Realtime Intrusion-Forensics: A First Prototype Implementation (based on a stack-based NIDS)

The function of a Network Intrusion Detection System (NIDS) is to identify any misuse and abnormal behavior determined as an attack to a network segment or network host. The proposed concept is a pump-in-the-stack approach. This means, that NIDS-features are integrated into the network stack of our operating systems. Using the native stack is important, since this is the only place in our operating systems where we can get access to all packets (passing the stack) in realtime quality. The idea is to make use of already existing knowledge about state transitions, memory content, header information, and packet payload. This is very similar to stack hardening. But while hardening mechanisms are limited to block malicious traffic (violating RFC793), the proposed approach is to collect as much evidence as possible and to do some simple forensic analysis. Knowing that IPv4 is not suitable to collect information about the actual source of an attack, but there is no real difference to traditional IPv4 based forensic analyses. In addition to simple stack hardening mechanisms, the advantage of the proposed approach is to start forensic analysis long time before the host is going to become a “pathologic case”. Maybe that collecting forensic evidence and the preservation of collected information is inappropriate in the case of intrusion detection systems (IDS). But IDSs are the most likely candidates (at least in the absence of alternatives) to collect forensically pristine evidentiary data, if realor nearly realtime behaviour is required [1]. To verify this statement, two prototypes were built (representing the two most popular categories of operating systems) and stack-based intrusion detection mechanisms have been integrated into the network stack.