
Mechanism for automated kernel-based system defense (DEFMOD)

IP.com Disclosure Number: IPCOM000202474D
Publication Date: 2010-Dec-16
Document File: 2 page(s) / 27K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system for automated operating system/kernel based security violation detection and recovery defense (DEFMOD) is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.


Mechanism for automated kernel-based system defense (DEFMOD)

Disclosed is a method and system for automated operating system/kernel based security violation detection and recovery defense (DEFMOD).

Existing tools for detecting system security and intrusion events have several shortcomings: many of them are specialized to detect only specific events, and they lack configurability.

Most tools today will notify users or other systems of the security violation, but may not be able to take corrective action.

Most monitoring tools today run as ordinary user-space applications, often under unprivileged accounts; a user-space application, whether started from a privileged or an unprivileged account, can be deactivated or sabotaged once the system is root-compromised.

Disclosed is an operating system or kernel-based system analyzer module that does the following:

Runs a series of scans to determine whether any system security events have taken place.

Executes recovery steps if a security event is determined to have occurred.

Allows drastic measures to be taken so that the compromise is kept to a minimum and the system is more resilient to future attack.

Although the disclosed method could be implemented in any operating system, a UNIX™ based operating system is referenced as an example step-by-step implementation, where DEFMOD is compiled as part of the operating system.

Initialization
Late in the kernel boot process (after filesystems are mounted, but before init is invoked), DEFMOD is loaded and the DEFMOD configuration file is read. The module also ensures that everything in /etc/defmod is owned by root and has permission of 0700.

Scanning
At the user-specified time interval (every 20 minutes; every 2 hours; once a day, etc.), the scan script(s) would be called; they would be run in ascending order (level1 to level3); these scripts can run any number of other scripts, utils or applications.

Detection
If an event in any of the scripts fails, the corresponding reaction script is invoked (e.g. if scan1.sh fails, level1.sh is executed).

Reaction
When the reaction script has terminated, all scan scripts are rerun.

Security events monitored:
1. Starting/stopping/modification of a system service: firewall termination or modification
2. Use of an unauthorized TCP/UDP port
3. Addition/deletion/modification of a user or group
4. Overwriting a system tool or binary with a compromised version
5. Unauthorized changes to system configuration files

Other events could also be monitored:
1. Filesystem overflows
2. Failed network device or service

Some specific examples are presented:

This example defmod.conf configuration file is used in the three examples below:

[NOTIFY]
SYS_ADMIN christy@us.ibm.com,sean@us.ibm.com,rosy@us.ibm.com
NET_ADMIN bob@us.ibm.com,betty@us.ibm.com,jim@us.ibm.com
DB_ADMIN ruth@us.ibm.com,frank@us.ibm.com,kevin@us.ibm.com
[/NOTIFY]
[LEVEL1] n...
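The scan/detect/react cycle and the [NOTIFY] block above, as an added user-space model (example code written for this page, not part of the disclosure or any IBM implementation). It assumes a defmod.conf in the format shown, a root/0700 self-check on /etc/defmod as the Initialization step requires, and a max_rounds limit that the page does not specify; the DemoHost scans are constructed stand-ins for scan1.sh to scan3.sh.

```python
import re

# Constructed sample in the defmod.conf format shown on the page (NOTIFY block only).
SAMPLE_CONF = """[NOTIFY]
SYS_ADMIN christy@us.ibm.com,sean@us.ibm.com,rosy@us.ibm.com
NET_ADMIN bob@us.ibm.com,betty@us.ibm.com,jim@us.ibm.com
DB_ADMIN ruth@us.ibm.com,frank@us.ibm.com,kevin@us.ibm.com
[/NOTIFY]
"""

def parse_notify(conf):
    """Map each role in the [NOTIFY] block to its list of addresses."""
    block = re.search(r"\[NOTIFY\](.*?)\[/NOTIFY\]", conf, re.S)
    if block is None:
        raise ValueError("defmod.conf has no [NOTIFY] block")
    roles = {}
    for line in block.group(1).splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2:
            roles[fields[0]] = [a.strip() for a in fields[1].split(",") if a.strip()]
    return roles

def entry_is_locked_down(uid, mode):
    """Boot-time self-check from the page: /etc/defmod entries must be root-owned, mode 0700."""
    return uid == 0 and (mode & 0o7777) == 0o700

def run_cycle(scans, reactions, max_rounds=3):
    """Scan in ascending level order; on the first failure run that level's reaction and
    rerun all scans. max_rounds is my assumption (the page sets no limit) to avoid looping."""
    log = []
    for _ in range(max_rounds):
        for level, scan in enumerate(scans, start=1):
            if not scan():
                log.append(f"scan{level} failed -> level{level} reaction")
                reactions[level - 1]()
                break  # reaction finished: rerun everything from scan1
            log.append(f"scan{level} ok")
        else:
            log.append("all scans passed")
            return log
    log.append(f"unresolved after {max_rounds} rounds")
    return log

class DemoHost:
    """Constructed host state: the scan2 firewall check fails until restart_firewall runs."""
    firewall_up = False
    def scan1(self): return True          # e.g. users/groups unchanged
    def scan2(self): return self.firewall_up
    def scan3(self): return True          # e.g. config files unchanged
    def restart_firewall(self): self.firewall_up = True
```

A reaction that does not clear the condition shows up as repeated failure lines followed by the "unresolved" entry, which is the case worth alerting the [NOTIFY] roles about.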