Title :
Kernel-level intrusion detection system for minimum packet loss
Author :
Bo-Heung Chung ; Jeong-Nyeo Kim ; Sung-Won Sohn ; Chee-hang Park
Author_Institution :
Electronics and Telecommunications Research Institute(ETRI)
Abstract :
Supporting dynamic rule change with minimum packet loss is one of the key issues for intrusion detection. To detect intrusions, an Intrusion Detection System (IDS) generally has a copy step in which a packet is captured at kernel level and then copied to user level, where detection is performed. While this copy is in progress, the next packet cannot be captured, because the procedure for the current one has not yet finished. This paper proposes the Kernel-level Intrusion Detection System (KIDS), which can detect various network attacks with minimum packet loss. The system runs in the kernel as a kernel program and detects intrusions at kernel level without the copy step. Dynamic rule change is performed quickly by appending new rules and by setting a delete mark on retired ones. After such a change, no kernel reboot is needed and a new type of network attack can be detected easily. With this dynamic rule change, the time the detection process spends waiting is minimized and its job can resume as quickly as possible. Due to these features, packet loss is greatly reduced.
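The rule-table scheme the abstract describes, appending new rules and setting a delete mark on retired ones instead of rebuilding the table, as an added illustration in C. This is not the authors' code and the paper does not give its data structures; the rule and packet layouts, the function names, the port field and the sample HTTP payloads are assumptions constructed for this example, and it runs in user space rather than in the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KIDS_MAX_RULES 64

/* Assumed rule layout (not the paper's): a byte pattern, an optional port,
 * and a delete mark. A marked rule stays in its slot; the matcher skips it. */
struct kids_rule {
    uint32_t       id;
    uint16_t       dst_port;     /* 0 = any port */
    const uint8_t *pattern;
    size_t         pattern_len;
    bool           deleted;
};

struct kids_ruleset {
    struct kids_rule rules[KIDS_MAX_RULES];
    size_t           count;      /* only ever grows: rules are appended, never removed */
};

struct kids_packet {
    uint16_t       dst_port;
    const uint8_t *payload;
    size_t         len;
};

/* Append: fill the slot first, then publish it by bumping count. */
int kids_rule_append(struct kids_ruleset *rs, uint32_t id, uint16_t dst_port,
                     const char *pattern)
{
    if (rs->count >= KIDS_MAX_RULES)
        return -1;
    struct kids_rule *r = &rs->rules[rs->count];
    r->id = id;
    r->dst_port = dst_port;
    r->pattern = (const uint8_t *)pattern;
    r->pattern_len = strlen(pattern);
    r->deleted = false;
    rs->count++;
    return 0;
}

/* Retire a rule by setting its delete mark; no compaction, no table rebuild. */
int kids_rule_mark_deleted(struct kids_ruleset *rs, uint32_t id)
{
    for (size_t i = 0; i < rs->count; i++) {
        if (rs->rules[i].id == id && !rs->rules[i].deleted) {
            rs->rules[i].deleted = true;
            return 0;
        }
    }
    return -1;
}

/* Signature match over all live rules; returns the matching rule id or 0. */
uint32_t kids_match(const struct kids_ruleset *rs, const struct kids_packet *p)
{
    for (size_t i = 0; i < rs->count; i++) {
        const struct kids_rule *r = &rs->rules[i];
        if (r->deleted || (r->dst_port != 0 && r->dst_port != p->dst_port))
            continue;
        if (r->pattern_len == 0 || r->pattern_len > p->len)
            continue;
        for (size_t off = 0; off + r->pattern_len <= p->len; off++)
            if (memcmp(p->payload + off, r->pattern, r->pattern_len) == 0)
                return r->id;
    }
    return 0;
}

/* Constructed sample traffic: one benign request, one carrying a signature. */
static const char BENIGN[]  = "GET /index.html HTTP/1.0\r\n\r\n";
static const char HOSTILE[] = "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n";

/* Scenario 1: a packet passes, a rule is appended, the same packet is caught. */
int kids_demo_append(void)
{
    struct kids_ruleset rs = { .count = 0 };
    struct kids_packet hostile = { 80, (const uint8_t *)HOSTILE, sizeof HOSTILE - 1 };
    uint32_t before = kids_match(&rs, &hostile);
    kids_rule_append(&rs, 1001, 80, "cmd.exe");
    uint32_t after = kids_match(&rs, &hostile);
    return (before == 0 && after == 1001) ? 1 : 0;
}

/* Scenario 2: the delete mark silences a rule while its slot remains in place. */
int kids_demo_mark_deleted(void)
{
    struct kids_ruleset rs = { .count = 0 };
    struct kids_packet hostile = { 80, (const uint8_t *)HOSTILE, sizeof HOSTILE - 1 };
    struct kids_packet benign  = { 80, (const uint8_t *)BENIGN,  sizeof BENIGN  - 1 };
    kids_rule_append(&rs, 1001, 80, "cmd.exe");
    kids_rule_append(&rs, 1002, 0,  "/etc/passwd");
    if (kids_match(&rs, &benign) != 0) return 0;       /* benign traffic stays clean */
    if (kids_rule_mark_deleted(&rs, 1001) != 0) return 0;
    if (kids_match(&rs, &hostile) != 0) return 0;      /* retired rule no longer fires */
    return rs.count == 2 ? 1 : 0;                      /* slot kept, nothing compacted */
}

int main(void)
{
    printf("append scenario: %s\n", kids_demo_append() ? "ok" : "FAIL");
    printf("delete-mark scenario: %s\n", kids_demo_mark_deleted() ? "ok" : "FAIL");
    return 0;
}
```

The point of the two writes is that neither one invalidates what a matcher already running over the array sees: an append only becomes visible when `count` is bumped after the slot is fully written, and a deletion flips a flag in place instead of shifting entries. That is what lets detection continue through a rule change without being stopped and restarted, which is the property the abstract ties to reduced packet loss. A real kernel implementation would still need a memory barrier between filling the slot and publishing the count, and some policy for reclaiming marked slots once the table fills up.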
Keywords :
Availability; Computer networks; Computer worms; Data security; Delta modulation; IP networks; Intrusion detection; Kernel; Protection; Web and internet services; Intrusion Detection System; kernel-level intrusion detection; signature-based detection;
Conference_Titel :
Advanced Communication Technology, 2004. The 6th International Conference on
Conference_Location :
Phoenix Park, Korea
Print_ISBN :
89-5519-119-7
DOI :
10.1109/ICACT.2004.1292859