2003
Conference Paper
Title

Embedding policy-controlled ID sensors within host operation system security enforcement components for real time monitoring

Abstract
This paper describes some attack and intrusion detection elements of a security architecture for distributed heterogeneous systems. The architecture concentrates on the level of the operating systems of the nodes involved and can also be retrofitted to existing COTS systems through the use of modular instrumentation extensions to the kernel and possibly the use of trusted coprocessor subsystems. The instrumentation provides both a reference monitor mechanism for active enforcement of security policies as well as sensor information for intrusion detection aspects, both of which occur under the control of a set of policies consistently enforced throughout distributed systems using external repositories. The reference monitor and intrusion detection mechanisms are controlled by policies defined in a first order theory permitting the abstract specification of subject, objects, and operations which are mapped to a given environment through the use of interpretations. This ensures a consistent enforcement of all applicable policies and permits the derivation of (consistent) additional rules based on automated deduction and can not only be used to model rule-based detection mechanisms but also to modulate the sensor output provided by the instrumentation within nodes. As an additional benefit, the use of predicates within the first order theory also permits a consistent view on observations at the time of data fusion.
Author(s)
Wolthusen, S.
Fraunhofer-Institut für Graphische Datenverarbeitung IGD  
Mainwork
Real time intrusion detection. CD-ROM  
Conference
RTO Information Systems Technology Panel (IST) Symposium 2002  
Language
English
Keyword(s)
  • intrusion detection
  • security enforcement
  • security policy
  • operating system extension
