 Next: Intrusion Detection Wrappers
 Up: Detecting and Countering System
 Previous: Abstract
Intrusion detection is a retrofit approach to enhancing the security of 
computer systems. It utilizes various audit data to identify activities that 
could compromise the security of a system. 
Traditionally, intrusion detection systems (IDS) are user-space applications 
that utilize audit data generated by audit systems (e.g., Solaris Basic 
Security Module (BSM)) or network sniffers to detect intrusive activities. 
The capabilities of these user-space IDSs are restricted by the quality of the 
audit data and the services provided by the operating systems. 
For instance, audit systems do not provide all the data required by IDSs,
thus limiting the attacks that can be detected by the IDSs.
In addition, audit systems offer rudimentary methods for selecting data to 
be logged. In particular, most audit systems do not support selection of a 
particular program to audit.
Also, as the data is generated in the kernel, every time a system 
action has to be logged or analyzed, the information has to be transferred 
from kernel space to user space, causing a context switch, and increasing 
the load imposed on the system by the IDS.
Thus, user-space IDSs suffer from high overheads and low efficiency, as well
as long delay (in CPU cycles) in detecting intrusions.
Lastly, user-space IDSs are not sufficiently protected by operating systems 
and cannot completely protect themselves.
Our goal is to integrate ID functions into the kernel to remedy
some of the problems that arise in user-space intrusion detection.
Specifically, we exploit the execution environment provided by Generic Software
Wrappers [4] to enhance the intrusion detection and response 
capability of a system.  
An ID logic implemented as an ID wrapper can 1) 
selectively examine any parameters of system calls and the entire system 
state, 2) analyze a system call before or immediately after the call is 
executed, 3) analyze system calls inside the kernel, thus avoiding the 
overhead of transferring audit data from kernel space to user space, and 
4) protect itself by denying intrusive operations.  
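The four capabilities above, as an added illustration in C that is not the paper's or the Generic Software Wrappers toolkit's code: a simulated specification-based wrapper on open(2) whose pre-call hook inspects the full argument list and denies out-of-specification writes, and whose post-call hook observes the result of the real call. The idw_* names, the write-path policy and the stand-in for the real call are constructed assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>

/* Added illustration, not the Generic Software Wrappers toolkit's own code:
 * a specification-based ID wrapper interposed on open(2). The pre-call hook
 * sees the full argument list before the call runs, the post-call hook sees
 * its result, and a violation is denied instead of merely logged.
 * The idw_* names and the write-path policy are constructed for this example. */

typedef struct {
    const char **writable;   /* paths the specification lets the program open for writing */
    int n_writable;
    int violations;          /* write-opens denied by the pre-call hook */
    int completed;           /* calls that reached the real open() and succeeded */
    const char *last_denied; /* parameter captured in-kernel for the report */
} idw_ctx;

/* Pre-call hook: "only the listed paths may be opened for writing". */
static int idw_pre_open(idw_ctx *c, const char *path, int flags) {
    if ((flags & O_ACCMODE) == O_RDONLY)
        return 0;                        /* reads are outside this specification */
    for (int i = 0; i < c->n_writable; i++)
        if (strcmp(path, c->writable[i]) == 0)
            return 0;
    c->violations++;
    c->last_denied = path;
    return -EPERM;                       /* deny: the real call never executes */
}

/* Post-call hook: observe the result immediately after the real call. */
static void idw_post_open(idw_ctx *c, int rc) {
    if (rc >= 0) c->completed++;
}

/* Wrapped entry point; real_open is the underlying call (a stub in tests). */
int idw_open(idw_ctx *c, const char *path, int flags,
             int (*real_open)(const char *, int)) {
    int deny = idw_pre_open(c, path, flags);
    if (deny != 0)
        return deny;
    int rc = real_open(path, flags);
    idw_post_open(c, rc);
    return rc;
}

/* Stand-in for the kernel's open(): never touches the file system. */
int idw_stub_open(const char *path, int flags) { (void)path; (void)flags; return 3; }
```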
We have implemented several intrusion detection techniques, tested the
ID wrappers using several existing attacks, and measured the performance of
the ID wrappers. Our conclusion is that intrusion detection algorithms 
can be easily
encoded as wrappers that perform efficiently inside the kernel.  Also,
ID wrappers can be configured and managed easily to support a coherent
global intrusion detection and response policy.  We envision that ID wrappers 
can be used individually to protect a system or as components of a large-scale 
intrusion detection system.
The rest of the paper is organized as follows.
Section 2 presents an overview of ID wrappers, focusing on the capability of 
ID wrappers provided by the Generic Software Wrapper Toolkit and our 
extensions to the toolkit for supporting intrusion detection.
In section 3, we present how we implement various ID 
techniques--specification-based, signature-based, and sequence-based 
techniques--using wrappers. 
In section 4, we present our experiments for testing ID wrappers with 
simulated attacks. We also describe a composition experiment in which two
ID wrappers employing two different techniques cooperate with another
abstract wrapper that combines the findings of the two ID wrappers.
In addition, we present the performance results of the ID wrappers,
showing that intrusion detection functions can be executed, managed,
and coordinated in the kernel with a minimal observed application performance 
penalty.  Section 5 discusses related work. In section 6, we discuss
the pros and cons of the kernel-resident intrusion detection approach 
as well as our experience in realizing this approach using Generic Software 
Wrappers.  Section 7 provides the conclusion and suggests future research.
Calvin Ko
2000-06-13