CPC H04L 63/1425 (2013.01) [G06F 16/152 (2019.01); H04L 63/1416 (2013.01)]; 17 Claims

1. A method providing recognition of normal versus abnormal system behavior for improved intrusion detection, the method comprising:
generating, from at least one operating system kernel module at ring 0, a first file hash analysis for at least one file on a client node;
transmitting the first file hash analysis to an intrusion detection server configured to analyze file hash analyses;
generating, from the at least one operating system kernel module at ring 0, a second file hash analysis for the at least one file;
transmitting the second file hash analysis to the intrusion detection server;
comparing the first file hash analysis with the second file hash analysis to determine if an intrusion has occurred,
wherein if the first file hash analysis and the second file hash analysis are identical, generating a third file hash analysis for the at least one file; and,
wherein if the first file hash analysis and the second file hash analysis are not identical, generating and transmitting a secure notification to at least one mobile device, wherein the at least one mobile device is linked to the at least one operating system kernel via a secure and authenticated connection protocol; and
responsive to a determination that an abnormal system behavior has occurred, causing at least one mitigation activity to be executed at the client node.
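The claim above describes a file-integrity comparison loop: a ring-0 module hashes a file, the server compares each new hash with the previous one, an identical pair triggers another hashing round, and a differing pair triggers a secure notification and a mitigation at the client node. The following is an added example written for this page, not code from the patent or from any implementation by its assignee. It simulates that loop in user space: `kernel_hash_analysis` stands in for the kernel module (a real implementation would read the file from inside the kernel so that user-space tampering cannot bypass it), and the node name, mobile device identifier, secure-notification channel and "quarantine" mitigation are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical identifiers, constructed for this example (not from the patent).
CLIENT_NODE = "client-node-01"
MOBILE_DEVICE = "mobile-device-01"


@dataclass(frozen=True)
class FileHashAnalysis:
    """One 'file hash analysis' in the claim's terms: which node, which file, which digest."""
    node: str
    path: str
    digest: str


def kernel_hash_analysis(node: str, path: str, content: bytes) -> FileHashAnalysis:
    """Stand-in for the ring-0 kernel module of the claim (assumption: simulated in user space).

    Only the digest leaves the node, so the server never needs the file itself.
    """
    return FileHashAnalysis(node, path, hashlib.sha256(content).hexdigest())


@dataclass
class IntrusionDetectionServer:
    """Server side of the claim: remembers the last digest per (node, path), compares each
    new analysis against it, and drives notification and mitigation when they differ."""
    last_hash: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)

    def receive(self, analysis: FileHashAnalysis) -> str:
        key = (analysis.node, analysis.path)
        previous = self.last_hash.get(key)
        if previous is None:
            # First analysis for this file: record it, nothing to compare yet.
            self.last_hash[key] = analysis.digest
            return "baseline"
        if previous == analysis.digest:
            # Identical: the claim's branch that simply schedules the next hash analysis.
            return "rehash"
        # Not identical: secure notification to the mobile device plus mitigation at the node.
        # The stored baseline is deliberately left unchanged so the alert persists until the
        # file is restored or an operator re-baselines it.
        self.notifications.append(self.secure_notify(MOBILE_DEVICE, analysis, previous))
        self.mitigations.append(self.request_mitigation(analysis))
        return "alert"

    @staticmethod
    def secure_notify(device: str, analysis: FileHashAnalysis, expected: str) -> dict:
        # Placeholder for the authenticated mobile channel; a real one would sign/encrypt this.
        return {"device": device, "node": analysis.node, "path": analysis.path,
                "expected": expected, "observed": analysis.digest}

    @staticmethod
    def request_mitigation(analysis: FileHashAnalysis) -> dict:
        # Placeholder mitigation order sent back to the client node.
        return {"node": analysis.node, "action": "quarantine", "path": analysis.path}


def run_monitoring(server: IntrusionDetectionServer, node: str, path: str, snapshots) -> list:
    """Feed successive file contents (one per client hashing cycle) to the server and
    return the server's decision for each cycle."""
    return [server.receive(kernel_hash_analysis(node, path, content)) for content in snapshots]


if __name__ == "__main__":
    # Constructed sample: two unchanged reads of a script, then a modified copy.
    snapshots = [b"#!/bin/sh\necho ok\n", b"#!/bin/sh\necho ok\n", b"#!/bin/sh\necho tampered\n"]
    srv = IntrusionDetectionServer()
    print(run_monitoring(srv, CLIENT_NODE, "/usr/local/bin/healthcheck", snapshots))
    print(srv.notifications)
    print(srv.mitigations)
```

Two design points worth noting. The comparison lives on the server, so a client that has already been tampered with cannot suppress an alert by skipping the comparison; it could only forge the digests it sends, which is precisely what the claim's ring-0 placement is meant to make harder. And the baseline is not overwritten on mismatch, so a changed file keeps alerting on every cycle rather than becoming the new "normal" after one round.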