The present invention is particularly suited for, but by no means limited to, application in the field of computer system security. The background of the invention will therefore be described in the context of computer system security.
A modern software system is composed of a plurality of subcomponents called modules. Each of these program modules is generally used to implement one or more functional software requirements. As the program executes, each module may call another module. In other words, the modules interact with one another. The specific manner in which program modules interact will be determined by external stimuli to the program. These stimuli are the result of a user's interaction with the system. A user's behavior in his interaction with the program induces a behavioral response of the program in terms of the execution patterns of the modules that comprise the program.
When a software system, such as an operating system, is placed in a highly constrained context such as a web server or a file server, the variation in the behavior of the software in response to the operating environment is typically very small. When there are anomalous variations in the steady state behavior of the system, it is reasonable to suppose that the way that the system is being used has changed. If there has been a change in the behavior of the system, there must have been a change in the behavioral characteristics of the system user or users. This work provides a methodology for representing normal system behavior in terms of a statistical representation of program module interactions.
If the normal or steady state behavior of a system can be represented mathematically, then it will be possible to identify departures from this normal or steady state behavior. These departures from normal represent possible deliberate misuses of the system. The greater the departure from normal behavior, the more egregious the external behavior may be.
The literature and media abound with reports of successful violations of computer system security by both external attackers and internal users. These breaches occur through physical attacks, social engineering attacks, and attacks on the system software. In a system software attack, the intruder subverts or bypasses the security mechanisms of the system in order to gain unauthorized access to the system or to increase current access privileges. These attacks are successful when the attacker is able to cause the system software to execute in a manner that is typically inconsistent with the software specification and thus leads to a breach in security.
Intrusion detection systems monitor some traces of user activity to determine if an intrusion has occurred. The traces of activity can be collated from audit trails or logs, network monitoring, or a combination of both. Once the data regarding a relevant aspect of the behavior of the system are collected, the classification stage starts. Intrusion detection classification techniques can be broadly catalogued into two main groups: misuse intrusion detection and anomaly intrusion detection. The first type of classification technique searches for occurrences of known attacks with a particular “signature,” and the second type searches for a departure from normality. Some of the newest intrusion detection tools incorporate both approaches.
One known system for detecting an intrusion is the EMERALD™ program. EMERALD defines the architecture of independent monitors that are distributed about a network to detect intrusions. Each monitor performs a signature or profile analysis of a “target event stream” to detect intrusions and communicates such detection to other monitors on the system. The analysis is performed on event logs, but the structure of the logs is not prescribed and the timeliness of the analysis and detection of an intrusion depends on the analyzed system and how it chooses to provide such log data. By monitoring these logs, EMERALD can thus determine that at some point in the event stream recorded in the log, an intrusion occurred. However, the detection is generally not implemented in real time, but instead occurs at some interval of time after the intrusion. Also, this system does not allow monitoring of all types of software activity, since it is limited to operating system kernel events. It would be desirable to provide a real time intrusion detection paradigm that is applicable to monitoring almost any type of program.
A more general case of the intrusion detection problem is the problem of anomalous behavior detection. It is possible to detect anomalous behavior based on the measurement of program activity as control is passed among program control structures. As a system executes its customary activities, the behavior monitoring scheme should establish a nominal system behavior profile. Departures from the nominal system profile will likely represent potential anomalous activity on the system. Since unwanted activity may be detected by comparison of the current system activity to that occurring during previous assaults on the system, it would be desirable to store profiles for recognizing these activities from historical data. Historical data, however, cannot be used to recognize new kinds of behavior. An effective security tool would be one designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity. The subject matter disclosed herein and in the above-cited related patent applications addresses these issues.
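The statistical representation of module interactions described above, and the nominal-profile comparison described in this paragraph, can be illustrated with a small worked example. The following code is added here for illustration and is not part of the disclosed invention or its claims; the module names, the execution traces and the choice of a transition-probability profile with a surprise-based departure score are all constructed assumptions.

```python
from collections import Counter
import math

# Constructed sample traces: each list is the sequence of hypothetical program
# modules executed while the system handled one request under normal use.
NOMINAL_TRACES = [
    ["parse_request", "check_auth", "read_file", "send_response"],
    ["parse_request", "check_auth", "read_file", "send_response"],
    ["parse_request", "check_auth", "list_dir", "send_response"],
    ["parse_request", "check_auth", "read_file", "read_file", "send_response"],
]

def transition_profile(traces):
    """Nominal profile: estimate P(next module | current module) from the
    module-to-module transitions observed during steady-state operation."""
    counts = {}
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            counts.setdefault(src, Counter())[dst] += 1
    return {src: {dst: n / sum(c.values()) for dst, n in c.items()}
            for src, c in counts.items()}

def departure(profile, trace, floor=1e-3):
    """Mean surprise in bits per transition of a trace under the nominal profile.
    A transition never seen during profiling gets a small floor probability, so
    one unseen module interaction produces a large but finite score."""
    if len(trace) < 2:
        return 0.0
    bits = 0.0
    for src, dst in zip(trace, trace[1:]):
        p = profile.get(src, {}).get(dst, floor)
        bits += -math.log2(p)
    return bits / (len(trace) - 1)

def threshold(profile, traces, k=3.0):
    """Departure beyond mean + k standard deviations of the nominal traces
    is treated as anomalous; k controls the false-positive rate."""
    scores = [departure(profile, t) for t in traces]
    mean = sum(scores) / len(scores)
    var = sum((s - mean) ** 2 for s in scores) / len(scores)
    return mean + k * math.sqrt(var)

def is_anomalous(profile, thresh, trace):
    return departure(profile, trace) > thresh

if __name__ == "__main__":
    prof = transition_profile(NOMINAL_TRACES)
    t = threshold(prof, NOMINAL_TRACES)
    # A trace that reaches read_file without passing through check_auth.
    bypass = ["parse_request", "read_file", "send_response"]
    print(round(departure(prof, bypass), 2), "bits/transition; anomalous:",
          is_anomalous(prof, t, bypass))
```

The nominal traces score well below the threshold, while the trace that skips the authorization module contains a transition the profile never saw and scores far above it.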