Conference: International Conference on Computational Intelligence and Security pt.2

SoIDPS: Sensor Objects-Based Intrusion Detection and Prevention System and Its Implementation

Abstract

In this paper, we propose an intrusion detection and prevention system using sensor objects, which are a kind of trap and are accessible only by programs that the system allows. Any access to a sensor object by a disallowed program, or any transmission of a sensor object to outside the system, is regarded as an intrusion. In such a case, the proposed system logs the related information on the process as well as its network connections, and terminates the suspicious process to prevent any possible intrusion. Because the proposed method is implemented as a Loadable Kernel Module (LKM) in Linux, it is impossible for any process to access the sensor objects without permission. In addition, the security policy is applied dynamically at run time. Experimental results show that the security policy is enforced with negligible overhead compared to the performance of the unmodified original system.
