Method and system for detecting intrusion into and misuse of a data processing system

摘要

A processing system intrusion and misuse detection system and method utilizes instructions for and steps of processing system inputs into events and processing the events with reference to a set of selectable misuses in a misuse engine to produce one or more misuse outputs. The system and method convert processing system generated inputs to events by establishing an event data structure that stores the event. The event data structure includes authentication information, subject information, and object information. Processing system audit trail records, system log file data, and system security state data are extracted from the processing system to form the event data structure. A signature data structure stores signatures that the misuse engine compares and matches to selectable misuses. The signature data structure includes an initial state for each selectable misuse, an end state for each selectable misuse, one or more sets of transition functions for each selectable misuse, and one or more states for each selectable misuse, which can include the end state or the initial state. Furthermore, a misuse output and an index are utilized so that for each selectable misuse element there is a mechanism for loading the signature data structure.