Next: Implementation
Up: Intrusion Detection Wrappers
Previous: Obtaining System State Information
In a large-scale IDS, an ID wrapper may be used as a data-collection component
that collects security-relevant data for intrusion analysis engines running in
user space. Such a scenario requires a very efficient mechanism for transferring
a large amount of data from wrappers running in kernel space to user processes
in a secure fashion. In addition, such a mechanism should allow multiple
intrusion detection systems to listen to the audit event data generated by
possibly different ID wrappers.
An audit event handler providing support for dispatching audit data to user
processes is incorporated into the basic wrapper toolkit. An intrusion
detection engine cooperating with an ID wrapper can register with the audit
event handler for the event queue to which it wants to listen. When the
cooperating ID wrapper collects relevant audit data and sends it to the audit
event queue, the audit event handler dispatches the data to the registered
intrusion detection engine.
In this approach, the IDS thread invokes a registration system call, naming
the audit queues it wants to listen to. The system call creates a pipe and
returns the read end of the pipe to the caller. The IDS thread then performs a
select system call on the read end of the pipe, which blocks the process until
data arrives. For each audit event, the event handler writes the entire event
structure to the write end of the pipe, so every read on the IDS side recovers
one whole event.
This method can promptly transfer events from the event handler to the
waiting thread in a thread-safe manner and with little overhead.
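The following is an added user-space simulation of the dispatch mechanism described above; it is not the wrapper toolkit's kernel code. The registration call, the dispatcher structure, the queue bitmask and the event layout are all assumptions made for the example. One pipe is created per registered listener, the handler side writes the entire fixed-size event structure to the write end of every pipe whose listener asked for that queue, and the IDS side blocks in select() on its read end and reads exactly one record at a time.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>

/* Constructed audit event record (hypothetical layout). It is fixed-size so
 * that one write() carries a whole event and one read() recovers a whole
 * event. sizeof(audit_event_t) is far below PIPE_BUF, so each write is
 * atomic even if several handler threads write to the same pipe. */
typedef struct {
    unsigned int queue_id;    /* audit queue number, 0..31 */
    unsigned int pid;         /* process the event concerns */
    unsigned int syscall_no;  /* system call that produced the event */
    char detail[32];          /* short NUL-terminated detail string */
} audit_event_t;

#define MAX_LISTENERS 4

/* Hypothetical dispatcher state: one pipe per registered IDS listener and a
 * bitmask of the audit queues that listener subscribed to. */
typedef struct {
    int read_fd[MAX_LISTENERS];
    int write_fd[MAX_LISTENERS];
    unsigned int queue_mask[MAX_LISTENERS];
    int count;
} audit_dispatcher_t;

void dispatcher_init(audit_dispatcher_t *d) { d->count = 0; }

/* Stand-in for the registration system call: creates a pipe, keeps the write
 * end for the handler and returns the read end to the IDS thread.
 * Returns -1 if no listener slot is free or pipe() fails. */
int register_listener(audit_dispatcher_t *d, unsigned int queue_mask) {
    int fds[2];
    if (d->count >= MAX_LISTENERS || pipe(fds) != 0) return -1;
    d->read_fd[d->count] = fds[0];
    d->write_fd[d->count] = fds[1];
    d->queue_mask[d->count] = queue_mask;
    d->count++;
    return fds[0];
}

/* Handler side: copy the whole struct to every listener registered for the
 * event's queue. Returns how many listeners received it. */
int dispatch_event(audit_dispatcher_t *d, const audit_event_t *ev) {
    int delivered = 0;
    for (int i = 0; i < d->count; i++) {
        if (!(d->queue_mask[i] & (1u << ev->queue_id))) continue;
        if (write(d->write_fd[i], ev, sizeof *ev) == (ssize_t)sizeof *ev)
            delivered++;
    }
    return delivered;
}

/* IDS side: block in select() on the read end until an event arrives or the
 * timeout expires, then read exactly one event record.
 * Returns 1 if an event was read, 0 on timeout, -1 on error or short read. */
int wait_for_event(int read_fd, audit_event_t *out, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&rfds);
    FD_SET(read_fd, &rfds);
    int r = select(read_fd + 1, &rfds, NULL, NULL, &tv);
    if (r <= 0) return r;
    return read(read_fd, out, sizeof *out) == (ssize_t)sizeof *out ? 1 : -1;
}

/* Scenario with two listeners and two constructed events. Returns the number
 * of events the listener subscribed to both queues received (2 when every
 * step behaves as described), or -1 on any unexpected result. */
int run_demo(void) {
    audit_dispatcher_t d;
    audit_event_t ev, got;
    dispatcher_init(&d);
    int a = register_listener(&d, 1u << 0);               /* queue 0 only */
    int b = register_listener(&d, (1u << 0) | (1u << 1)); /* queues 0 and 1 */
    if (a < 0 || b < 0) return -1;

    /* Constructed event on queue 1: only listener b should see it. */
    memset(&ev, 0, sizeof ev);
    ev.queue_id = 1; ev.pid = 4242; ev.syscall_no = 59;
    strncpy(ev.detail, "execve /usr/bin/passwd", sizeof ev.detail - 1);
    if (dispatch_event(&d, &ev) != 1) return -1;
    if (wait_for_event(a, &got, 10) != 0) return -1;  /* a times out: nothing queued */
    if (wait_for_event(b, &got, 10) != 1 || got.syscall_no != 59) return -1;

    /* Constructed event on queue 0: both listeners should see it. */
    ev.queue_id = 0; ev.pid = 4243; ev.syscall_no = 2;
    strncpy(ev.detail, "open /etc/shadow", sizeof ev.detail - 1);
    if (dispatch_event(&d, &ev) != 2) return -1;
    if (wait_for_event(a, &got, 10) != 1 || got.pid != 4243) return -1;
    if (wait_for_event(b, &got, 10) != 1 || strcmp(got.detail, "open /etc/shadow")) return -1;

    for (int i = 0; i < d.count; i++) { close(d.read_fd[i]); close(d.write_fd[i]); }
    return 2;
}

int main(void) {
    printf("events received by the two-queue listener: %d\n", run_demo());
    return 0;
}
```

The fixed-size record is the design point: because every write is one whole structure smaller than PIPE_BUF, readers never have to reassemble partial events, and the kernel handler needs no extra locking on the pipe to stay thread-safe. The select() timeout of 10 ms is only for the demonstration; a real IDS thread would pass NULL and block indefinitely.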
Calvin Ko
2000-06-13