__Not Yet Determined__


Adam Compton
Patrick LeBlanc
Meir Wasserman
Eric Haugh

Project Proposal

Our ECS 253 Project-Group has decided to work on an Intrusion Detection and Recovery Daemon. Our daemon process will be given as its primary resource, a read-only media (i.e. CD-ROM) that contains a file list and a "clean" copy of the files that are to be monitored. The daemon will periodically "wake-up" and scan the files in its file list. It will do some 1-way has of each file and compare the result to the hash of the "clean" files. If no discrepancy if found, it will go back to sleep to run later. If a discrepancy is found, it will:
  1. Quarantine the affected file in a safe location. This is done so that the System Security Officer may examine the corrupted file later.
  2. Delete the "corrupted" file and copy the "clean" file from the read-only media.
  3. Report the error to the System Security Officer. This report will look something like the following:
    1. Date and Time of the error
    2. Name of the file that was found to be corrupted
    3. The location in the file that the change occurred and what data was changed. Comparing both the corrupted and clean files and reporting any changes and the locations can do this.

A few concerns about the daemon have already arisen. The first of these was how to keep the daemon from being terminated. Our solution was to edit the kernel and insert code that would prevent a kill signal from being sent to our daemon. Another concern is how do we prevent the kernel itself from be edited and thus allowing our daemon to be terminated. By copying the kernel to the read-only media could solve this problem.

Send email to bishop@cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 4/27/2000