Simple, state-based approaches to program-based anomaly detection
ACM Transactions on Information and System Security (TISSEC)
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
Synthesizing fast intrusion prevention/detection systems from high-level specifications
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Anomaly detection in computer security and an application to file system accesses
ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems
Hi-index | 0.00 |
In this paper, we propose an intrusion detection and prevention system using sensor objects that are a kind of trap and are accessible only by the programs that are allowed by the system. Any access to the sensor object by disallowed programs or any transmission of the sensor object to outside of the system is regarded as an intrusion. In such case, the proposed system logs the related information on the process as well as the network connections, and terminates the suspicious process to prevent any possible intrusion. By implementing the proposed method as Loadable Kernel Module (LKM) in the Linux, it is impossible for any process to access the sensor objects without permission. In addition, the security policy will be dynamically applied at run time. Experimental results show that the security policy is enforced with negligible overhead, compared to the performance of the unmodified original system.