RE: HIDS - new technologies ?

From: Brennen Reynolds (bereynolds@ucdavis.edu)
Date: 07/11/02


Date: Wed, 10 Jul 2002 21:16:23 -0700
From: Brennen Reynolds <bereynolds@ucdavis.edu>
To: kunal@geosofttech.net, focus-ids@securityfocus.com

Kunal,

        While it is not a commercial IDS by any means, systrace
(http://www.citi.umich.edu/u/provos/systrace/) by Niels Provos does what you
are describing. A profile is created of acceptable system calls and if an
anomaly is detected an appropriate action is taken. I believe he has
implemented in on several BSD platforms and is currently porting it to
Linux.

Brennen Reynolds
Graduate Researcher
Security & Network Lab
University of California, Davis

-----Original Message-----
From: Kunal Rupera [mailto:kunal@geosofttech.net]
Sent: Wednesday, July 10, 2002 1:13 PM
To: focus-ids@securityfocus.com
Subject: HIDS - new technologies ?

Hello everyone ..!
        Currently host based intrusion detection systems usually consists of
programs like Sentinel or Tripwire which do file integrity checks using
various checksumming algorithms. Now there are some new upcoming
technologies like HIDS based on system calls.
http://imsafe.sourceforge.net/ <---- to quote a very crude example..
something on these lines but not exactly the way imsafe functions. Now would
it be possible to make a HIDS that is based on system calls? . to site a
example, most windows based anti viral programs hook the I/O calls and do
not let a infected.exe get executed. so would it be possible to write a
program which monitors for executable files and when one is executed, checks
if it contains "bad" signatures and allows or prevents that executable file
from getting executed? . {this applies to *nix platforms} so that exploits
(mostly local root buffer overflows) can be prevented from running? ..
ofcourse such HIDS systems would have the limitations that most NIDS systems
have eg. encrypted payload to site one of them... etc.. but wont it be
effective for most cases?
Views/Flames/Ideas/Help/Links/Discussions. all welcome... :)..

Kunal
Unix System Administrator
Sun Certified Solaris Administrator



Relevant Pages

  • RE: HIDS - new technologies ?
    ... Subject: HIDS - new technologies? ... Unix System Administrator ... Sun Certified Solaris Administrator ...
    (Focus-IDS)
  • RE: HIDS - new technologies ?
    ... While the technology emerging in the HIDS arena is gaining ground..has ... anyone actually seen market demand for a HIDS deployment? ... Subject: HIDS - new technologies? ... We are doing pure intrusion detection, ...
    (Focus-IDS)
  • Re: HIDS - new technologies ?
    ... We are doing pure intrusion detection, ... > technologies like HIDS based on system calls. ... >Unix System Administrator ...
    (Focus-IDS)