__Not Yet Determined__
Members
Adam Compton
Patrick LeBlanc
Meir Wasserman
Eric Haugh
Project Proposal
Our ECS 253 project group has decided to work on an Intrusion
Detection and Recovery Daemon. The daemon process will be given,
as its primary resource, read-only media (e.g. a CD-ROM) that
contains a file list and a "clean" copy of each file that is to
be monitored. The daemon will periodically "wake up" and scan the
files in its file list. It will compute a one-way hash of each file
and compare the result to the hash of the "clean" copy. If no
discrepancy is found, it will go back to sleep and run again later. If
a discrepancy is found, it will:
- Quarantine the affected file in a safe location. This is done
so that the System Security Officer may examine the corrupted file
later.
- Delete the "corrupted" file and copy the "clean" file from the
read-only media.
- Report the error to the System Security Officer. This report
will look something like the following:
  - Date and time of the error
  - Name of the file that was found to be corrupted
  - The location in the file where the change occurred and what data
  was changed. This can be determined by comparing the corrupted and
  clean files and reporting every difference and its location.
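A small worked version of this scan-and-recover cycle, added here as an illustration and not the group's code: it hashes each listed file against its clean copy (SHA-256 and the directory layout are assumptions, since the proposal names neither), quarantines and restores on a mismatch, and reports the changed byte ranges. run_demo() builds a constructed tamper scenario in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_hash(path):
    """One-way hash of a file (SHA-256 here; the proposal does not name an algorithm)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def changed_regions(clean, corrupt):
    """Byte-wise diff: (offset, clean_bytes, corrupt_bytes) per differing run; a length mismatch is a trailing run."""
    regions, start, n = [], None, max(len(clean), len(corrupt))
    for i in range(n + 1):
        same = i < min(len(clean), len(corrupt)) and clean[i] == corrupt[i]
        if i < n and not same and start is None:
            start = i                     # a differing run begins here
        elif (same or i == n) and start is not None:
            regions.append((start, clean[start:i], corrupt[start:i]))
            start = None
    return regions

def scan(file_list, clean_dir, quarantine_dir):
    """One wake-up of the daemon: compare each listed file with its clean copy and recover on mismatch."""
    reports = []
    for name in file_list:
        live, clean = Path(name), Path(clean_dir) / Path(name).name  # clean copy keyed by basename (assumption)
        if file_hash(live) == file_hash(clean):
            continue                      # no discrepancy: nothing to do
        corrupt = live.read_bytes()
        qpath = Path(quarantine_dir) / (live.name + ".quarantined")
        shutil.copy2(live, qpath)         # 1. quarantine for the SSO to examine later
        live.unlink()
        shutil.copy2(clean, live)         # 2. delete corrupted file, restore the clean copy
        reports.append({                  # 3. report to the System Security Officer
            "time": datetime.now(timezone.utc).isoformat(),
            "file": str(live), "quarantined_as": str(qpath),
            "changes": changed_regions(clean.read_bytes(), corrupt)})
    return reports

def run_demo():
    """Constructed scenario: a tampered passwd and an untouched hosts file, clean copies in 'cdrom'."""
    root = Path(tempfile.mkdtemp())
    clean, live, quar = root / "cdrom", root / "etc", root / "quarantine"
    for d in (clean, live, quar):
        d.mkdir()
    (clean / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
    (live / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/XX\n")   # shell field tampered
    (clean / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    (live / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    reports = scan([live / "passwd", live / "hosts"], clean, quar)
    return reports, (live / "passwd").read_bytes(), (quar / "passwd.quarantined").read_bytes()
```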
A few concerns about the daemon have already arisen. The first of
these was how to keep the daemon from being terminated. Our solution
was to edit the kernel and insert code that would prevent a kill
signal from being sent to our daemon. Another concern is how we
prevent the kernel itself from being edited, which would allow our
daemon to be terminated. Copying the kernel to the read-only
media could solve this problem.
Send email to bishop@cs.ucdavis.edu.
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 4/27/2000