Terena Title Logo  
decoration line

navigation button: home navigation button: programme navigation button: meetings navigation button: social navigation button: registration navigation button: venue navigation button: credits navigation button: contacts navigation button: sponsorship navigation button: search
decoration line

TERENA Logo small


The function of a Network Intrusion Detection System (NIDS) is to identify any
misuse and abnormal behavior determined as an attack to a network segment or a
dedicated host. The proposed concept is a NIDS, based on the pump-in-the-stack
approach. This means, that the NIDS is integrated into the network stack of our
operating systems.
Using the native stack is important, since this is the only place in our operating
systems where we can get realtime access to all network packets passing the stack.
The idea is to make use of already existing knowledge about state transitions,
memory content, header information, and packet payload. This is very similar to the
stack hardening approach. But while hardening mechanisms are limited to block
malicious traffic (violating RFC793), the proposed approach is to collect as much
evidence as possible about all intrusive attacks and to start some simple forensic
analysis. Knowing that IPv4 is not really suitable to collect information about the
actual source of an attack, there is no big difference to traditional IPv4 based
forensic analyses. But in addition to simple stack hardening mechanisms, the
advantage of the proposed approach is to start forensic analysis long time before the
host is going to become a “pathologic case”.
Maybe collecting forensic evidence and the preservation of collected information is
inappropriate in the case of intrusion detection systems (IDS). But IDSs are the most
likely candidates (at least in the absence of alternatives) to collect forensically
pristine evidentiary data, if real- or nearly realtime behaviour is required [1].
To verify this statement, two prototypes were built (representing the two most
popular categories of operating systems) and stack-based intrusion detection
mechanisms have been integrated into the network stack to verify, if the proposed
mechanism is appropriate in terms of collecting forensic evidences.


  • Udo Payer, IAIK, University of Technology Graz (AT)


  • Udo Payer, IAIK, University of Technology Graz (AT)

This presentation is part of session "Recent Results III" which starts at Tuesday, June 8 @ 14:00


Home | Programme | Meetings | Social | Registration | Venue | Credits | Contacts | Sponsorship | Search back to top
Last modified on the 15th 2004f June 2004 - 12:35