Patents by Inventor Cheuk W. Ko

Cheuk W. Ko has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7043756
    Abstract: One embodiment of the present invention provides a system that detects denial-of-service attacks by using an execution profile for a kernel of a server computer system. The system produces a run-time execution profile by gathering statistics related to execution of a protocol stack within the kernel, wherein the protocol stack processes packets received from client computer systems. Next, the system compares the run-time execution profile with a normal execution profile, wherein the normal execution profile is representative of execution when the server is not subject to a denial-of-service attack. If the run-time execution profile deviates from the normal execution profile, the system indicates that a denial-of-service attack is taking place.
    Type: Grant
    Filed: September 27, 2001
    Date of Patent: May 9, 2006
    Assignee: McAfee, Inc.
    Inventors: Guy Tsafnat, Cheuk W. Ko, Paul C. Brutch
  • Patent number: 7024694
    Abstract: One embodiment of the present invention provides content-based intrusion detection for a computer system by using an agile kernel-based auditing system. This auditing system operates by receiving an audit specification that specifies target attributes to be recorded during an auditing process. The audit specification also specifies an auditing criterion that triggers recording of the target attributes. Upon receiving the audit specification, the auditing system is configured to record the target attributes during system calls whenever the auditing criterion is satisfied. Next, an application program is monitored by the auditing system to produce an audit log containing the recorded target attributes. This audit log is examined in order to detect patterns for intrusion detection purposes. In one embodiment of the present invention, configuring the auditing system involves compiling the audit specification to produce a kernel module, and then loading the kernel module into a kernel of an operating system.
    Type: Grant
    Filed: June 13, 2000
    Date of Patent: April 4, 2006
    Assignee: McAfee, Inc.
    Inventor: Cheuk W. Ko
  • Patent number: 6983380
    Abstract: One embodiment of the present invention provides a system that automatically generates a valid behavior specification for use in an intrusion detection system for a computer system. The system operates by receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls. The system automatically constructs the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls. This set of rules is selected to cover all positive examples in the exemplary set of system calls without covering negative examples. Moreover, the process of selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
    Type: Grant
    Filed: February 6, 2001
    Date of Patent: January 3, 2006
    Assignee: Networks Associates Technology, Inc.
    Inventor: Cheuk W. Ko
  • Patent number: 6789202
    Abstract: One embodiment of the present invention provides a policy-driven intrusion detection system for a networked computer system. This system operates by receiving a global policy for intrusion detection for the networked computer system. This global policy specifies rules in the form of a global security condition for the networked computer system and a global response to be performed in response to the global security condition. The system compiles the global policy into local policies for local regions of the networked computer system. Each local policy specifies at least one rule in the form of a local security condition for an associated local region of the networked computer system and a local response to be performed in response to the local security condition. The system communicates the local policies to local analyzers that control security for the local regions. A local analyzer compiles a local policy into specifiers for local sensors in a local region associated with the local analyzer.
    Type: Grant
    Filed: October 15, 1999
    Date of Patent: September 7, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Cheuk W. Ko, Jaisook Rho
  • Patent number: 6697950
    Abstract: One embodiment of the present invention provides a system that detects a macro virus in a computer system by statically analyzing macro operations within a document. The system operates by receiving the document containing the macro operations. The system locates the macro operations within the document, and performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations. Next, the system compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations. If so, the system informs a user that the document contains suspect macro operations. In one embodiment of the present invention, after informing the user, the system receives instructions from the user specifying an action to take with regards to the document.
    Type: Grant
    Filed: December 22, 1999
    Date of Patent: February 24, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventor: Cheuk W. Ko
  • Publication number: 20030061513
    Abstract: One embodiment of the present invention provides a system that detects denial-of-service attacks by using an execution profile for a kernel of a server computer system. The system produces a run-time execution profile by gathering statistics related to execution of a protocol stack within the kernel, wherein the protocol stack processes packets received from client computer systems. Next, the system compares the run-time execution profile with a normal execution profile, wherein the normal execution profile is representative of execution when the server is not subject to a denial-of-service attack. If the run-time execution profile deviates from the normal execution profile, the system indicates that a denial-of-service attack is taking place.
    Type: Application
    Filed: September 27, 2001
    Publication date: March 27, 2003
    Inventors: Guy Tsafnat, Cheuk W. Ko, Paul C. Brutch
  • Publication number: 20020138755
    Abstract: One embodiment of the present invention provides a system that automatically generates a valid behavior specification for use in an intrusion detection system for a computer system. The system operates by receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls. The system automatically constructs the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls. This set of rules is selected to cover all positive examples in the exemplary set of system calls without covering negative examples. Moreover, the process of selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
    Type: Application
    Filed: February 6, 2001
    Publication date: September 26, 2002
    Inventor: Cheuk W. Ko