1. Technical Field
The present invention generally relates to detecting the use of software, and more specifically, to the dynamic detection of an intrusive anomalous use of computer software.
2. Description of the Related Art
The literature and media abound with reports of successful violations of computer system security by both external attackers and internal users. These breaches occur through physical attacks, social engineering attacks, and attacks on the system. In a system attack, the intruder subverts or bypasses the security mechanisms of the system in order to gain unauthorized access to the system or to increase current access privileges. These attacks are successful when the attacker is able to cause the system software to execute in a manner that is typically inconsistent with the software specification and thus leads to a breach in security.
Intrusion detection systems monitor some traces of user activity to determine if an intrusion has occurred. The traces of activity can be collated from audit trails or logs, from network monitoring, or from a combination of both. Once the data regarding a relevant aspect of the behavior of the system have been collected, the classification stage starts. Intrusion detection classification techniques can be broadly catalogued into two main groups: misuse intrusion detection and anomaly intrusion detection. The first type of classification technique searches for occurrences of known attacks having particular signatures, and the second type searches for a departure from normality. Some of the newest intrusion detection tools incorporate both approaches.
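The following Python example, added here as an illustration and not part of the present disclosure, shows the two classification groups side by side over an audit trail of system-call names. The misuse detector matches a known signature (a hypothetical, constructed one) as an ordered subsequence; the anomaly detector trains a profile of call bigrams from constructed "normal" sessions and scores a session by the fraction of its bigrams never seen in that profile. The combined classifier at the end reflects the tools that incorporate both approaches. All session data, signature names and thresholds are constructed assumptions.

```python
"""Misuse (signature) and anomaly classification over an audit trail of
system-call names. All audit data and signatures below are constructed."""
from collections import Counter

# Constructed "normal" sessions: call sequences observed during benign use.
NORMAL_SESSIONS = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "write", "write", "close"],
]

# Constructed misuse signature: an ordered subsequence characterising one
# hypothetical known attack. Real signature databases are far larger.
SIGNATURES = {
    "hypothetical-escalation": ["setuid", "execve"],
}


def matches_signature(calls, signature):
    """True if `signature` occurs in `calls` as an ordered (not necessarily
    contiguous) subsequence."""
    idx = 0
    for call in calls:
        if idx < len(signature) and call == signature[idx]:
            idx += 1
    return idx == len(signature)


def misuse_detect(calls):
    """Misuse detection: names of the known signatures found in the session."""
    return [name for name, sig in SIGNATURES.items() if matches_signature(calls, sig)]


def ngrams(calls, n):
    """Sliding n-grams of consecutive calls."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]


def build_profile(sessions, n=2):
    """Anomaly detection, training stage: n-gram counts seen during normal use."""
    profile = Counter()
    for session in sessions:
        profile.update(ngrams(session, n))
    return profile


def anomaly_score(calls, profile, n=2):
    """Fraction of the session's n-grams absent from the normal profile
    (0.0 = entirely familiar, 1.0 = entirely novel)."""
    grams = ngrams(calls, n)
    if not grams:
        return 0.0
    novel = sum(1 for g in grams if g not in profile)
    return novel / len(grams)


def anomaly_detect(calls, profile, threshold=0.5, n=2):
    """Anomaly detection: flag a departure from normality above `threshold`."""
    return anomaly_score(calls, profile, n) >= threshold


def classify(calls, profile):
    """Combined classifier: reports what each technique concluded, so an
    attack with no signature can still be caught by the anomaly score."""
    return {
        "misuse": misuse_detect(calls),
        "anomaly_score": round(anomaly_score(calls, profile), 3),
        "anomalous": anomaly_detect(calls, profile),
    }


if __name__ == "__main__":
    prof = build_profile(NORMAL_SESSIONS)
    for session in (["open", "read", "close"],                 # benign
                    ["open", "setuid", "execve", "close"],     # matches signature
                    ["chmod", "chown", "write", "close"]):     # novel, no signature
        print(session, classify(session, prof))
```

The third session in the usage block is the case the text motivates: it matches no signature, so the misuse detector is silent, but two of its three bigrams are absent from the normal profile, so the anomaly detector flags it.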
Some recent systems have employed dynamic software measurement techniques, but they either make a decision instantaneously (at every measurement), or they aggregate measurements (either by time or by number of observations) and perform analyses on aggregates. Techniques that make a decision at every measurement point should be very fast, because they can potentially be called thousands of times per second. This performance constraint severely limits the detection accuracy of such techniques. On the other hand, techniques that only consider aggregated system behavior can have a significant latency between the time of intrusion and the time of detection due to the aggregation delay.
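The trade-off described above, as an added Python illustration that is not part of the present disclosure: a constructed stream of scalar measurements (for instance, the distance of the observed execution profile from a nominal one) with two benign transient spikes and a sustained shift from the moment the intrusion begins. The instantaneous detector decides on every sample and therefore alarms on the benign spikes as well; the aggregating detector decides once per fixed window of observations, avoids those false alarms, but only reports at the end of the window, and when the intrusion onset falls mid-window the diluted mean can miss it entirely until the next window closes. Stream values, thresholds and window size are constructed assumptions.

```python
"""Detection latency versus per-measurement decision cost: a detector that
decides at every measurement against one that decides on window aggregates.
The measurement stream is constructed for illustration."""


def make_stream(length=40, onset=30, benign_spikes=(7, 19),
                baseline=1.0, spike=3.5, intrusion=3.0):
    """Constructed scalar measurements: flat baseline, short benign spikes at
    `benign_spikes`, and a sustained shift from sample `onset` onwards."""
    stream = []
    for i in range(length):
        if i >= onset:
            stream.append(intrusion)
        elif i in benign_spikes:
            stream.append(spike)
        else:
            stream.append(baseline)
    return stream


def instantaneous_detector(stream, threshold):
    """Decide at every measurement: alarm whenever one sample exceeds the
    threshold. Returns the indices of all alarms (cheap, but spike-sensitive)."""
    return [i for i, x in enumerate(stream) if x > threshold]


def aggregate_detector(stream, threshold, window):
    """Decide once per block of `window` observations on the block mean.
    Returns the index of the last sample of each block that raised an alarm;
    nothing can be reported before a block is complete."""
    alarms = []
    for start in range(0, len(stream) - window + 1, window):
        block = stream[start:start + window]
        if sum(block) / window > threshold:
            alarms.append(start + window - 1)
    return alarms


def evaluate(alarms, onset):
    """Alarms raised before the intrusion are false positives; latency is the
    number of samples between the onset and the first alarm at or after it
    (None if the intrusion was never reported within the stream)."""
    false_positives = [a for a in alarms if a < onset]
    hits = [a for a in alarms if a >= onset]
    return {"false_positives": false_positives,
            "latency": hits[0] - onset if hits else None}


if __name__ == "__main__":
    THRESHOLD, WINDOW = 2.5, 10
    for length, onset in ((40, 30), (50, 35)):
        s = make_stream(length=length, onset=onset)
        print(f"onset={onset}",
              "instantaneous:", evaluate(instantaneous_detector(s, THRESHOLD), onset),
              "aggregate:", evaluate(aggregate_detector(s, THRESHOLD, WINDOW), onset))
```

With the onset aligned to a window boundary the aggregating detector pays a latency equal to the window length minus one sample; with the onset halfway through a window the block mean stays under the threshold, and the alarm slips to the end of the following window.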
There remains a need for improved techniques.