Anatomy of a Real-time Intrusion Prevention System

Host intrusion prevention systems for both servers and end-hosts must address the dual challenges of accuracy and performance. Researchers have mostly focused on addressing the former challenge, suggesting solutions based either on exploit-based penetration detection or anomaly-based misbehavior detection, but yet stopping short of comprehensive solutions that leverage merits of both approaches. The second challenge, however, is rarely addressed; doing so comprehensively is important for practical usability, since these systems can introduce substantial overhead and cause system slowdown, more so when the system load is high. We present Rootsense, a holistic and real-time intrusion prevention system that combines the merits of misbehavior-based and anomaly-based detection. Four principles gover