Dynamic Kernel Monitoring for Attack Detection and Mitigation

Period of Performance: 09/24/2007 - 09/24/2008


Phase 1 SBIR

Recipient Firm

Computer Measurement Laboratory, Inc.
128 E Pine Avenue
Meridian, ID 83642
Principal Investigator


The activity of an OS kernel may be monitored dynamically in real time. As the kernel executes, the transitions among its constituent components follow a predictable pattern that represents the normal operation of the kernel. An attack on the operating system induces a significant and immediately recognizable disturbance in this pattern of normal activity. The Attack Recognition and Mitigation (ARM) system will monitor kernel activity through the use of a security co-processor. This co-processor operates in parallel with the main CPU to detect changes in the nominal execution patterns of the kernel. When a departure from the normal execution pattern is detected, an interrupt can be raised on the main CPU, allowing a mitigation routine to analyze the currently executing task that produced the anomalous kernel activity. The security monitoring system is thus a hybrid extension of the operating system kernel: an active hardware security monitor paired with a software interrupt service routine that analyzes and manages the specific nature of the attack on the OS kernel. The primary objective of the ARM project is to create the infrastructure for an autonomic kernel protection system and then to productize this infrastructure.
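The following Python sketch is an added illustration of the transition-pattern idea described above; it is not code from the abstract or from the ARM project. It learns successor frequencies between hypothetical kernel components from constructed "normal" traces, then flags transitions in a new trace that fall outside that profile, which is the decision point at which the co-processor would interrupt the main CPU. All component names, traces and the probability threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed "normal" kernel execution traces (hypothetical component names):
# each list is the sequence of kernel components a task passes through.
NORMAL_TRACES = [
    ["syscall", "vfs", "ext4", "block", "vfs", "syscall"],
    ["syscall", "vfs", "pipe", "sched", "vfs", "syscall"],
    ["syscall", "net", "tcp", "sched", "net", "syscall"],
    ["syscall", "vfs", "ext4", "block", "sched", "block", "vfs", "syscall"],
    ["syscall", "mm", "sched", "mm", "syscall"],
]


def build_profile(traces):
    """Transition profile: for each component, the relative frequency of
    each successor component. This is the 'predictable pattern' of normal
    kernel operation that the monitor compares against."""
    counts = defaultdict(Counter)
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            counts[src][dst] += 1
    profile = {}
    for src, succ in counts.items():
        total = sum(succ.values())
        profile[src] = {dst: n / total for dst, n in succ.items()}
    return profile


def score_trace(profile, trace, min_prob=0.05):
    """Return the transitions in `trace` that depart from the profile:
    component pairs never seen in training, or seen with probability
    below the (assumed) threshold min_prob. Each entry is (src, dst, p)."""
    anomalies = []
    for src, dst in zip(trace, trace[1:]):
        p = profile.get(src, {}).get(dst, 0.0)
        if p < min_prob:
            anomalies.append((src, dst, p))
    return anomalies


def should_interrupt(profile, trace, tolerated=0):
    """Co-processor side decision: True means 'raise an interrupt on the
    main CPU' so a mitigation routine can examine the current task."""
    return len(score_trace(profile, trace)) > tolerated
```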