首页>
外国专利>
Method and apparatus for content-based instrusion detection using an agile kernel-based auditor
Method and apparatus for content-based instrusion detection using an agile kernel-based auditor
展开▼
机译:使用基于敏捷内核的审计程序进行基于内容的入侵检测的方法和设备
展开▼
页面导航
摘要
著录项
相似文献
摘要
One embodiment of the present invention provides content-based intrusion detection for a computer system by using an agile kernel-based auditing system. This auditing system operates by receiving an audit specification that specifies target attributes to be recorded during an auditing process. The audit specification also specifies an auditing criterion that triggers recording of the target attributes. Upon receiving the audit specification, the auditing system is configured to record the target attributes during system calls whenever the auditing criterion is satisfied. Next, an application program is monitored by the auditing system to produce an audit log containing the recorded target attributes. This audit log is examined in order to detect patterns for intrusion detection purposes. In one embodiment of the present invention, configuring the auditing system involves compiling the audit specification to produce a kernel module, and then loading the kernel module into a kernel of an operating system. It also involves linking code from within the kernel module into system calls within the operating system. In one embodiment of the present invention, in response to detecting an event during the auditing process, the system dynamically adjusts the auditing system to change the auditing criterion and/or the target attributes for subsequent operation of the auditing system.
展开▼