Using internal sensors and embedded detectors for intrusion detection¹

Article type: Research Article

Authors: Kerschbaum, Florian | Spafford, Eugene H. | Zamboni, Diego^{; *}

Affiliations: Center for Education and Research in Information Assurance and Security, 1315 Recitation Building, Purdue University, West Lafayette, IN 47907-1315, USA. E-mail: kerschf@cerias.purdue.edu, spaf@cerias.purdue.edu, zamboni@cerias.purdue.edu

Correspondence: [*] Corresponding author.

Note: [1] Portions of this work were supported by sponsors of CERIAS.

Abstract: We introduce the concept of using internal sensors to perform intrusion detection in computer systems. We show its practical feasibility and discuss its characteristics, related design and implementation issues. We introduce a classification of data collection mechanisms for intrusion detection systems. At a conceptual level, these mechanisms are classified as direct and indirect monitoring. At a practical level, direct monitoring can be implemented using external or internal sensors. Internal sensors provide advantages with respect to reliability, completeness, timeliness and volume of data, in addition to efficiency and resistance against attacks. We introduce an architecture called ESP as a framework for building intrusion detection systems based on internal sensors. We describe in detail a prototype implementation based on the ESP architecture and introduce the concept of embedded detectors as a mechanism for localized data reduction. Our implementation shows that it is possible to build both specific (specialized for a certain intrusion) and generic (able to detect different types of intrusions) detectors. Performance testing of the ESP implementation shows the impact that embedded detectors can have on a computer system. Detection testing shows that embedded detectors have the capability of detecting a significant percentage of new attacks.

DOI: 10.3233/JCS-2002-101-203

Journal: Journal of Computer Security, vol. 10, no. 1-2, pp. 23-70, 2002