Abstract:
A method of detecting an intrusion into (or an anomaly in a behavior of) a target software system begins by instrumenting the target software system to generate behavior data representing a current observation or observation aggregate. The method then determines whether the current observation or observation aggregate warrants a second level examination; preferably, this determination is made by processing the current observation or observation aggregate through a first level detection algorithm that provides a first, provisional indication of a possible intrusion. If a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, the method continues by processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite, fine-grained indication of a possible intrusion. The observation aggregates used by the first and second level detection algorithms may be the same or different. The first and second level detection algorithms may be executed in the same or different systems, machines or processors. The target software system operation may be suspended as the current observation or observation aggregate is processed through the one or more second level detection algorithms. A given action (e.g., sending an alert, logging the event, activating a countermeasure, or the like) may be taken if the result of the second level examination indicates a possible intrusion. Multiple algorithms may be executed together within a single examination level, with the individual results then analyzed to obtain a composite result or output indicative of intrusive or anomalous behavior.
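As an added illustration of the two-level scheme in this abstract (not code from the patent), here is a small Python pipeline: a cheap first-level screen over constructed per-window aggregates, and a second level that runs several detectors together on the same aggregate and combines their results into a composite verdict. The field names, thresholds and baseline data are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed telemetry shape: one aggregate per time window, as the
# instrumented target would emit it (field names are assumptions).
@dataclass(frozen=True)
class Observation:
    window: int
    calls: int       # instrumented calls made in the window
    failed: int      # calls that returned an error
    new_paths: int   # file paths never seen in an earlier window

# Constructed benign history used as the baseline for both levels.
BASELINE = [Observation(i, 100 + i, 2, 0) for i in range(20)]

def first_level(obs, history):
    """Cheap, coarse screen: is the failure ratio far above the baseline?
    A True here is only a provisional indication."""
    ratios = [h.failed / h.calls for h in history]
    mu, sigma = mean(ratios), pstdev(ratios) or 1e-9
    return (obs.failed / obs.calls - mu) / sigma > 3.0

def second_level(obs, history):
    """Fine-grained examination: several detectors run on the same aggregate
    and their individual results are combined into a composite verdict."""
    results = {
        "call_burst": obs.calls > 2 * max(h.calls for h in history),
        "novel_paths": obs.new_paths > 0,
        "error_storm": obs.failed > obs.calls / 2,
    }
    results["composite"] = sum(results.values()) >= 2   # majority of detectors
    return results

def examine(stream, history=BASELINE):
    """Two-level pipeline: most windows stop at level one; only suspects pay
    for level two. Returns (window, verdict) for definite indications."""
    alerts = []
    for obs in stream:
        if not first_level(obs, history):
            continue
        verdict = second_level(obs, history)
        if verdict["composite"]:
            alerts.append((obs.window, verdict))
    return alerts

# Constructed stream: a quiet window, a noisy-but-benign one, an intrusive one.
STREAM = [Observation(20, 110, 2, 0),
          Observation(21, 120, 30, 0),
          Observation(22, 300, 200, 5)]
```

Window 21 shows the value of the second level: it trips the provisional screen but none of the fine-grained detectors, so no action is taken.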
Abstract:
A generic instrumentation framework comprises two primary systems: an instrumentation generation system, and a runtime system. The instrumentation generation system creates an instrumentation generator that is specific to the system or subsystem to be instrumented. Preferably, the instrumentation generator is created by an instrumentation generation engine, which receives as input a system descriptor. The system descriptor is a set of metadata that comprise an interface specification. The instrumentation generation engine reads the system descriptor, identifies the target system, and selects an appropriate instrumentation generator. Using the system descriptor, the instrumentation generator then creates an instrumentation “package” comprising the actual instrumentation code itself (an executable) together with an instrumentation descriptor, which describes a set of one or more instrumentation points in the target system. The target system is then available to be instrumented with the instrumentation code. At an appropriate time, such as system start up, a telemetry stream adapter of the runtime system loads in and initiates the instrumentation code. A telemetry stream reader of the runtime system reads telemetry stream data provided by the telemetry stream adapter. The telemetry is then made available to an analysis module, which also receives the instrumentation descriptor to facilitate a forensic analysis of the telemetry.
Abstract:
A system and method for summarizing metric data in a semantically correct way. The system preferably comprises a distributed computing environment, i.e., an enterprise, which comprises a plurality of interconnected computer systems. At least one of the computer systems is an agent computer system which collects raw data relating to one or more metrics, i.e., measurements of system resources on the agent computer system. A Universal Data Repository (UDR) receives a set of data points representing metric data from one or more agent computer systems. The UDR summarizes the set of data points into a more compact yet meaningful form. In summarization, the UDR determines a data type of the set of data points, applies a summarization rule according to the data type, and then creates a summarized data structure which corresponds to the set of data points. The summarization rule varies according to the semantics of the data type. The UDR can summarize both raw data and data that has previously been summarized one or more times. So that the record of a particular process is never totally lost, process state changes are preserved throughout.
Abstract:
A system and method for summarizing metric data with a plurality of levels of varying granularity. The system preferably comprises a distributed computing environment, i.e., an enterprise, which comprises a plurality of interconnected computer systems. At least one of the computer systems is an agent computer system which collects raw data relating to one or more metrics, i.e., measurements of system resources on the agent computer system. A Universal Data Repository (UDR) receives raw metric data from one or more agents. The UDR summarizes the raw data into a more compact yet meaningful form. The UDR can summarize both raw data and data that has previously been summarized one or more times, thus creating a plurality of levels of summarization. With each successive summarization, metric data become more compact, yet the data retain information and meaning. Each level of summarization is coarser in granularity and typically older than the previous level: the metric data representing a given period of time become more summarized and take up less space. So that the record of a particular process is never totally lost, process state changes are preserved throughout. The UDR preferably stores each level of summarization in a different file. When a file fills up to its configured maximum size, the oldest metric data from that file are summarized and pushed into the next coarsest file. When the coarsest file fills up, the oldest metric data from the coarsest file are deleted.
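Added example (not code from either patent) covering the two summarization abstracts above: a per-metric tiered store in Python in which a full level pushes its oldest records, summarized by a rule chosen for the data type, into the next coarser level, and the coarsest level deletes its oldest records. Summarized records keep enough information (sample count, preserved state transitions) to be summarized again. The data types, record shape, level sizes and batch size are assumptions.

```python
from collections import deque

# Summarization rule per data type (the types here are constructed examples):
# a numeric gauge collapses to min/mean/max plus a sample count, so it can be
# re-summarized later without losing meaning; a process-state series keeps
# every transition, so the record of a process is never totally lost.
def summarize_gauge(points):
    n = sum(p["n"] for p in points)
    return {"type": "gauge", "n": n,
            "min": min(p["min"] for p in points),
            "max": max(p["max"] for p in points),
            "mean": sum(p["mean"] * p["n"] for p in points) / n}

def summarize_state(points):
    states = []
    for p in points:
        for s in p["states"]:
            if not states or states[-1] != s:
                states.append(s)             # keep transitions, drop repeats
    return {"type": "state", "states": states}

RULES = {"gauge": summarize_gauge, "state": summarize_state}

def raw(kind, value):
    """Wrap a raw sample so level 0 and summarized levels share one shape."""
    if kind == "gauge":
        return {"type": "gauge", "n": 1, "min": value, "max": value, "mean": value}
    return {"type": "state", "states": [value]}

class UDR:
    """Tiered store for one metric: level 0 is raw, each later level coarser.
    sizes[i] is that level's maximum record count (stands in for file size)."""
    def __init__(self, kind, sizes, batch):
        self.rule, self.sizes, self.batch = RULES[kind], sizes, batch
        self.levels = [deque() for _ in sizes]

    def add(self, point):
        self.levels[0].append(point)
        self._overflow(0)

    def _overflow(self, i):
        coarsest = i + 1 == len(self.levels)
        while len(self.levels[i]) > self.sizes[i]:
            if coarsest:
                self.levels[i].popleft()     # coarsest file full: oldest deleted
                continue
            oldest = [self.levels[i].popleft() for _ in range(self.batch)]
            self.levels[i + 1].append(self.rule(oldest))   # push to next level
        if not coarsest:
            self._overflow(i + 1)

    def snapshot(self):
        return [list(level) for level in self.levels]
```

The batch size must not exceed a level's size plus one, since a level is drained only once it overflows by a single record.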