Abstract
In this paper we describe an interface between intrusion detection systems and trusted system components. The approach presented differs from conventional intrusion detection systems, which are only loosely coupled to the components they protect. We argue that a tighter coupling makes an IDS less vulnerable to desynchronization attacks, furnishes it with higher-quality information, and makes immediate and more fine-grained responses feasible. Preliminary results show that this can be achieved through an external, nonspecific, voluntary reference monitor accessible to applications through a simple API. Reasonable performance can be maintained by moving most of the IDS functionality into the context of the trusted application.
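The abstract only sketches the architecture, so the following is an added illustration of the pattern it describes and is not the paper's own code or API. It assumes a hypothetical `ReferenceMonitor` with two calls, `check()` (ask before a sensitive operation) and `report()` (feed back the outcome), which a trusted application calls voluntarily. Because the monitor receives application-level events rather than reconstructing them from packets, there is no stream to desynchronize, and a decision can be enforced per operation. The rules and sample events are constructed for the demo.

```python
"""Added example: a voluntary, application-agnostic reference monitor
consulted through a simple API. Names and rules are assumptions made for
illustration, not the paper's interface."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """Application-level event handed to the monitor (constructed schema)."""
    app: str
    operation: str
    principal: str
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allow: bool
    reason: str


# A rule inspects an event plus monitor state and returns a denial reason, or None.
Rule = Callable[["ReferenceMonitor", Event], Optional[str]]


class ReferenceMonitor:
    """External monitor; applications opt in by calling check() and report()."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.audit: List[str] = []          # structured audit trail, one line per decision
        self.failures: Dict[str, int] = {}  # state only the application can feed accurately

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def check(self, event: Event) -> Decision:
        """Called by the application *before* a sensitive operation; the app
        honours the decision, which gives an immediate, per-operation response."""
        for rule in self.rules:
            reason = rule(self, event)
            if reason is not None:
                self.audit.append(f"DENY {event.app} {event.operation} {event.principal}: {reason}")
                return Decision(False, reason)
        self.audit.append(f"ALLOW {event.app} {event.operation} {event.principal}")
        return Decision(True, "no rule matched")

    def report(self, event: Event, success: bool) -> None:
        """Outcome feedback: the application knows whether a login really
        succeeded, which a packet-level IDS would have to infer."""
        if event.operation == "login":
            if success:
                self.failures.pop(event.principal, None)
            else:
                self.failures[event.principal] = self.failures.get(event.principal, 0) + 1


def no_path_traversal(_m: ReferenceMonitor, ev: Event) -> Optional[str]:
    """Deny file reads whose path carries a '..' component (constructed rule)."""
    if ev.operation == "file_read" and ".." in ev.attrs.get("path", "").split("/"):
        return "path traversal component in path"
    return None


def lockout_after_failures(m: ReferenceMonitor, ev: Event, limit: int = 3) -> Optional[str]:
    """Deny further logins once the app has reported `limit` failures (constructed rule)."""
    if ev.operation == "login" and m.failures.get(ev.principal, 0) >= limit:
        return f"{limit} failed logins for {ev.principal}"
    return None


def run_demo() -> Dict[str, object]:
    """Simulated trusted application driving the monitor with constructed events."""
    monitor = ReferenceMonitor()
    monitor.add_rule(no_path_traversal)
    monitor.add_rule(lockout_after_failures)
    valid_password = {"alice": "correct horse"}  # constructed credential store

    logins: List[bool] = []
    # Three wrong passwords, then the right one: the fourth attempt is refused
    # by the monitor even though the credential is correct.
    for attempt in ["a", "b", "c", "correct horse"]:
        ev = Event("webapp", "login", "alice")
        decision = monitor.check(ev)
        success = decision.allow and attempt == valid_password["alice"]
        if decision.allow:
            monitor.report(ev, success)
        logins.append(success)

    reads: List[bool] = []
    for path in ["/var/www/../../etc/passwd", "/var/www/index.html"]:
        ev = Event("webapp", "file_read", "alice", {"path": path})
        reads.append(monitor.check(ev).allow)

    denies = sum(1 for line in monitor.audit if line.startswith("DENY"))
    return {"logins": logins, "reads": reads, "audit_entries": len(monitor.audit), "denies": denies}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the application supplies semantic events (who, which operation, which path) and the true outcome, so the monitor's state is never out of step with the protected component, and a denial takes effect before the operation rather than after a packet has already been delivered.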
© 2001 Springer-Verlag Berlin Heidelberg
Welz, M., Hutchison, A. (2001). Interfacing Trusted Applications with Intrusion Detection Systems. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_3
DOI: https://doi.org/10.1007/3-540-45474-8_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42702-5
Online ISBN: 978-3-540-45474-8