Abstract:
This paper details the design and implementation of a host-based intrusion detection system (Hewlett-Packard's Praesidium IDS/9000) and a specialized kernel data source that supplies customized data to the IDS. Instead of the attack-signature matching common to most other intrusion detection systems, IDS/9000 monitors the system in real time for misuse actions that indicate either an attack or a violation of system policy. These misuse actions are called building blocks. As part of the design and implementation, a new kernel data source was developed specifically to aid intrusion detection. We describe the desired characteristics of an Intrusion Detection Data Source (IDDS), which is provided separately from the normal C2 audit subsystem. This new auditing subsystem produces customized audit records tailored to the needs of the intrusion detection system. Performance measurements are provided, and we also discuss some alternative uses of IDS/9000 that were discovered during the testing phase.
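To make the building-block idea concrete, the following added example (written for this summary, not code from the paper or from IDS/9000) evaluates two illustrative misuse building blocks over a constructed stream of kernel-style audit records. The record layout, the directory and program lists, and the two blocks themselves are assumptions; the abstract does not describe the IDDS record format or the product's own building-block catalogue. The point it shows is that a block such as "uid 0 reached by a process that never ran a known privilege-transition program" depends on per-process state drawn from kernel events, which a byte-pattern signature cannot express.

```python
from dataclasses import dataclass
from typing import Dict, List
# Constructed record layout standing in for a kernel audit record; the abstract
# does not describe the IDDS record format, so these fields are an assumption.
@dataclass(frozen=True)
class AuditRecord:
    pid: int
    uid: int            # effective uid at the time of the call
    syscall: str        # "exec", "open_write" or "setuid"
    path: str = ""      # image or file path for exec/open_write
    new_uid: int = -1   # requested uid for setuid
SYSTEM_DIRS = ("/etc/", "/sbin/", "/usr/bin/")
PRIV_TRANSITION_IMAGES = {"/usr/bin/su", "/usr/bin/login"}

def bb_system_write(rec: AuditRecord, last_image: Dict[int, str]) -> str:
    # Block 1 (stateless): an unprivileged process writes under a system directory.
    if rec.uid != 0 and rec.syscall == "open_write" and rec.path.startswith(SYSTEM_DIRS):
        return f"pid {rec.pid} uid {rec.uid} wrote {rec.path}"
    return ""

def bb_unexpected_root(rec: AuditRecord, last_image: Dict[int, str]) -> str:
    # Block 2 (stateful): uid 0 reached by a process that never exec'd a known
    # privilege-transition program; needs the per-pid exec history, not a signature.
    if rec.syscall == "setuid" and rec.new_uid == 0 and rec.uid != 0:
        image = last_image.get(rec.pid, "<unknown>")
        if image not in PRIV_TRANSITION_IMAGES:
            return f"pid {rec.pid} ({image}) gained uid 0 from uid {rec.uid}"
    return ""

def monitor(records: List[AuditRecord]) -> List[str]:
    """Run the record stream through every building block and return the alerts."""
    last_image: Dict[int, str] = {}   # pid -> most recently exec'd image
    alerts: List[str] = []
    for rec in records:
        if rec.syscall == "exec":
            last_image[rec.pid] = rec.path
        for block in (bb_system_write, bb_unexpected_root):
            alert = block(rec, last_image)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample stream: a normal su, an editor saving a home-directory
# file, an unexpected uid-0 transition, and a write into /etc by uid 501.
SAMPLE = [
    AuditRecord(100, 501, "exec", "/usr/bin/su"), AuditRecord(100, 501, "setuid", new_uid=0),
    AuditRecord(101, 501, "exec", "/usr/bin/vi"), AuditRecord(101, 501, "open_write", "/home/alice/notes"),
    AuditRecord(102, 501, "exec", "/tmp/x"), AuditRecord(102, 501, "setuid", new_uid=0),
    AuditRecord(103, 501, "open_write", "/etc/inetd.conf"),
]
```

Running `monitor(SAMPLE)` yields two alerts, one per block, while the legitimate su and the home-directory write pass silently.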