 Next: Performance
 Up: Experiments and Performance Measurement
 Previous: Experiments and Performance Measurement
Our wrapper framework allows multiple ID wrappers to cooperate to
enhance their performance. The Common Intrusion Detection Framework
[6] discusses several ways in which ID components can cooperate with each other.
We performed an experiment in which two ID wrappers
cooperate to reinforce each other's findings. Figure 4 depicts the
configuration. A sequence-based wrapper and a specification-based wrapper
are both used to wrap the imapd program. Every system call performed
by imapd is intercepted by both wrappers (the order is
determined by the loading sequence). Each wrapper analyzes the operations
of imapd individually and generates an abstract warning event to the
abstract wrapper (Com_id) when it finds an attack. The abstract wrapper
judges the output from both Seq_id and Imapd_id and accepts
it only when both ID wrappers conclude that the program is under attack. In that case
it kills the process.
We tested the composite ID wrappers using the imapd attack described
in the last subsection. An interesting observation is that the two wrappers detect
the attack at different system calls. Imapd_id detected the
attack when the program executed a Bourne shell (at the execve system
call). Seq_id detected the attack several system calls after
the execve system call. The abstract ID wrapper Com_id killed
the process only after it had received warnings from both wrappers.
Potentially, such a configuration could reduce the false positive rate, since
the IDS as a whole reports a false attack only when both techniques produce a
false positive at the same time. However, it could also allow some attacks to escape
detection if only one of the two techniques detects the attack.
Thus, further research is needed to determine how best to combine
different techniques.
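The following simulation is an added illustration, not code from the paper or from the wrapper framework it describes. It models the composition above in Python: a sequence-based wrapper (Seq_id) that warns once enough unseen call n-grams have accumulated, a specification-based wrapper (Imapd_id) that warns when imapd executes a shell, and an abstract wrapper (Com_id) that kills the process only when every wrapper has warned. The training traces, the attack trace and the benign trace are constructed, and the n-gram profile with a mismatch threshold is an assumed model of the sequence-based technique, chosen so that Seq_id fires a few calls after the execve, as observed in the experiment. A second policy ("any") is included only to make the false-positive versus missed-detection trade-off of the last paragraph concrete.

```python
from collections import deque

# Constructed training traces (system-call names only) for the sequence profile.
NORMAL_TRACES = [
    ["read", "write", "read", "write", "close"],
    ["read", "open", "read", "close", "write"],
]

# Constructed attack trace: imapd is driven to execve a shell, and the shell
# then issues a sequence of calls that imapd itself never makes.
ATTACK_TRACE = [
    ("read", None), ("write", None), ("read", None),
    ("execve", "/bin/sh"),
    ("brk", None), ("open", None), ("dup2", None), ("execve", "/bin/ls"),
]

# Constructed benign trace that is merely unusual: no shell is executed, but
# the ordering of calls is absent from the (small) training profile.
BENIGN_TRACE = [
    ("read", None), ("open", None), ("read", None), ("write", None),
    ("open", None), ("close", None), ("read", None), ("close", None),
]


def ngrams(seq, n):
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


class SeqId:
    """Sequence-based wrapper (assumed model): warns once the number of call
    n-grams not seen during training reaches `threshold`, so it fires a few
    calls after the first anomalous call rather than at it."""

    def __init__(self, training, n=3, threshold=3):
        self.n = n
        self.threshold = threshold
        self.profile = set().union(*(ngrams(t, n) for t in training))
        self.window = deque(maxlen=n)
        self.mismatches = 0

    def observe(self, call, arg):
        self.window.append(call)
        if len(self.window) == self.n and tuple(self.window) not in self.profile:
            self.mismatches += 1
        return self.mismatches >= self.threshold


class ImapdId:
    """Specification-based wrapper: imapd must never execute a shell."""

    SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh"}

    def observe(self, call, arg):
        return call == "execve" and arg in self.SHELLS


class ComId:
    """Abstract wrapper: collects the ID wrappers' warning events and decides
    whether to kill the process. Policy 'all' kills only when every wrapper
    has warned (the configuration in the text); 'any' kills on the first
    warning and is included only to compare the trade-off."""

    def __init__(self, wrappers, policy="all"):
        self.wrappers = wrappers
        self.policy = policy
        self.first_warning = {}  # wrapper class name -> index of first warning

    def run(self, trace):
        """Feed the trace call by call; return the index of the system call at
        which the process is killed, or None if it runs to completion."""
        for i, (call, arg) in enumerate(trace):
            for w in self.wrappers:
                name = type(w).__name__
                if w.observe(call, arg) and name not in self.first_warning:
                    self.first_warning[name] = i
            warned = len(self.first_warning)
            if (self.policy == "all" and warned == len(self.wrappers)) or \
               (self.policy == "any" and warned > 0):
                return i
        return None


def run_composite(trace, policy="all"):
    """Build fresh wrappers, run one trace, return (kill_index, first_warnings)."""
    com = ComId([SeqId(NORMAL_TRACES), ImapdId()], policy=policy)
    return com.run(trace), dict(com.first_warning)


if __name__ == "__main__":
    for label, trace in (("attack", ATTACK_TRACE), ("benign", BENIGN_TRACE)):
        for policy in ("all", "any"):
            killed, warnings = run_composite(trace, policy)
            print(f"{label:6} policy={policy:3} killed_at={killed} warnings={warnings}")
```

On the attack trace, Imapd_id warns at the execve (index 3) and Seq_id two calls later (index 5), so the "all" policy kills at index 5 and the "any" policy at index 3. On the benign trace only Seq_id warns, so the "all" policy lets the process run while "any" would have killed it: the same conjunction that suppresses this false positive would also miss an attack that only one wrapper recognizes.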
Calvin Ko
2000-06-13