new intrusion detection system

Brian Barto bartobri at comcast.net
Tue Oct 19 14:43:45 PDT 2004


Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis. Though maybe it was 
worth a mention. The TTL (time to live) could potentially cause the IDS 
module to be easily beaten. An attack could begin and immediately go 
into a sleep state with the intent to expire the TTL. Later resuming 
with it's actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful 
idea.

Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:

>
> Hello to all,
>
> I have implemented a new type of intrusion detection system for my 
> Master thesis. I would like to announce this information, in case 
> anyone would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is 
> inspired by the SpamAssassin program, which detects spam by applying a 
> set of tests to every email message and counting a sum of point score 
> generated by each test. My IDS system applies a set of tests to every 
> running process in the OS and counts its score generated by the tests. 
> Therefore, the purpose of the IDS is not to monitor the network 
> traffic, but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready 
> for production usage, but it may serve as a good base for an 
> interesting research.
>
> If you are interested in this topic, please read the details here: 
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to 
> "freebsd-security-unsubscribe at freebsd.org"
>



More information about the freebsd-hackers mailing list