Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis. Though maybe it was worth a mention. The TTL (time to live) could potentially cause the IDS module to be easily beaten. An attack could begin and immediately go into a sleep state with the intent to expire the TTL. Later resuming with its actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful idea.

Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:


Hello to all,

I have implemented a new type of intrusion detection system for my Master thesis. I would like to announce this information, in case anyone would be interested in this research.

The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and summing the point scores generated by each test. My IDS system applies a set of tests to every running process in the OS and sums the scores generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.

The current system status is a "working prototype" - it is not ready for production usage, but it may serve as a good base for interesting research.

If you are interested in this topic, please read the details here: http://plusik.pohoda.cz/thesis/

Thanks,

Tomas
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
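The scoring scheme Tomas describes and the TTL concern Brian raises, worked through in an added example that is not code from the thesis or from either message. It is a user-space C model of a SpamAssassin-style process scorer: three illustrative tests award points per kernel event, the points are summed per process, and a hit is forgotten once a TTL has passed. Rule A expires hits by wall-clock time, which is the behaviour the reply worries about; Rule B, one possible mitigation, ages hits by the process's own scheduled running time, so a process that sleeps past the TTL keeps its earlier score. The test names, point values, 60-second TTL, alert threshold, the `active` clock and the two event streams are all constructed assumptions for the demonstration.

```c
/* Added example (not the thesis's kernel module): a user-space model of a process-scoring
 * IDS, showing why a wall-clock TTL can be waited out and one way to close that gap.
 * Tests, point values, TTL, threshold and sample events are constructed for illustration. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define TTL_SECONDS     60      /* how long a scored hit stays counted (assumed value)    */
#define ALERT_THRESHOLD 5.0     /* total score at which a process is flagged (assumed)    */
#define MAX_HITS        32

/* One observed event for a process. 'active' is the process's cumulative scheduled
 * (running) time at that moment; a real module would read it from the process's
 * rusage, here it is part of the constructed sample data. */
typedef struct {
    long        t;         /* wall-clock seconds since the process started          */
    long        active;    /* seconds the process has actually been running          */
    const char *syscall;
    const char *arg;       /* path, or socket type, depending on the syscall         */
    int         uid;
} event_t;

/* A scored hit remembers both clocks so either expiry rule can be applied to it. */
typedef struct { double score; long t; long active; } hit_t;

/* Each test awards points for a single event, as in the SpamAssassin analogy.
 * These three tests and their weights are illustrative only. */
static double test_exec_from_tmp(const event_t *e) {
    return (!strcmp(e->syscall, "execve") && !strncmp(e->arg, "/tmp/", 5)) ? 3.0 : 0.0;
}
static double test_unprivileged_shadow_read(const event_t *e) {
    return (!strcmp(e->syscall, "open") && !strcmp(e->arg, "/etc/master.passwd")
            && e->uid != 0) ? 2.5 : 0.0;
}
static double test_raw_socket(const event_t *e) {
    return (!strcmp(e->syscall, "socket") && !strcmp(e->arg, "SOCK_RAW")) ? 2.0 : 0.0;
}

/* Run every test over the event stream and keep the hits that scored points. */
static int collect_hits(const event_t *evs, int n, hit_t *out) {
    int nh = 0;
    for (int i = 0; i < n && nh < MAX_HITS; i++) {
        double s = test_exec_from_tmp(&evs[i]) + test_unprivileged_shadow_read(&evs[i])
                 + test_raw_socket(&evs[i]);
        if (s > 0.0) {
            out[nh].score = s; out[nh].t = evs[i].t; out[nh].active = evs[i].active; nh++;
        }
    }
    return nh;
}

/* Rule A: a hit expires TTL wall-clock seconds after it happened. A process that
 * sleeps past the TTL resumes with its earlier evidence already forgotten. */
static double score_wallclock_ttl(const event_t *evs, int n, long now) {
    hit_t hits[MAX_HITS];
    int nh = collect_hits(evs, n, hits);
    double total = 0.0;
    for (int i = 0; i < nh; i++)
        if (now - hits[i].t < TTL_SECONDS) total += hits[i].score;
    return total;
}

/* Rule B (mitigation, an assumption of this example): age hits by the process's own
 * running time. Sleeping does not advance that clock, so evidence survives the sleep. */
static double score_active_ttl(const event_t *evs, int n, long now_active) {
    hit_t hits[MAX_HITS];
    int nh = collect_hits(evs, n, hits);
    double total = 0.0;
    for (int i = 0; i < nh; i++)
        if (now_active - hits[i].active < TTL_SECONDS) total += hits[i].score;
    return total;
}

static int should_alert(double score) { return score >= ALERT_THRESHOLD; }

/* Constructed samples. FAST does both actions within seconds; PATIENT executes from
 * /tmp, sleeps well past the TTL, then reads the shadow file as an unprivileged user. */
static const event_t FAST[] = {
    {   0, 1, "execve", "/tmp/.x",            1001 },
    {   5, 2, "open",   "/etc/master.passwd", 1001 },
};
static const event_t PATIENT[] = {
    {   0, 1, "execve", "/tmp/.x",            1001 },
    { 100, 2, "open",   "/etc/master.passwd", 1001 },
};
static const int N_EVENTS = 2;

int main(void) {
    double f = score_wallclock_ttl(FAST, N_EVENTS, 5);
    double a = score_wallclock_ttl(PATIENT, N_EVENTS, 100);
    double b = score_active_ttl(PATIENT, N_EVENTS, 2);
    printf("fast,    wall-clock TTL:  %.1f -> %s\n", f, should_alert(f) ? "ALERT" : "quiet");
    printf("patient, wall-clock TTL:  %.1f -> %s\n", a, should_alert(a) ? "ALERT" : "quiet");
    printf("patient, active-time TTL: %.1f -> %s\n", b, should_alert(b) ? "ALERT" : "quiet");
    return 0;
}
```

Compile with `cc -std=c99 -o scoremodel scoremodel.c`. The fast process trips the threshold under either rule; the patient one scores only 2.5 under the wall-clock rule because its first hit is 100 seconds old, but still 5.5 under the active-time rule, since it spent only two seconds running. Whether the real module's TTL is measured in wall-clock time is not stated in the thread; the example only shows what follows if it is.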
