Information Flow Control for Intrusion Detection Derived From MAC Policy
Most of today's MAC implementations can be switched to a permissive mode, in which no enforcement is performed but alerts are raised instead. This behavior is very close to an anomaly IDS, except that the system is configured through a MAC policy. MAC implementations such as SELinux and AppArmor ship with a default policy containing real-life, practical rules that are ready to be used as is or as a basis for a custom policy. In this paper, the authors first propose an extension of IDS based on information flow control. They address issues concerning program execution and improve the IDS's expressiveness in terms of security policy.
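As an added illustration (not the paper's implementation and not a real SELinux or AppArmor policy), the toy monitor below models a MAC check that, in permissive mode, raises an alert instead of blocking, and extends it with information-flow tracking: labels of data a process has read are carried across program execution, so a flow from a sensitive type to a public sink is flagged even when each access is individually allowed. All domains, types and rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed MAC access policy: (subject domain, object type) -> allowed perms.
ACCESS_POLICY = {
    ("backup_t", "shadow_t"): {"read"},
    ("backup_t", "backup_store_t"): {"write"},
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"write"},
}
# Constructed flow policy: data labelled by a source type must never reach
# these sink types, even through a chain of individually allowed accesses.
FLOW_POLICY = {"shadow_t": {"httpd_content_t", "httpd_log_t"}}

@dataclass
class Monitor:
    permissive: bool                      # True: alert only; False: enforce
    taint: dict = field(default_factory=dict)   # pid -> set of types read
    alerts: list = field(default_factory=list)

    def access(self, pid, domain, otype, perm):
        """Check one access; return True if it is (or would be) performed."""
        if perm not in ACCESS_POLICY.get((domain, otype), set()):
            self.alerts.append(f"avc: denied {perm} pid={pid} {domain}->{otype}")
            if not self.permissive:
                return False              # enforcing mode blocks the access
        # The access happens (allowed, or permissive): account for the flow.
        if perm == "read":
            self.taint.setdefault(pid, set()).add(otype)
        elif perm == "write":
            for src in self.taint.get(pid, set()):
                if otype in FLOW_POLICY.get(src, set()):
                    self.alerts.append(f"flow: {src} -> {otype} via pid={pid}")
        return True

    def spawn(self, parent, child):
        """Program execution: the child inherits the labels its parent read."""
        self.taint[child] = set(self.taint.get(parent, set()))

def demo(permissive):
    """Constructed scenario; returns the alerts raised in the given mode."""
    m = Monitor(permissive)
    m.access(1, "backup_t", "shadow_t", "read")            # allowed, taints pid 1
    m.access(1, "backup_t", "httpd_content_t", "write")    # denied by MAC policy
    m.spawn(1, 2)                                          # labels follow the exec
    m.access(2, "httpd_t", "httpd_log_t", "write")         # allowed, but a bad flow
    return m.alerts
```

In enforcing mode the denied write is blocked, so only the leak through the child process is reported; in permissive mode the write goes ahead and the flow tracker additionally reports the direct leak.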