Next: Bibliography
Up: Detecting and Countering System
Previous: Discussion
We have described our effort to enhance IDS capability by exploiting
the execution environment offered by software wrappers.
In order to take advantage of the potential for increased
functionality and performance in kernel-resident intrusion detection
systems, we have begun the development of a Generic Software
Wrapper-based ID support framework, and have explored this
framework's ability to ease the implementation, management and
simultaneous composed deployment of three major intrusion-detection
algorithms. We have described our ID-support extensions to the basic
Generic Software Wrapper Toolkit, and how these extensions eased the
implementation of our prototype ID wrappers. Based on our experience
and the results of our performance benchmarks, we predict that many ID
techniques can be efficiently implemented as kernel-resident wrappers.
In all of our benchmarks, the overall observed application performance
penalty associated with the use of our ID wrappers never exceeded
7.4%.
In addition to increased efficiency, ID wrappers derive several other
benefits from their kernel-resident Generic Software Wrapper-based
implementation. First, the interposition capability of the wrappers
system provides ID wrappers with a greater range of fine-grained event
data than is available to user-space techniques, which must rely upon
log-based audit data. All system calls and their parameters are
visible to ID wrappers. Second, this interposition capability and the
generality of the C-based wrapper implementation language allow
wrappers to respond to intrusive events as they occur, with a broad
range of response functionality. Finally, using the wrapper
framework, kernel-resident ID components can be configured and managed
easily to enforce a global ID policy and possibly to interoperate with
large-scale IDSs running in user space.
Our most promising direction for future research concerns the
composition of multiple intrusion detection wrappers at run-time. The
ability to simultaneously apply multiple complementary intrusion detection
techniques to the same event stream appears to offer a
means of providing more accurate detection. Another promising
direction involves using the wrappers' ability to examine data
read from or written to specific files or connection endpoints (e.g., sockets) to
detect attacks that cannot be spotted by looking only at the parameters of
system calls.
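The two points above, run-time composition of several ID wrappers over one system-call stream and inspection of the data a call carries rather than only its parameters, as an added illustration that is not code from the paper or from the Generic Software Wrapper Toolkit. The event model, both wrappers, TRUSTED_PID and the "root:" marker are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of one system call as an interposing wrapper sees it:
 * caller pid, call name, file or endpoint path, and the write() payload. */
typedef struct { int pid; const char *call, *path, *data; } sc_event;
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict;
typedef verdict (*id_wrapper)(const sc_event *ev);
/* Hypothetical specification-based wrapper: only TRUSTED_PID may open
 * anything under /etc; any other caller is denied as the call happens. */
#define TRUSTED_PID 42
static verdict spec_wrapper(const sc_event *ev) {
    if (strcmp(ev->call, "open") == 0 && strncmp(ev->path, "/etc/", 5) == 0
        && ev->pid != TRUSTED_PID)
        return VERDICT_DENY;
    return VERDICT_ALLOW;
}
/* Hypothetical content wrapper: inspects the bytes written to a socket
 * endpoint, which a parameter-only check cannot see; "root:" is a
 * constructed marker for password-file content leaving the host. */
static verdict content_wrapper(const sc_event *ev) {
    if (strcmp(ev->call, "write") == 0 && ev->data != NULL
        && strncmp(ev->path, "sock:", 5) == 0 && strstr(ev->data, "root:"))
        return VERDICT_DENY;
    return VERDICT_ALLOW;
}
/* Run-time composition: all wrappers see the same event; deny if any denies. */
static unsigned compose(const sc_event *ev, const id_wrapper *ws, size_t n, verdict *out) {
    unsigned fired = 0;            /* bitmask of the wrappers that fired */
    *out = VERDICT_ALLOW;
    for (size_t i = 0; i < n; i++)
        if (ws[i](ev) == VERDICT_DENY) { fired |= 1u << i; *out = VERDICT_DENY; }
    return fired;
}
/* Feeds a constructed event stream through both wrappers; returns denials. */
int run_stream(void) {
    const id_wrapper ws[] = { spec_wrapper, content_wrapper };
    const sc_event stream[] = {
        { 42, "open",  "/etc/passwd",  NULL },         /* trusted caller: allowed */
        { 77, "open",  "/etc/passwd",  NULL },         /* denied by spec_wrapper */
        { 77, "write", "sock:peer",    "root:x:0:0" }, /* denied by content_wrapper */
        { 77, "write", "/tmp/app.log", "hello" },      /* allowed */
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        verdict v;
        compose(&stream[i], ws, 2, &v);
        denied += (v == VERDICT_DENY);
    }
    return denied;
}
```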
Other directions include cooperation with large-scale intrusion detection
systems, the development of distributed ID wrappers, and efforts to improve the
trustworthiness and safety of the kernel-resident ID module.
Calvin Ko
2000-06-13