to U.S. Provisional Patent Application Ser. No. 60/556,425, by David P. Mankins, filed on Mar. 25, 2004, and entitled KERNEL-BASED COMPUTER IMMUNOLOGY WITH BLOOM FILTERS, the contents of which are hereby incorporated by reference in their entirety.

FIELD

[0002] Kernel-based intrusion detection using Bloom filters is disclosed.

BACKGROUND OF THE INVENTION

[0003] Today, many network infrastructures (e.g., the Internet) are vulnerable to attack. Indeed, attackers have access to a wide range of tools capable of degrading network performance or disabling network resources. Even a single well-targeted data packet may be sufficient to cause an operating system of a network device to crash. Moreover, network devices continue to become more vulnerable to attack as standardized protocols are adopted and implemented.

[0004] Because vulnerability to attack is a significant concern to network communities, many techniques h...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G06F21/00
CPC: G06F21/552, G06F21/566, G06F21/554
Inventor: MANKINS, DAVID P.
Owner: VERIZON PATENT & LICENSING INC