Real Time UNIX Kernel based Intrusion Detection System

K.E.A. Negm (UAE)


Keywords: Intrusion Detection, Unix System Calls


Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegal activities. Several new approaches for detecting malicious attacks on computer systems or malicious applications have emerged over the past several years. These techniques often rely on the fact that when a system is attacked from a remote location, damage can be done only through system calls made by processes running on the target system. This has led to interest in developing infrastructures that enable secure interception and modification of system calls made by processes running on the target system. Most known approaches to this problem have relied on an in-kernel design, where the interception mechanisms as well as the intrusion detection systems are implemented within the operating system kernel. We explore an alternative approach that uses mechanisms provided by most variants of the UNIX operating system to implement system call interposition at user level, where the system calls made by one process are monitored by another process. This approach depends heavily on the performance of the available interposition infrastructure. In this research we present a solution that satisfactorily addresses these issues, and can thus lead to a platform for rapid development and deployment of robust intrusion detectors.
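As an added illustration of the user-level interposition the abstract describes (example code written for this page, not the paper's implementation), a tracer process uses Linux ptrace(2) to stop a child at every system call, checks the syscall number against a policy, and kills the child on the first violation. It assumes the Linux x86_64 register layout; the denied-syscall list is a constructed placeholder policy, not one from the paper.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed placeholder policy (assumed x86_64 Linux syscall numbers, not the paper's). */
static const long denied_syscalls[] = { 62 /* kill */, 101 /* ptrace */, 165 /* mount */ };

/* Policy check: 1 if the syscall number is permitted, 0 if it must be blocked. */
int syscall_allowed(long nr) {
    for (size_t i = 0; i < sizeof denied_syscalls / sizeof denied_syscalls[0]; i++)
        if (denied_syscalls[i] == nr) return 0;
    return 1;
}

/* Monitor loop: stop the tracee at every syscall boundary; on x86_64 the kernel sets
 * rax to -ENOSYS at syscall entry, which tells entry stops from exit stops. Only
 * entries are checked. Returns the number of entries inspected (0 on other arches). */
long monitor(pid_t child) {
    long inspected = 0; int status;
    if (waitpid(child, &status, 0) == -1) return -1;     /* post-exec SIGTRAP stop */
    ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, child, 0, 0) != -1 && waitpid(child, &status, 0) != -1) {
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        /* non-syscall stops (signals) are simply resumed here, signal swallowed, for brevity */
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
#ifdef __x86_64__
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, 0, &regs) == -1) break;
        if ((long)regs.rax != -ENOSYS) continue;          /* exit stop: nothing to decide */
        inspected++;
        if (!syscall_allowed((long)regs.orig_rax)) {
            fprintf(stderr, "policy violation: syscall %ld, killing pid %d\n",
                    (long)regs.orig_rax, (int)child);
            kill(child, SIGKILL);
        }
#endif
    }
    return inspected;
}

int main(int argc, char **argv) {                        /* usage: ./monitor prog [args] */
    if (argc < 2) return 1;
    pid_t child = fork();
    if (child == 0) { ptrace(PTRACE_TRACEME, 0, 0, 0); execvp(argv[1], argv + 1); _exit(127); }
    printf("inspected %ld syscall entries\n", monitor(child));
    return 0;
}
```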
