The popularity of the Internet and the availability of reliable underlying computer networks have greatly improved the dissemination of, and access to, information over a wide area network. Employees in an enterprise, for example, may use an integrated system from different parts of the city and the world. The connectivity provided by current communication technology has also given rise to problems such as unwanted intrusions, which include attempts at accessing, maliciously manipulating, and disabling computer systems. Intrusion detection systems are thus built to detect such unauthorized and unwanted accesses before the integrity of the computer system is compromised. Manually checking every operation performed by a person is clearly inefficient and often impossible for an enterprise with a large number of employees. An automated intrusion detection system is thus used to detect various types of unauthorized access and operations performed on computer systems, which can compromise their security and dependability. These include attacks against services provided by the system, data-driven attacks on applications, disallowed operations such as unpermitted software updates on the system, as well as unauthorized logins and access to sensitive information.
There are many types of intrusion detection systems, each of which follows a different approach for intrusion detection.
A Host-Based Intrusion Detection System (HIDS) monitors and analyzes the dynamic behavior and the state of a single computer, whether stand-alone or part of a distributed computing system or computer network. A HIDS watches the system resources and keeps a record of which programs are accessing them and what operations are being performed. If a program accesses any of the resources unexpectedly, the HIDS raises an alert. This can happen, for example, if a word-processing program suddenly starts to modify a system password database. In addition, the HIDS checks whether the stored information of a system appears as expected. The stored information of a system may reside in random access memory, in files of a file system, or elsewhere.
There are a few open source and commercially available HIDS that enable system administrators to verify the integrity of a computer system. Most of them require that a snapshot be created when an operating system is installed, and before the computer system is allowed to be connected to a network. By doing so, a trusted database of the file system is created, containing the attributes of various software applications and the operating system, such as permissions and size, together with the modification dates and cryptographic hashes of the associated files. The database is created by way of a policy, defining the parts of the computer system to be checked and what is considered to be an unauthorized change. When the computer system is audited, a new snapshot is taken according to the defined policy. Then a sophisticated comparison between the original and the new snapshot is carried out to search for changes and generate change events in real time. These change events are subsequently checked by a human expert.
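The snapshot-and-compare cycle described above, as an added example that is not code from the document or from any particular HIDS product. It records size, permission bits, modification time and a SHA-256 digest for each file named in a simple allow-list policy, then diffs a baseline snapshot against a later one and emits one change event per added, removed or modified file. The directory tree, the file contents and the tampering steps in `demo()` are constructed for illustration.

```python
"""Baseline-and-compare file integrity check (added example, not from the document)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Attributes the trusted database keeps for one file."""
    size: int
    mode: int        # permission bits only (setuid/setgid/sticky included)
    mtime_ns: int
    sha256: str


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root, policy):
    """policy: relative paths to check. Files absent from disk are simply not recorded."""
    snap = {}
    for rel in policy:
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            continue
        st = os.stat(full)
        snap[rel] = FileRecord(st.st_size, stat.S_IMODE(st.st_mode),
                               st.st_mtime_ns, _hash_file(full))
    return snap


def compare_snapshots(baseline, current):
    """Diff two snapshots and return a list of change-event dicts, sorted by path."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append({"path": rel, "kind": "added", "sha256": new.sha256})
        elif new is None:
            events.append({"path": rel, "kind": "removed", "sha256": None})
        elif old != new:
            changed = [f for f in ("size", "mode", "mtime_ns", "sha256")
                       if getattr(old, f) != getattr(new, f)]
            events.append({"path": rel, "kind": "modified",
                           "fields": changed, "sha256": new.sha256})
    return events


def demo():
    """Build a constructed tree, baseline it, tamper with it, return the change events."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0\n")                      # constructed content
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF-constructed-binary")       # constructed content
        # etc/shadow is deliberately absent when the baseline is taken
        policy = ["etc/passwd", "etc/shadow", "bin/ls"]
        baseline = take_snapshot(root, policy)

        # Tampering: append a user to passwd (size + hash change), set the setuid
        # bit on a binary (mode-only change), and create a file the policy watches.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("eve:x:0:0\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        with open(os.path.join(root, "etc", "shadow"), "w") as f:
            f.write("root:!:1\n")

        return compare_snapshots(baseline, take_snapshot(root, policy))


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The comparison reports which attributes changed, so a reviewer can tell a content change (hash and size) from a permission-only change such as a newly set setuid bit; in a real deployment the baseline itself must be stored where the monitored host cannot rewrite it, otherwise an intruder simply re-baselines after the change.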
The challenge in intrusion detection systems is that a large volume of "uncategorized" change events is typically created. Change events are not inherently known to be acceptable or unacceptable without further correlation or human intervention. Changes can be correlated to other sources by using a variety of methods that include the following:

- Manual user categorization and correlation with other systems, such as change control or patch management software;
- Correlation with other similar change events already accepted manually by a user; or
- Correlation with other still outstanding, unaccepted change events, often called event repetition.
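The three correlation methods listed above, as an added example that is not the document's own method or any product's code. Each raw change event (path, kind, new hash) is checked, in order, against an approved-change list standing in for a change-control or patch-management system, against events a human has previously accepted, and against events still outstanding on the same path; anything that matches nothing stays "uncategorized" for human review. The ticket data, acceptance history and events are constructed for illustration.

```python
"""Triage of HIDS change events by correlation (added example, not from the document)."""
from collections import Counter


class EventTriage:
    def __init__(self, change_tickets, accepted_history):
        # path -> set of sha256 digests approved by change control / patch management
        self.change_tickets = {p: set(h) for p, h in change_tickets.items()}
        # (path, kind, sha256) tuples a human has accepted in the past
        self.accepted_history = set(accepted_history)
        # path -> list of events still awaiting human decision
        self.outstanding = {}

    def classify(self, ev):
        """Return (category, reason) for one event without recording it."""
        key = (ev["path"], ev["kind"], ev["sha256"])
        if ev["sha256"] in self.change_tickets.get(ev["path"], set()):
            return "accepted", "matches an approved change ticket"
        if key in self.accepted_history:
            return "accepted", "identical event accepted previously by a user"
        n = len(self.outstanding.get(ev["path"], []))
        if n:
            return "repetition", f"{n} outstanding event(s) already on this path"
        return "uncategorized", "no correlation found; needs human review"

    def triage(self, events):
        """Classify a batch in order; unaccepted events become outstanding."""
        results = []
        for ev in events:
            cat, why = self.classify(ev)
            if cat != "accepted":
                self.outstanding.setdefault(ev["path"], []).append(ev)
            results.append((ev, cat, why))
        return results

    def human_accept(self, path):
        """A reviewer accepts everything outstanding on a path; future identical
        events will then be auto-accepted by the history check."""
        for ev in self.outstanding.pop(path, []):
            self.accepted_history.add((ev["path"], ev["kind"], ev["sha256"]))

    def summary(self, results):
        return Counter(cat for _, cat, _ in results)


# Constructed sample data: a patch ticket, one prior acceptance, and five raw events.
TICKETS = {"bin/ls": {"aaa1"}}
HISTORY = [("etc/motd", "modified", "bbb2")]
EVENTS = [
    {"path": "bin/ls", "kind": "modified", "sha256": "aaa1"},       # approved patch
    {"path": "etc/motd", "kind": "modified", "sha256": "bbb2"},     # accepted before
    {"path": "etc/passwd", "kind": "modified", "sha256": "ccc3"},   # unknown change
    {"path": "etc/passwd", "kind": "modified", "sha256": "ddd4"},   # same path, next audit
    {"path": "usr/lib/libnew.so", "kind": "added", "sha256": "eee5"},  # unknown file
]


def run_demo():
    t = EventTriage(TICKETS, HISTORY)
    results = t.triage(EVENTS)
    return t, results


if __name__ == "__main__":
    triage, res = run_demo()
    for ev, cat, why in res:
        print(f"{cat:13} {ev['path']:22} {why}")
    print(triage.summary(res))
```

The ordering of the checks matters: approved tickets and prior acceptances remove events from the reviewer's queue entirely, while repetition only groups a new event with an existing open one so the reviewer sees the path once rather than once per audit. Only the last bucket is real analyst work, which is the data-volume problem the next paragraph describes.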
Despite the reduction in the number of change events achieved by the prior-art methods mentioned above, the volume of data generated by the remaining change events that must still be checked manually can be overwhelming.
Therefore there is a need in the industry for the development of an improved method and system for real time classification of events in a computer integrity system.