Linux Kernel instant intrusion detection security enhancement-Introduction

Linux Kernel real-time Intrusion Detection security enhancement-introduction-general Linux technology-Linux programming and kernel information. The following is a detailed description. I. Introduction
Ice cubes

It is now recognized that there is no absolute method or absolutely secure system in the world to prevent hacker intrusion:
Software without vulnerabilities is a dream for us. Even popular programs or operating systems contain vulnerabilities that can be exploited by intruders.
Many software packages interact with components of other operating systems (function libraries or kernels.
For this reason, intrusion detection and how to handle intrusions have been extensively discussed and researched in the computer industry.
Many existing intrusion detection technologies are based on some analysis of audit and log files. The main idea is to search the entire system file and reference list to find malformed and unexpected system configuration changes. (For example, the user ID of a new user is 0 ). Another method is to periodically execute a program to compare the attributes of system files with the reference list. These processes are mainly used to deal with Trojan Trojans. Such a program seems to be not very dangerous to the system, but can give intruders the permissions needed to control the entire system.
The advantage of this program is that you do not need to enter the kernel part. For example, they do not need to modify system commands. However, they cannot immediately prevent intrusions, because in most cases, these results are generated after intruders attack.
All the destructive attacks against the system are implemented through some sensitive system calls. Therefore, real-time intrusion detection can protect your system from being damaged by attackers by monitoring every system call.
Here we create a function that can intercept and monitor special system calls at the kernel level. Our method requires minimal changes to the original internal structure of the system. Since the code for Unix-like systems is public, we can intercept system calls based on public kernel code and check whether the system calls are malicious according to the rules we set, provides intrusion detection and prevention.
The software is designed for the following purposes:
Detects malicious system calls before they are fully executed to prevent malicious intrusion attacks.
Allows a valid detection of System Call parameters.
Without changing the existing data structure and system of the system, an enhanced and secure operating system is implemented by extending the kernel functions.
Thanks for the real-time intrusion detection, because the original extended operating system can run malicious and legitimate processes of intruders together. With this system, we can analyze all the processes in the system and discover malicious processes and their relationships.
As an example of our technology, we have created a prototype for Detecting Buffer Overflow attacks before the attack is complete. An OS-based intrusion detection can provide some necessary functional options when Detecting Buffer Overflow.