This dissertation introduces the concept of using internal sensors to
perform intrusion detection in computer systems. It shows its
practical feasibility and discusses its characteristics and related
design and implementation issues.
We introduce a classification of data collection mechanisms for
intrusion detection systems. At a conceptual level, these mechanisms
are classified as direct and indirect monitoring. At a practical
level, direct monitoring can be implemented using external or internal
sensors. Internal sensors provide advantages with respect to
reliability, completeness, timeliness and volume of data, in addition
to efficiency and resistance against attacks.
We introduce an architecture called ESP as a framework for building
intrusion detection systems based on internal sensors. We describe in
detail a prototype implementation based on the ESP architecture and
introduce the concept of embedded detectors as a mechanism for
localized data reduction.
We show that it is possible to build both specific (specialized for a
certain intrusion) and generic (able to detect different types of
intrusions) detectors. Furthermore, we provide information about the
types of data and places of implementation that are most effective in
detecting different types of attacks.
Finally, performance testing of the ESP implementation shows the
impact that embedded detectors can have on a computer system.
Detection testing shows that embedded detectors have the capability of
detecting a significant percentage of new attacks.