Modern viruses and worms are a significant threat to the security of information processing systems. Host-based intrusion detection systems provide an effective solution to detect worms once they penetrate system defenses. However, numerous worms are able to tamper with and disable intrusion detection systems.
A number of solutions have been offered to this problem, providing methodologies for ensuring that intrusion detection systems are functioning properly. For example, system integrity services are known which require monitored software agents, such as intrusion detection systems, to provide non-spoofable proof of proper functioning. These services, however, require modifications to the programming instructions for the monitored agent. Many software vendors are reluctant to make such modifications. Also, a large number of existing software agents, created prior to the advent of system integrity services, may be unable to provide the non-spoofable proof required for this technology.
Host agent measurement provides a further solution to the problem of worms and viruses disabling intrusion detection systems. Host agent measurement allows a process executing in an independent execution environment to periodically verify that a monitored software agent, such as an intrusion detection system, exists in the host memory in unmodified form. This methodology, however, does not provide any protection against attacks where the virus or worm does not actually modify the monitored agent, but simply disables the agent by tampering with the Operating System scheduler.