Mechanism for automated kernel-based system defense (DEFMOD)
Publication Date: 2010-Dec-16
The IP.com Prior Art Database
A method and system for automated operating system/kernel based security violation detection and recovery defense (DEFMOD) is disclosed.
Page 01 of 2
Mechanism for automated kernel -based system defense (DEFMOD)
Disclosed is a method and system for automated operating system/kernel based security violation detection and recovery defense (DEFMOD).
Existing tools for detecting system security and intrusion events have some shortcomings: Many of these tools are specialized to only detect specific events; lack of configurability.
Most tools today will notify users or other systems of the security violation, but may not be able to take corrective action.
Most monitoring tools today run as nonprivileged/user applications that are often run by/as unprivileged users; user applications (whether invoked with privileged or unprivileged user accounts) can be deactivated or sabotaged if the system becomes root compromised.
Disclosed is an operating system or kernel-based system analyzer module that does the following:
Runs a series of scans to determine if any system security events have taken place.
Executes recovery steps if a security event is determined to have occurred.
Ensures that drastic measures may be taken to ensure minimal system compromise and increased resilience to future attack.
Although the disclosed method could be implemented in any operating system
hours; once a day, etc.), the scan script(s) would be called; they would be run in ascending order (level1 to level3); these scripts can run any number of other scripts, utils or applications.
If an event in any of the scripts fails, the corresponding reaction script is invoked (i.e. if scan1.sh fails, level1.sh is executed).
When the reaction script has terminated, all scan scripts are rerun
Security events are monitored
Starting/stopping/modification of a system service:
Firewall termination or modification
Use of an unauthorized TCP/UDP port
At the user-specified time interval (every 20 minutes; every 2
Addition/deletion/modification of a user or group
Overwriting a system tool or binary with a compromised version
Unauthorized changes to system configuration files
Other events could also be monitored
Failed network device or service
Some specific examples are presented:
This example defmod.conf configuration file is used in the three examples below: [NOTIFY]
DMIN firstname.lastname@example.org,email@example.com,firstname.lastname@example.org NET
, a UNIXTM based operating system is referenced as an example step-by-step implementation, where DEFMOD is compiled as part of the operating system.
Late in the kernel boot process (after filesystems are mounted, but before init is invoked), DEFMOD is loaded and the DEFMOD configuration file is read. The module also ensures that everything in /etc/defmod is owned by root and has permission of 0700.
DMIN email@example.com,firstname.lastname@example.org,email@example.com [/NOTIFY]