Next: Discussion
Up: Detecting and Countering System
Previous: Performance
Balasubramaniyan et al. [1] have proposed the use of autonomous
agents for intrusion detection. They have developed an architecture for the
autonomous ID agents. Our idea is similar to their agent idea in that ID
wrappers can be viewed as kernel-resident ID agents. Their conjecture is that
the performance of the agents can be improved if they are implemented inside
the kernel. Our results support their conjecture; in particular,
kernel-resident agents can be very efficient and impose very little
performance penalty on a system.
Sekar et al. [11] have devised an efficient method of
implementing a form of specification-based intrusion detection in the
kernel. Some of the implementation strategies employed by Sekar's
method are similar to those we have employed in ID wrappers. For
example, both efforts associate individual kernel-resident state
machines ("wrappers," in our terminology) with each application
process under observation, using interposition techniques at the
operating system's system call interface to enable these
kernel-resident state machines to observe application process behavior
at a fine-grained level of detail. Sekar's effort concentrates on the
efficient implementation of a single form of specification-based
intrusion detection, and has achieved a result which allows the
intrusion detection system to handle multiple patterns with the
same low overhead as a single pattern. Our effort, in contrast,
has sought to produce a general framework for the
implementation of multiple intrusion detection algorithms, as well as
a convenient means for managing their simultaneous deployment and
composition. Both our effort and Sekar's have observed favorably low
overheads in terms of observed application performance degradation due
to the use of kernel-resident intrusion detection. Sekar's technique
resulted in overheads of no more than 1.5% in ftpd, telnetd,
and httpd benchmarks documented in [2].
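As an added illustration (not the paper's or Sekar's kernel code), the following user-space Python simulation shows the mechanism the two efforts share: one wrapper per observed process, each holding a small state machine per specification pattern, fed by events captured at the system call interface. The patterns, process ids and the event trace are constructed for the example and are not taken from either paper.

```python
from collections import namedtuple

# One captured system call event as a wrapper would see it (constructed format).
Event = namedtuple("Event", "pid syscall arg")

# Constructed specification patterns (assumed, not from the paper). Each is a
# tiny automaton: (transitions, final_state); a transition is
# (state, syscall, arg_or_*, next_state); reaching final_state is a violation.
PATTERNS = {
    "exec_after_setuid": ([(0, "setuid", "*", 1), (1, "execve", "*", 2)], 2),
    "passwd_write":      ([(0, "open", "/etc/passwd", 1), (1, "write", "*", 2)], 2),
}


class Wrapper:
    """Simulated kernel-resident ID wrapper: one instance per observed process."""

    def __init__(self, pid):
        self.pid = pid
        self.state = dict.fromkeys(PATTERNS, 0)   # one small integer per pattern

    def observe(self, syscall, arg):
        """Advance every pattern on one event; return the alerts it raised."""
        alerts = []
        # Each event is examined once per pattern, so cost grows with the number
        # of patterns, not with the length of the trace, and the only retained
        # state is the per-pattern counter above.
        for name, (transitions, final) in PATTERNS.items():
            cur = self.state[name]
            for s, sc, a, nxt in transitions:
                if s == cur and sc == syscall and a in ("*", arg):
                    self.state[name] = nxt
                    break
            if self.state[name] == final:
                alerts.append((self.pid, name, syscall, arg))
                self.state[name] = 0   # reset so a repeat violation is reported
        return alerts


def run_trace(events):
    """Dispatch each event to the wrapper of its process; collect all alerts."""
    wrappers, alerts = {}, []
    for ev in events:
        w = wrappers.setdefault(ev.pid, Wrapper(ev.pid))
        alerts.extend(w.observe(ev.syscall, ev.arg))
    return alerts


# Constructed trace: pid 300's execve is benign because the setuid belonged to
# pid 200, which shows why state is kept per process rather than globally.
TRACE = [
    Event(100, "open", "/etc/passwd"), Event(200, "setuid", "0"),
    Event(100, "read", "-"),           Event(300, "execve", "/bin/ls"),
    Event(200, "execve", "/bin/sh"),   Event(100, "write", "-"),
]
```

Running `run_trace(TRACE)` yields two alerts, one for pid 200 and one for pid 100, and none for pid 300.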
Calvin Ko
2000-06-13