Computer security has become an increasingly important aspect of today’s digital world. Computer security, or information security, is necessary to protect our data, money, and even identity. Part of this protection is knowing if and when a system is under attack. An Intrusion Detection System (IDS) does just that. It detects when an intrusion or other malicious attack has occurred and allows actions to be taken that will prevent or repair damage.
The goal of this project was to fully instrument the Linux kernel using the Linux Instrumentation Tool (LIT) so that computer intrusions may be detected based on the frequency of kernel module calls. In earlier work, the modules concerning networking functions were instrumented and the system was shown to be able to produce data. Completion of this project shows that we are able to collect data from the entire kernel, and also suggests further work to be done in the area of detection algorithms.
It should be noted that our intention was to create a library of attack data which may be used for the creation of attack signatures. These signatures could then be used for detection. The recovery process after or during an attack is outside the scope of this research.
The advantage of a system based on system calls is that it is faster and more dependable than an IDS based on other variables. The data readout is nearly real-time and produces very little overhead, therefore allowing users to continue working at their normal pace. System calls are also far harder to fake or hide. In order for any program to work it must use these calls, and since the IDS is embedded inside the kernel itself, these calls cannot be hidden.
During our research we considered other variables which could be taken into account: system logs, timestamps, etc. While some of these would act as an added benefit for forensic analysis after an attack, they did not offer any advantages while attempting to detect an ongoing attack in real time. It is for this reason that our system is only concerned with module call frequency, the number of times a module was called within a set time interval.
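To make the frequency notion concrete, the following is an added example (not the project's LIT code) that bins a constructed trace of module calls into fixed time intervals, builds a per-module peak profile from known-normal activity, and flags intervals whose counts exceed that profile. The record format, module names and threshold factor are assumptions for illustration.

```python
from collections import Counter

# A trace record is (timestamp_seconds, module_name). This is a constructed
# format; the page does not describe the actual LIT readout layout.
NORMAL_TRACE = [(0.1, "sys_read"), (0.4, "sys_read"), (0.7, "sys_write"),
                (1.2, "sys_read"), (1.5, "tcp_sendmsg"), (1.9, "sys_read")]
SUSPECT_TRACE = [(0.2, "sys_read"), (0.3, "sys_write"), (1.0, "sys_fork"),
                 (1.1, "sys_fork"), (1.2, "sys_fork"), (1.3, "sys_read"),
                 (1.4, "sys_read"), (1.5, "sys_read"), (1.6, "sys_read"),
                 (1.7, "sys_read")]


def bin_frequencies(trace, interval):
    """Count calls per module in consecutive windows of `interval` seconds.

    One Counter per window starting at t=0; empty windows are kept so that
    a sudden drop in activity also shows up as a change in the profile."""
    records = sorted(trace)
    if not records:
        return []
    n_windows = int(records[-1][0] // interval) + 1
    windows = [Counter() for _ in range(n_windows)]
    for t, module in records:
        windows[int(t // interval)][module] += 1
    return windows


def baseline_profile(windows):
    """Per-module peak frequency seen in any window of normal activity."""
    profile = {}
    for w in windows:
        for module, count in w.items():
            profile[module] = max(profile.get(module, 0), count)
    return profile


def flag_windows(windows, profile, factor=2.0):
    """Return (window_index, module, count) for every module whose count in a
    window exceeds `factor` times its baseline peak. A module never seen
    during the baseline has a peak of 0, so any call to it is flagged."""
    alerts = []
    for i, w in enumerate(windows):
        for module, count in w.items():
            if count > factor * profile.get(module, 0):
                alerts.append((i, module, count))
    return alerts


def run_detection(interval=1.0, factor=2.0):
    profile = baseline_profile(bin_frequencies(NORMAL_TRACE, interval))
    return flag_windows(bin_frequencies(SUSPECT_TRACE, interval), profile, factor)


if __name__ == "__main__":
    print(run_detection())  # [(1, 'sys_fork', 3), (1, 'sys_read', 5)]
```

The profile-and-threshold step stands in for the signature matching the project leaves to future work; real traces would use many baseline windows rather than two.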
Background and Significance
To better understand the concepts of this research, we must begin by first defining some important terms that will be used to describe objects, techniques, etc. Beginning with our most basic notion we have the operating system. This, the programs running on it, and the data contained are what the IDS is designed to protect (Operating System, 2008).
An operating system (OS) is the software that manages the resources of a computer and provides programmers with an interface used to access those resources. An operating system processes system data and user input, and responds by allocating and managing tasks and internal system resources as a service to users and programs of the system. An operating system performs basic tasks such as controlling and allocating memory, prioritizing system requests, controlling input and output devices, facilitating computer networking and managing files.
The variety and variability of operating systems makes it difficult to design cross-compatible systems. Therefore this aspect was ignored in our research. The resulting system depends on the Linux kernel. The kernel is the core component of the OS and was the key focus of our work. Below is the definition as well as a graphical depiction of how the kernel works. Here, it is fairly clear that the kernel essentially acts as a middleman between the software and the hardware. It is for this reason that implementing the IDS inside the kernel is so advantageous (Kernel, 2008).
… the kernel is the central component of most computer operating systems (OS). Its responsibilities include managing the system’s resources (the communication between hardware and software components). As a basic component of an operating system, a kernel provides the lowest-level abstraction layer for the resources (especially memory, processors and I/O devices) that application software must control to perform its function. It typically makes these facilities available to application processes through inter-process communication mechanisms and system calls.