Claims
- 1. A method of improving intrusion detection in a computing network, comprising steps of:
providing intrusion detection processing in an operating system kernel; providing an application program which makes use of the operating system kernel during execution; executing the application program; and selectively evaluating at least one incoming communication of the executing application program for an intrusion using the provided intrusion detection processing in the operating system kernel.
- 2. The method according to claim 1, wherein the selectively evaluating step operates within error-handling logic of a protocol stack running in the operating system kernel.
- 3. The method according to claim 1, further comprising the step of invoking a response action when the selectively evaluating step detects the intrusion.
- 4. The method according to claim 3, wherein the response action is determined by consulting intrusion detection policy information.
- 5. The method according to claim 3, wherein the step of invoking a response occurs in real time, responsive to the detected intrusion.
- 6. The method according to claim 4, wherein the intrusion detection policy information is stored in a network-accessible repository.
- 7. The method according to claim 1, wherein the selectively evaluating step further comprises comparing the incoming communication of the executing application program to one or more attack signatures.
- 8. The method according to claim 7, wherein at least one of the attack signatures is a class signature representing a class of attacks.
- 9. The method according to claim 1, wherein the selectively evaluating step further comprises comparing the incoming communication of the executing application program to one or more intrusion detection conditions.
- 10. The method according to claim 9, wherein the intrusion detection conditions are specified in intrusion detection rules.
- 11. The method according to claim 10, wherein each of the intrusion detection rules further comprises one or more actions to be taken when the conditions of the rule are matched.
- 12. The method according to claim 1, wherein the selectively evaluating step further comprises comparing current conditions to predetermined conditions which signal a potential intrusion.
- 13. The method according to claim 1, wherein the selectively evaluating step is provided as layer-specific intrusion detection logic within a protocol stack running in the operating system kernel.
- 14. The method according to claim 1, wherein the selectively evaluating step operates in an endpoint of a connection in the computing network.
- 15. The method according to claim 14, wherein the incoming communication of the executing application program is encrypted while traversing the connection.
- 16. A system for improving intrusion detection in a computing network, comprising:
an operating system kernel; an application program which makes use of the operating system kernel during execution; means for executing the application program; means for executing a protocol stack within the operating system kernel, wherein the protocol stack is augmented to perform intrusion detection processing; and means for selectively evaluating at least one incoming communication of the executing application program for an intrusion using the intrusion detection processing, by comparing current conditions to predetermined conditions which signal a potential intrusion.
- 17. The system according to claim 16, wherein the current conditions comprise contents of the incoming communication.
- 18. The system according to claim 17, wherein the current conditions further comprise a protocol state of the protocol stack when the incoming communication was evaluated.
- 19. A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code means for executing an application program which makes use of an operating system kernel during execution; computer-readable program code means for executing a protocol stack within the operating system kernel, wherein the protocol stack is augmented to perform intrusion detection processing; and computer-readable program code means for selectively evaluating at least one incoming communication of the executing application program for an intrusion using the intrusion detection processing, by comparing current conditions to predetermined conditions which signal a potential intrusion.
- 20. The computer program product according to claim 19, wherein the current conditions comprise contents of the incoming communication.
- 21. The computer program product according to claim 20, wherein the current conditions further comprise a protocol state of the protocol stack when the incoming communication was evaluated.
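The claims above describe the mechanism only abstractly: intrusion detection logic placed inside the kernel protocol stack (claims 1, 13), reached from the stack's error-handling path as well as the normal receive path (claim 2), comparing the incoming communication against exact and class attack signatures (claims 7, 8) and against rule conditions that include the protocol state at evaluation time (claims 9-11, 18), and invoking a response action when a rule matches (claims 3, 11). The following user-space model is an added illustration of that structure, not code from the patent or its related inventions; the rule names, the SYN+FIN and NOP-sled conditions, the `EVILCMD` signature, the action ordering and the sample segments are all hypothetical, constructed for this example.

```c
/* Added example (not from the patent): a user-space model of intrusion
 * detection inside a protocol stack endpoint. Rules, names and segments
 * are hypothetical, constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum proto_state { ST_LISTEN, ST_SYN_RCVD, ST_ESTABLISHED };      /* endpoint state */
enum { FL_FIN = 0x01, FL_SYN = 0x02, FL_RST = 0x04, FL_ACK = 0x10 };
enum ids_action { ACT_ALLOW = 0, ACT_LOG, ACT_DROP, ACT_RESET };   /* ordered by severity */

struct segment { unsigned flags; const unsigned char *payload; size_t len; };

/* "Current conditions" handed to the rules: segment contents, the protocol
 * state when it was evaluated, and whether it came via the error path. */
struct ids_ctx { enum proto_state state; const struct segment *seg; int in_error_path; };

/* A rule is a condition predicate plus the action to take when it matches. */
struct ids_rule { const char *name; int (*cond)(const struct ids_ctx *); enum ids_action action; };

static const unsigned char SIG_EXACT[] = "EVILCMD";   /* signature for one specific attack */

static int cond_exact_sig(const struct ids_ctx *c)
{
    size_t n = sizeof SIG_EXACT - 1;
    for (size_t i = 0; i + n <= c->seg->len; i++)
        if (memcmp(c->seg->payload + i, SIG_EXACT, n) == 0) return 1;
    return 0;
}

/* Class signature: a run of >= 32 NOP (0x90) bytes, a shape shared by a
 * whole class of overflow payloads rather than by one exploit. */
static int cond_nop_sled_class(const struct ids_ctx *c)
{
    size_t run = 0;
    for (size_t i = 0; i < c->seg->len; i++) {
        run = (c->seg->payload[i] == 0x90) ? run + 1 : 0;
        if (run >= 32) return 1;
    }
    return 0;
}

/* Protocol-state condition: payload arriving before the handshake completed. */
static int cond_data_before_established(const struct ids_ctx *c)
{
    return c->state != ST_ESTABLISHED && c->seg->len > 0;
}

/* Error-path condition: SYN+FIN is malformed. The stack's error handler,
 * instead of silently discarding it, lets the IDS see it first. */
static int cond_syn_fin(const struct ids_ctx *c)
{
    return c->in_error_path && (c->seg->flags & FL_SYN) && (c->seg->flags & FL_FIN);
}

/* The policy table; a real implementation would load this from a repository. */
static const struct ids_rule POLICY[] = {
    { "exact-signature",         cond_exact_sig,               ACT_RESET },
    { "nop-sled-class",          cond_nop_sled_class,          ACT_DROP  },
    { "syn-fin-scan",            cond_syn_fin,                 ACT_LOG   },
    { "data-before-established", cond_data_before_established, ACT_DROP  },
};

/* Evaluate every rule; the most severe matching action wins, and the first
 * matching rule's name is reported so the response path can log it. */
static enum ids_action ids_evaluate(const struct ids_ctx *c, const char **matched)
{
    enum ids_action worst = ACT_ALLOW;
    *matched = NULL;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        if (!POLICY[i].cond(c)) continue;
        if (!*matched) *matched = POLICY[i].name;
        if (POLICY[i].action > worst) worst = POLICY[i].action;
    }
    return worst;
}

/* Stack receive path: flag validation picks normal vs. error path, and both
 * run the IDS before anything reaches the application. */
static enum ids_action stack_receive(enum proto_state st, unsigned flags,
                                     const char *data, size_t len, const char **matched)
{
    struct segment seg = { flags, (const unsigned char *)data, len };
    struct ids_ctx c = { st, &seg, (flags & FL_SYN) && (flags & FL_FIN) };
    return ids_evaluate(&c, matched);
}

enum ids_action ids_action_for(enum proto_state st, unsigned flags, const char *d, size_t n)
{ const char *m; return stack_receive(st, flags, d, n, &m); }

const char *ids_rule_for(enum proto_state st, unsigned flags, const char *d, size_t n)
{ const char *m; stack_receive(st, flags, d, n, &m); return m; }

/* Constructed sample input: a 40-byte NOP sled. */
const char *sled_payload(void) { static char s[40]; memset(s, 0x90, sizeof s); return s; }

int main(void)
{
    static const char *names[] = { "ALLOW", "LOG", "DROP", "RESET" };
    const char *m;
    enum ids_action a = stack_receive(ST_ESTABLISHED, FL_ACK, "GET / HTTP/1.0\r\n", 16, &m);
    printf("benign request       -> %s (%s)\n", names[a], m ? m : "-");
    a = stack_receive(ST_ESTABLISHED, FL_ACK, sled_payload(), 40, &m);
    printf("nop sled             -> %s (%s)\n", names[a], m ? m : "-");
    a = stack_receive(ST_LISTEN, FL_SYN | FL_FIN, "EVILCMD", 7, &m);
    printf("SYN+FIN + signature  -> %s (%s)\n", names[a], m ? m : "-");
    return 0;
}
```

Two design points carry over from the claims. Because the evaluation sits at the connection endpoint, it sees the payload after the stack has already decrypted and reassembled it, which is what lets claim 15's encrypted-in-transit traffic still be inspected. And because the context includes protocol state, the same bytes can be benign in `ST_ESTABLISHED` and suspicious in `ST_LISTEN`, something a signature-only network sensor cannot express.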
RELATED INVENTIONS
[0001] The present invention is related to the following commonly-assigned U.S. patents, all of which were filed on Dec. 5, 2001 and which are hereby incorporated herein by reference: U.S. Pat. No. ______ (Ser. No. 10/007,593), entitled “Kernel-Based Security Implementation”; U.S. Pat. No. ______ (Ser. No. 10/007,446), entitled “Policy-Driven Kernel-Based Security Implementation”; U.S. Pat. No. ______ (Ser. No. 10/007,582), entitled “Offload Processing for Secure Data Transfer”; and U.S. Pat. No. ______ (Ser. No. 10/007,581), entitled “Offload Processing for Security Session Establishment and Control”. These U.S. patents are referred to hereinafter as “the related inventions”. The present invention is also related to commonly-assigned U.S. Pat. No. ______ (Ser. No. ______), entitled “Intrusion Event Filtering and Generic Attack Signatures”, which was filed concurrently herewith.