The present invention is particularly suited for, but by no means limited to, application in the field of computer system security. The background of the invention will therefore be described in the context of computer system security.
The literature and media abound with reports of successful violations of computer system security by both external attackers and internal users. These breaches occur through physical attacks, social engineering attacks, and attacks on the system software. In a system software attack, the intruder subverts or bypasses the security mechanisms of the system in order to gain unauthorized access to the system or to increase current access privileges. These attacks are successful when the attacker is able to cause the system software to execute in a manner that is typically inconsistent with the software specification and thus leads to a breach in security.
Intrusion detection systems monitor some traces of user activity to determine if an intrusion has occurred. The traces of activity c an be collated from audit trails or logs, network monitoring or a combination of both. Once the data regarding a relevant aspect of the behavior of the system are collected, the classification stage starts. Intrusion detection classification techniques can be broadly catalogued in the two main groups: misuse intrusion detection, and anomaly intrusion detection. The first type of classification technique searches for occurrences of known attacks with a particular “signature,” and the second type searches for a departure from normality. Some of the newest intrusion detection tools incorporate both approaches.
One known system for detecting an intrusion is the EMERALD™ program. EMERALD defines the architecture of independent monitors that are distributed about a network to detect intrusions. Each monitor performs a signature or profile analysis of a “target event stream” to detect intrusions and communicates such detection to other monitors on the system. The analysis is performed on event logs, but the structure of the logs is not prescribed and the timeliness of the analysis and detection of an intrusion depends on the analyzed system and how it chooses to provide such log data. By monitoring these logs, EMERALD can thus determine that at some point in the event stream recorded in the log, an intrusion occurred. However, the detection is generally not implemented in real time, but instead occurs at some interval of time after the intrusion. Also, this system does not allow monitoring of all types of software activity, since it is limited to operating system kernel events. It would be desirable to provide a real time intrusion detection paradigm that is applicable to monitoring almost any type of program.
A more general case of the intrusion detection problem is the problem of anomalous behavior detection. It is possible to detect anomalous behavior based on the measurement of program activity as control is passed among program control structures. As a system executes its customary activities, the behavior monitoring scheme should estimate a nominal system behavior. Departures from the nominal system profile will likely represent potential anomalous activity on the system. Since unwanted activity may be detected by comparison of the current system activity to that occurring during previous assaults on the system, it would be desirable to store profiles for recognizing these activities from historical data. Historical data, however, cannot be used to recognize new kinds of behavior. An effective security tool would be one designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity. The subject matter disclosed herein and in U.S. patent application Ser. No. 09/309,755, now U.S. Pat. No. 6,681,331, addresses these issues.
A modern software system is composed of a plurality of subcomponents called modules. Each program module generally implements a specific functional requirement. As the program executes, each module may call another module. Through a specific sequence of calls from one module to another, a higher level of functional granularity is achieved. Many times there is a very tight binding between the sequences of calls to program modules. That is, one module may always call another module. If this is the case, there is a high correlation between the activities of the two modules. They are bound so closely together that they interact as one functional unit. One goal of the present invention is to provide improved profiling techniques for use in analyzing interactions between and among program modules to identify anomalous behavior, e.g., in the field of computer security.
At a finer level of granularity, each program module has internal structure as represented by a flowgraph. There are many potential execution paths through each program module. By instrumenting the paths associated with the decision points within each module, not only can the observation of the interaction of program modules be made but the interactions within the program modules may be observed as well.