1. Field of the Invention
The present invention relates to computer security and intrusion detection systems. More specifically, the present invention relates to a method and an apparatus for providing content-based intrusion detection using an agile kernel-based auditor.
2. Related Art
As computers become increasingly interconnected, it is becoming progressively harder to safeguard computer systems from attacks launched across computer networks. Several types of attacks, such as buffer overflow attacks and attacks that make unauthorized modifications to data objects, can be detected by examining data that is being read from and/or written to security-critical files or network connections.
Unfortunately, existing intrusion detection systems cannot reliably detect these types of attacks because they do not possess the ability to examine data that is being read or written during system calls.
For example, an existing auditing system may record system call parameters or attributes of subjects and objects involved in the system calls. However, existing auditing systems do not record data that is being read from or written to files or network connections because the volume of data that is read or written is prohibitively large.
Some network sniffers can collect data being read from and/or written to files across a network. However, network sniffers cannot gather information regarding accesses to local files. Furthermore, network sniffers can suffer performance and packet-loss problems if they try to collect this type of data because, as mentioned previously, the volume is prohibitively large. Also, encryption is increasingly being used to protect the privacy of data transmitted across networks. Consequently, network sniffers will eventually be unable to obtain useful audit data.
Hence, what is needed is a method and an apparatus for monitoring system calls that gathers read and/or write data for intrusion detection purposes without encountering problems in handling large volumes of data.
Another problem is that existing auditing systems are not configured to collect information for specific intrusion detection systems. Existing auditing systems are typically developed by operating system developers, who do not necessarily know what types of data are required by intrusion detection systems.
Consequently, existing auditing systems are not configured to gather parameters and/or other attributes that are required by an intrusion detection system. Furthermore, an intrusion detection system may require different types of data to be gathered at different times.
Hence, what is needed is a method and an apparatus that can be configured to selectively gather specific system call information for an intrusion detection system.
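As an added illustration, not the patent's own apparatus or code, the following Python simulation shows the two needs stated above working together: a policy layer that inspects the content of read/write system calls only for the objects an intrusion detection system has asked about (so the volume problem of auditing every buffer is avoided), and whose rule set can be replaced at runtime as the intrusion detection system's needs change. The SyscallEvent record, the "tcp:host:port" target naming, the rule names, the two content checks and the sample events are constructed assumptions for this example; a real kernel-based auditor would supply the events from its read()/write() hooks.

```python
"""Simulated content-based system-call auditor (added example, not the
patent's implementation). A kernel auditor would hook read()/write() and
hand the buffer plus subject/object attributes to this policy layer; here
the events are constructed in user space so the example runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class SyscallEvent:
    """One audited system call (constructed record format)."""
    pid: int
    uid: int
    op: str        # "read" or "write"
    target: str    # file path, or "tcp:<host>:<port>" for a connection (assumed naming)
    data: bytes    # the buffer passed to / returned from the call


@dataclass
class AuditRule:
    """What to inspect (target prefix, operations) and how (content check)."""
    name: str
    target_prefix: str
    ops: Set[str]
    check: Callable[[SyscallEvent], Optional[str]]  # alert text, or None


def long_unprintable_payload(max_len: int = 512, max_nonprint: float = 0.3):
    """Build a check that flags buffers which are both unusually long and
    dominated by non-printable bytes, a coarse signal for injected binary
    input of the kind buffer overflow attacks rely on."""
    def check(ev: SyscallEvent) -> Optional[str]:
        if len(ev.data) < max_len:
            return None
        nonprint = sum(1 for b in ev.data if b < 0x20 or b > 0x7E)
        if nonprint / len(ev.data) > max_nonprint:
            return f"{len(ev.data)}-byte buffer with {nonprint} non-printable bytes"
        return None
    return check


def new_uid0_account(ev: SyscallEvent) -> Optional[str]:
    """Flag writes to a passwd-style file that add a uid 0 entry other than
    root, i.e. an unauthorized modification of a security-critical object."""
    for line in ev.data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            return f"uid 0 account '{fields[0]}' written"
    return None


class ContentAuditor:
    """Applies the configured rules to each event; buffers of objects no
    rule asks about are never inspected, which keeps the audited volume
    proportional to the IDS's interest rather than to total I/O."""

    def __init__(self) -> None:
        self.rules: List[AuditRule] = []
        self.bytes_seen = 0       # all I/O that passed through the hook
        self.bytes_inspected = 0  # only the I/O some rule selected

    def configure(self, rules) -> None:
        """Replace the rule set at runtime; the IDS decides what to collect."""
        self.rules = list(rules)

    def audit(self, ev: SyscallEvent) -> List[str]:
        self.bytes_seen += len(ev.data)
        matching = [r for r in self.rules
                    if ev.op in r.ops and ev.target.startswith(r.target_prefix)]
        if not matching:
            return []
        self.bytes_inspected += len(ev.data)
        alerts = []
        for rule in matching:
            msg = rule.check(ev)
            if msg:
                alerts.append(f"[{rule.name}] pid={ev.pid} uid={ev.uid} "
                              f"{ev.op} {ev.target}: {msg}")
        return alerts


def run_demo():
    """Run constructed events through a two-rule configuration.
    Returns (alerts, bytes_inspected, bytes_seen)."""
    auditor = ContentAuditor()
    auditor.configure([
        AuditRule("critical-file-write", "/etc/", {"write"}, new_uid0_account),
        AuditRule("network-input", "tcp:", {"read", "write"}, long_unprintable_payload()),
    ])
    events = [  # constructed sample system calls
        SyscallEvent(1201, 1000, "write", "/var/log/app.log", b"user login ok\n" * 100),
        SyscallEvent(880, 0, "write", "/etc/passwd", b"alice:x:1001:1001::/home/alice:/bin/bash\n"),
        SyscallEvent(880, 0, "write", "/etc/passwd", b"svc:x:0:0::/root:/bin/sh\n"),
        SyscallEvent(4410, 33, "read", "tcp:10.0.0.5:80", b"GET /index.html HTTP/1.0\r\n\r\n"),
        SyscallEvent(4410, 33, "read", "tcp:10.0.0.5:80", bytes(range(256)) * 3),
    ]
    alerts = []
    for ev in events:
        alerts.extend(auditor.audit(ev))
    return alerts, auditor.bytes_inspected, auditor.bytes_seen


if __name__ == "__main__":
    found, inspected, seen = run_demo()
    print(f"inspected {inspected} of {seen} bytes")
    for a in found:
        print(a)
```

In the demo the log-file write is never inspected because no rule names it, the passwd write that adds an ordinary user passes, and two alerts are raised: the uid 0 entry and the long non-printable network read. Calling `configure()` again with a different rule list changes what is gathered without restarting the auditor, which is the selective, reconfigurable collection the text asks for.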