公开(公告)号：US20060085854A1

公开(公告)日：2006-04-20

申请号：US10967945

申请日：2004-10-19

申请人： Subhash Agrawal ,  Scott Wimer ,  Jonathan Young

发明人： Subhash Agrawal ,  Scott Wimer ,  Jonathan Young

IPC分类号： G06F12/14 ,  G06F11/36 ,  G06F11/00 ,  G06F11/22 ,  G06F11/30 ,  G06F11/32 ,  G06F11/34 ,  G06F12/16 ,  G06F15/18 ,  G08B23/00 ,  H04L9/00

CPC分类号： G06F21/55 ,  G06F21/552 ,  H04L63/1408

摘要： A method of detecting an intrusion into (or an anomaly in a behavior of) a target software system begins by instrumenting the target software system to generate behavior data representing a current observation or observation aggregate. The method then determines whether the current observation or observation aggregate warrants a second level examination; preferably, this determination is made by processing the current observation or observation aggregate through a first level detection algorithm that provides a first, provisional indication of a possible intrusion. If a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, the method continues by processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite, fine grain indication of a possible intrusion. The observation aggregates used by the first and second level detection algorithms may be the same or different. The first and second level detection algorithms may be executed in the same or different systems, machines or processors. The target software system operation may be suspended as the current observation or observation aggregate is processed through the one or more second level detection algorithms. A given action (e.g., sending an alert, logging the event, activating a countermeasure, or the like) may be taken if the result of the second level examination indicates a possible intrusion. Multiple algorithms may be executed together within a single examination level, with the individual results then analyzed to obtain a composite result or output indicative of intrusive or anomalous behavior.

摘要翻译： 检测目标软件系统（或其行为的异常）的入侵检测方法首先通过对目标软件系统进行测量以产生表示当前观察或观察聚合体的行为数据。 然后，该方法确定当前观察或观察总体是否需要进行二级检查; 优选地，通过提供可能入侵的第一临时指示的第一级检测算法处理当前观察或观察聚合来进行该确定。 如果执行第一级检测算法的结果指示当前观察或观察集合需要进行第二级检查，则该方法通过至少一个或多个第二级检测算法处理当前观察或观察聚合来继续，以提供第二级检测算法， 更明确的，可能入侵的细粒度迹象。 由第一和第二级检测算法使用的观测聚合可以相同或不同。 第一和第二级检测算法可以在相同或不同的系统，机器或处理器中执行。 目标软件系统操作可以由于通过一个或多个第二级检测算法来处理当前观察或观察聚合体而被暂停。 如果第二级检查的结果指示可能的入侵，则可以采取给定的动作（例如，发送警报，记录事件，激活对策等）。 多个算法可以在单个检查级别中一起执行，然后分析各个结果以获得指示入侵或异常行为的复合结果或输出。

公开(公告)号：US20060190218A1

公开(公告)日：2006-08-24

申请号：US11062667

申请日：2005-02-22

申请人： Subhash Agrawal ,  Ian Main ,  Galen Gawboy ,  Scott Wimer

发明人： Subhash Agrawal ,  Ian Main ,  Galen Gawboy ,  Scott Wimer

IPC分类号： G06F11/30

CPC分类号： G06F11/3466 ,  G06F11/3495 ,  G06F2201/865

摘要： A generic instrumentation framework comprises two primary systems: an instrumentation generation system, and a runtime system. The instrumentation generation system creates an instrumentation generator that is specific to the system or subsystem to be instrumented. Preferably, the instrumentation generator is created by an instrumentation generation engine, which receives as input a system descriptor. The system descriptor is a set of metadata that comprise an interface specification. The instrumentation generation engine reads the system descriptor, identifies the target system, and selects an appropriate instrumentation generator. Using the system descriptor, the instrumentation generator then creates an instrumentation “package” comprising the actual instrumentation code itself (an executable) together with an instrumentation descriptor, which describes a set of one or more instrumentation points in the target system. The target system is then available to be instrumented with the instrumentation code. At an appropriate time, such as system start up, a telemetry stream adapter of the runtime system loads in and initiates the instrumentation code. A telemetry stream reader of the runtime system reads telemetry stream data provided by the telemetry stream adapter. The telemetry is then made available to an analysis module, which also receives the instrumentation descriptor to facilitate a forensic analysis of the telemetry.

摘要翻译： 通用的仪器框架包括两个主要系统：仪表生成系统和运行时系统。 仪器生成系统创建一个特定于要进行仪器化的系统或子系统的仪表发生器。 优选地，仪表发生器由仪器生成引擎创建，该引擎作为输入接收系统描述符。 系统描述符是包含接口规范的一组元数据。 仪器生成引擎读取系统描述符，识别目标系统，并选择适当的仪器发生器。 使用系统描述符，仪表发生器随后创建一个包含实际仪器代码本身（可执行程序）的仪器“软件包”，以及描述目标系统中一组或多个仪表点的仪表描述符。 目标系统随后可用仪器仪表代码进行检测。 在适当的时间，例如系统启动时，运行系统的遥测流适配器加载并启动检测代码。 运行时系统的遥测流读取器读取由遥测流适配器提供的遥测数据流数据。 然后，遥测可用于分析模块，分析模块还接收仪器描述符，以便于进行遥测的法医分析。