The Center for Education and Research in Information Assurance and Security (CERIAS)

Doing Intrusion Detection Using Embedded Sensors

Author

Diego Zamboni

Tech report number

CERIAS TR 2000-21

Entry type

techreport

Abstract

Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder. Additionally, intrusion detection systems have usually obtained information about host behavior through indirect means, such as audit trails or network packet traces. This potentially allows intruders to modify the information before the intrusion detection system obtains it, making it possible for an intruder to hide his activities. In this document I propose work that will attempt to show that it is possible to perform intrusion detection using small sensors embedded in a computer system. These sensors will look for signs of specific intrusions. They will perform target monitoring by observing the behavior of the system directly, instead of through an audit trail or other indirect means. Furthermore, by being built into the code of the operating system and its programs, they may not impose a considerable extra load on the host they monitor. I will also explore the possibility of applying a group of sensors built to detect known intrusions to detecting new intrusions. If this is shown to be possible, it would be a step towards determining the types of data that need to be collected to successfully detect new intrusions. The work I propose is divided into four stages: a) building the necessary infrastructure for the implementation of the sensors, b) implementing sensors for detecting known intrusions, c) testing new attacks against the group of implemented sensors, and d) performing analysis on the data obtained in step (c) to determine if the existing sensors can be used to detect new attacks.

Institution

CERIAS, Purdue University

Key alpha

Zamboni

Publication Date

1900-01-01

Keywords

intrusion detection
