Using embedded sensors for detecting network attacks

Embedded sensors for intrusion detection are pieces of code added directly to the operating system and to the programs of the hosts being monitored. Each sensor checks for a specific condition that indicates an attack is in progress or an intrusion has already occurred. Because they run inline in the instrumented code path, embedded sensors have advantages over other data collection techniques (which are usually implemented as separate processes) in terms of reduced host impact, resistance to attack, and efficiency and effectiveness of detection. We describe the use of embedded sensors in general and their application to the detection of specific network-based attacks. The sensors were implemented in the OpenBSD operating system, and in our tests they detected 100% of the attacks for which sensors were instrumented. We discuss the sensors implemented and the results obtained, as well as current and future work in the area.
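To make the idea concrete, the following added example (not code from the paper or from OpenBSD) shows what an embedded sensor looks like in contrast to a separate monitoring process: the check lives inside the function that handles incoming TCP segments and fires before normal processing continues. The segment layout, the two conditions checked (a self-addressed spoofed segment and an excessive half-open connection backlog on one port) and the backlog threshold are assumptions chosen for illustration, not the sensors the paper instrumented.

```c
/* Added illustration of an embedded sensor: detection logic placed directly
 * in the code path that processes TCP segments. The segment structure, the
 * conditions and the threshold below are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* Minimal TCP/IP header fields an in-kernel sensor would inspect (constructed). */
struct segment {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;
};

/* Sensor state: half-open connections per destination port. The limit is an
 * assumed value; a real sensor would derive it from the listen backlog. */
#define MAX_PORTS 65536
#define HALF_OPEN_LIMIT 16
static int half_open[MAX_PORTS];
static unsigned long alerts_land, alerts_synflood;

/* Sensor 1: a segment whose source and destination address and port are
 * identical cannot come from a legitimate peer; report it and drop it. */
static int sensor_self_addressed(const struct segment *s) {
    if (s->src_ip == s->dst_ip && s->src_port == s->dst_port) {
        alerts_land++;
        fprintf(stderr, "SENSOR: self-addressed spoofed segment to port %u\n", s->dst_port);
        return 1;
    }
    return 0;
}

/* Sensor 2: track half-open connections per listening port. A bare SYN opens
 * one; an ACK completes one. Too many outstanding SYNs indicates a SYN flood. */
static int sensor_syn_backlog(const struct segment *s) {
    if ((s->flags & (TH_SYN | TH_ACK)) == TH_SYN) {
        if (++half_open[s->dst_port] > HALF_OPEN_LIMIT) {
            alerts_synflood++;
            fprintf(stderr, "SENSOR: %d half-open connections on port %u\n",
                    half_open[s->dst_port], s->dst_port);
            return 1;
        }
    } else if ((s->flags & TH_ACK) && half_open[s->dst_port] > 0) {
        half_open[s->dst_port]--;
    }
    return 0;
}

/* The instrumented code path: sensors run inline before normal processing.
 * Returns 1 if the segment is accepted, 0 if a sensor rejected it. */
int tcp_input(const struct segment *s) {
    if (sensor_self_addressed(s)) return 0;
    if (sensor_syn_backlog(s)) return 0;
    return 1; /* normal TCP processing would continue here */
}

unsigned long land_alerts(void) { return alerts_land; }
unsigned long synflood_alerts(void) { return alerts_synflood; }
void sensors_reset(void) {
    memset(half_open, 0, sizeof half_open);
    alerts_land = alerts_synflood = 0;
}

/* Constructed traffic: one self-addressed segment, then 20 bare SYNs to port 80
 * from distinct sources. Returns 1 if the spoofed segment was rejected. */
int run_demo(void) {
    sensors_reset();
    struct segment spoofed = { 0x0a000001u, 0x0a000001u, 80, 80, TH_SYN };
    int rejected = !tcp_input(&spoofed);
    for (int i = 0; i < 20; i++) {
        struct segment syn = { 0xc0a80000u + i, 0x0a000001u, (uint16_t)(40000 + i), 80, TH_SYN };
        tcp_input(&syn);
    }
    return rejected;
}

int main(void) {
    int rejected = run_demo();
    printf("spoofed segment rejected: %d, land alerts: %lu, syn flood alerts: %lu\n",
           rejected, land_alerts(), synflood_alerts());
    return 0;
}
```

The point of the pattern is that the sensor sees the segment at the moment the kernel does, with no copy to a separate process and no separate process for an attacker to kill or starve; the cost is one comparison and one counter update per segment. With the constructed traffic above, the self-addressed segment is rejected once and the backlog sensor fires four times (on the 17th through 20th SYN).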
