Abstract - Security Symposium - 2000

Detecting and Countering System Intrusions Using Software Wrappers

Calvin Ko, Timothy Fraser, Lee Badger, and Douglas Kilpatrick, NAI Labs, Network Associates, Inc.

This paper introduces an approach that integrates intrusion detection (ID) techniques with software wrapping
technology to enhance a system's ability to defend against intrusions. In particular, we employ the NAI Labs
Generic Software Wrapper Toolkit to implement all or part of an intrusion detection system as ID wrappers. An
ID wrapper is a software layer dynamically inserted into the kernel that can selectively intercept and analyze
system calls performed by processes as well as respond to intrusive events. We have implemented several ID
wrappers that employ three different major intrusion detection techniques. Also, we have combined different ID
techniques by composing ID wrappers at run-time. We tested the individual and composed ID wrappers using
several existing attacks and measured their impact on observed application performance. We conclude that
intrusion detection algorithms can be easily encoded as wrappers that perform efficiently inside the kernel. Also,
kernel-resident ID wrappers can be easily managed, allowing cooperation among multiple combined techniques
to enforce a coherent global ID policy. In addition, intrusion detection algorithms can benefit from the extra
data made accessible by wrappers.