Tim Westran, Michael Mack, and Richard J. Enbody
May 2005
This paper describes a variation of a kernel-level Intrusion Detection System (IDS). Because it operates in real time, it could equally be described as an intrusion prevention system. In addition to examining system calls, as others have done, we also examine the arguments to those system calls, together with the process ID (PID) and parent PID of the calling process. We also focus on the "lowest common denominator" of attacks: elevation of privilege. Together, that focus and the enriched data dramatically reduce false positives; in fact, false positives were eliminated for every attack we tested. Because the focus captures a whole class of host intrusions, the technique will also flag unknown but related attacks. We tested the IDS with a variety of intrusions on a Linux machine while it was in use by a user, and it flagged every intrusion in real time with no false positives.
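As an added illustration, and not code from the paper, the following Python script shows what the enrichment described above buys a privilege-escalation detector: it tracks each process's effective uid across fork/exec using PIDs and parent PIDs, checks the arguments and return values of uid-setting calls, and flags only transitions to root that did not come through an execve of a setuid-root binary. The event format (one record per system call with pid, ppid, euid at call time, name, arguments and return value), the setuid-root allowlist and the sample trace are all assumptions constructed for this example.

```python
"""Illustrative privilege-elevation detector over a constructed syscall trace.

Added example, not the paper's implementation. Assumes the kernel hook
delivers, per system call, the caller's pid, ppid and effective uid at call
time, the syscall name, its arguments and its return value (strace-style:
a successful execve reports ret == 0; fork/clone reports the child pid).
"""
from dataclasses import dataclass, field

# Assumed allowlist: setuid-root binaries whose execve may legitimately
# raise the caller's effective uid to 0 on the following call.
SETUID_ROOT_BINARIES = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}
UID_SETTING_CALLS = {"setuid", "setreuid", "setresuid"}


@dataclass
class Event:
    pid: int
    ppid: int
    euid: int        # effective uid of the caller when the call was made
    syscall: str
    args: tuple
    ret: int


@dataclass
class PrivEscDetector:
    creds: dict = field(default_factory=dict)   # pid -> last known euid
    pending_setuid_exec: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def feed(self, ev: Event) -> list:
        """Process one event; return the alerts it raised (also kept in self.alerts)."""
        new_alerts = []
        # A setuid-root execve licenses only the very next call from that pid.
        licensed = ev.pid in self.pending_setuid_exec
        self.pending_setuid_exec.discard(ev.pid)

        known = self.creds.get(ev.pid)
        if known is None:
            # First sight of this pid: inherit the parent's credentials when
            # known (that is what the ppid is for), else trust the observed euid.
            known = self.creds.get(ev.ppid, ev.euid)

        # Rule 1: euid went from non-root to root. Legitimate only directly
        # after an allowlisted setuid-root execve; anything else is flagged.
        if known != 0 and ev.euid == 0 and not licensed:
            new_alerts.append(
                f"pid {ev.pid} (ppid {ev.ppid}) became root without a setuid-root "
                f"execve; first root call: {ev.syscall}{ev.args}")
        self.creds[ev.pid] = ev.euid

        # Rule 2: argument check. A uid-setting call asked for uid 0 from a
        # non-root caller and the kernel reported success.
        if (ev.syscall in UID_SETTING_CALLS and ev.euid != 0
                and 0 in ev.args and ev.ret == 0):
            new_alerts.append(
                f"pid {ev.pid} {ev.syscall}{ev.args} succeeded from euid {ev.euid}")
            self.creds[ev.pid] = 0   # already reported; do not re-flag next call

        # Bookkeeping for exec and process creation.
        if ev.syscall == "execve" and ev.ret == 0 and ev.args[0] in SETUID_ROOT_BINARIES:
            self.pending_setuid_exec.add(ev.pid)
        elif ev.syscall in ("fork", "clone") and ev.ret > 0:
            self.creds[ev.ret] = ev.euid   # child starts with parent's credentials

        self.alerts.extend(new_alerts)
        return new_alerts


def constructed_trace() -> list:
    """Constructed sample trace; not captured from a real system."""
    return [
        # A: user shell 1100 runs passwd; the euid jump follows a setuid-root execve.
        Event(1100, 1, 1000, "clone", (), 1200),
        Event(1200, 1100, 1000, "execve", ("/usr/bin/passwd",), 0),
        Event(1200, 1100, 0, "openat", ("/etc/shadow",), 3),
        # B: root daemon drops privileges; lowering the euid is never flagged.
        Event(500, 1, 0, "setresuid", (1000, 1000, 1000), 0),
        Event(500, 1, 1000, "write", (1,), 12),
        # C: child of the user shell becomes root with no setuid-root execve
        # (placeholder ioctl stands in for whatever the exploit did) and execs a shell.
        Event(1300, 1100, 1000, "ioctl", (4, 0), 0),
        Event(1300, 1100, 0, "execve", ("/bin/sh",), 0),
        # D: an unprivileged process calls setuid(0) and it succeeds.
        Event(1400, 1100, 1000, "setuid", (0,), 0),
        Event(1400, 1100, 0, "write", (1,), 5),
    ]


def run_detector(events) -> list:
    det = PrivEscDetector()
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector(constructed_trace()):
        print("ALERT:", alert)
```

Scenarios A and B produce nothing, C and D one alert each. Two caveats a practitioner would add before deploying anything like this: a setuid program that temporarily dropped its privileges can legitimately regain uid 0 through setuid(0), so rule 2 needs the saved set-uid, not just the effective uid; and the allowlist must be derived from the actual setuid bits on the filesystem (and re-checked on mounts with nosuid), not hard-coded.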
You are granted permission for the non-commercial reproduction, distribution, display, and performance of this technical report in any format.