
A basis for intrusion detection in distributed systems using kernel-level data tainting.

Christophe Hauser
Abstract: Modern organisations rely intensively on information and communication technology infrastructures. Such infrastructures offer a range of services, from simple mail transport agents or blogs to complex e-commerce platforms, banking systems or service hosting, and all of these depend on distributed systems. The security of these systems, with their increasing complexity, is a challenge. Cloud services are replacing traditional infrastructures by providing lower-cost alternatives for storage and computational power, but at the risk of relying on third-party companies. This risk becomes particularly critical when such services are used to host privileged company information and applications, or customers' private information. Even where companies host their own information and applications, the advent of BYOD (Bring Your Own Device) leads to new security-related issues.

In response, our research investigated the characterization and detection of malicious activities at the operating system level and in distributed systems composed of multiple hosts and services. We have shown that intrusions in an operating system spawn abnormal information flows, and we developed a model of dynamic information flow tracking, based on taint marking techniques, in order to detect such abnormal behavior. We track information flows between objects of the operating system (such as files, sockets, shared memory, processes, etc.) and network packets flowing between hosts. This approach follows the anomaly detection paradigm: we specify the legal behavior of the system with respect to an information flow policy, by stating how users and programs from groups of hosts are allowed to access or alter each other's information, and illegal information flows are treated as intrusion symptoms. We have implemented this model in the Linux kernel (the source code is available at ), as a Linux Security Module (LSM), and we used it as the basis for practical demonstrations. The experimental results validated the feasibility of our new intrusion detection principles.
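The detection principle described in the abstract, reduced to a small user-space model as an added illustration (this is not the thesis's kernel code): every OS object and packet carries the set of taint marks of the origins whose information has flowed into it, marks propagate along each flow, and a policy states which origins each (host group, program) container may legally hold. Object names, host groups and the policy below are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Obj:
    """An OS object (file, socket, process, ...) or a network packet."""
    name: str
    container: tuple                        # (host_group, user_or_program) owning it
    marks: set = field(default_factory=set)  # origins whose information reached it


class FlowPolicy:
    """Legal behaviour: for each container, the origin marks it may hold."""
    def __init__(self, allowed):
        self.allowed = allowed  # container -> set of permitted origin marks

    def illegal_marks(self, container, marks):
        return marks - self.allowed.get(container, set())


class Tracker:
    """Propagates marks along flows and flags flows that violate the policy."""
    def __init__(self, policy):
        self.policy = policy
        self.alerts = []

    def flow(self, src, dst):
        dst.marks |= src.marks                  # taint propagation (read/write, send/recv)
        bad = self.policy.illegal_marks(dst.container, dst.marks)
        if bad:                                 # illegal flow = intrusion symptom
            self.alerts.append((src.name, dst.name, dst.container, frozenset(bad)))
        return bad


def demo():
    # Constructed policy: the web front-end may never hold raw customer data.
    policy = FlowPolicy({
        ("db", "dbsvc"):  {("db", "customers"), ("web", "catalog")},
        ("web", "httpd"): {("web", "catalog")},
        ("web", "admin"): {("web", "catalog"), ("db", "customers")},
    })
    t = Tracker(policy)
    customers = Obj("/var/lib/db/customers.dat", ("db", "dbsvc"), {("db", "customers")})
    catalog = Obj("/var/www/catalog.json", ("web", "httpd"), {("web", "catalog")})
    dbproc = Obj("dbsvc:pid 812", ("db", "dbsvc"))
    pkt = Obj("tcp packet db->web", ("db", "dbsvc"))
    httpd = Obj("httpd:pid 4242", ("web", "httpd"))
    t.flow(catalog, httpd)                      # legal: front-end serves the catalog
    t.flow(customers, dbproc); t.flow(dbproc, pkt)  # legal inside the db group
    bad = t.flow(pkt, httpd)                    # illegal: customer data reaches httpd
    return t.alerts, bad
```

Running `demo()` yields exactly one alert, raised on the final flow, naming the `("db", "customers")` mark that the `("web", "httpd")` container is not allowed to hold.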

Cited literature: 77 references
Contributor: Abes Star
Submitted on : Monday, September 22, 2014 - 11:47:26 AM
Last modification on : Tuesday, June 15, 2021 - 4:28:07 PM
Long-term archiving on: Tuesday, December 23, 2014 - 11:05:30 AM


Version validated by the jury (STAR)


  • HAL Id : tel-01066750, version 1


Christophe Hauser. A basis for intrusion detection in distributed systems using kernel-level data tainting. Other. Supélec, 2013. English. ⟨NNT : 2013SUPL0013⟩. ⟨tel-01066750⟩


