A Kernel Level VFS Logger for Building Efficient File System Intrusion Detection System

For any file, the modification, access and creation date and time stamp (MAC DTS) is a major parameter, which if preserved properly can be used to gain crucial evidence about activities on the file. Activities on a file system is generally protected by access control mechanism specific to the operating system; discretionary or mandatory access control mechanism being the most common ones. Generally, access control mechanisms deal with allow or deny a based rule (for access to a file) which even extends to role based access control in some cases. This directly implies that access protection mechanism is generally tightly coupled with almost all operating systems. Still, intrusion is a common phenomenon. This paper analyzes and measures the performance of our previously defined approach for efficient file system intrusion detection system. This paper also establishes how this approach can be complementary to existing access control mechanism for Linux kernel 2.6.x.