RE: HIDS - new technologies ?

From: Lawless, Tim (tim.lawless@eds.com)
Date: 07/11/02


From: "Lawless, Tim" <tim.lawless@eds.com>
To: "'kunal@geosofttech.net'" <kunal@geosofttech.net>
Date: Thu, 11 Jul 2002 16:51:54 -0400


There has been some work on doing intrusion detection systems that are based on system calls.

For the Linux environment, for example, I am aware of three or four such systems that have stuff available publicly for Linux.

Cylant Secure (http://cylant.com) is a HIDS that places sensors inside the system calls to monitor the occurrence of certain system calls within processes. It also pays attention to the data passed to these system calls. The last time I looked at this system (about a year ago) the system was in beta but showed great promise. Its analytical engine for analyzing the system calls was outside the system, so it had some latency between the events that it detected and the actual detection (and response). I believe since then it is now also on the FreeBSD platform.

A more finely grained HIDS is based on the work of Stephanie Forrest at UNM and her work on Auto-Immune System for Computers. On the surface the work of Cylant may appear similar to Forrest's work, but the mechanisms they are using to achieve the same ends differ. A pointer to information on this work is located at http://www.cs.unm.edu/~immsec/publications/abstracts.htm. The PH kernel module is an implementation of these methods that uses sequences of system calls to determine if a violation of system security has occurred. I believe there is some work to implement this system on the OpenBSD platform.

The third is a project that I have been playing with, the StJude Project. The goal is to develop a system that could detect root level compromises on protected systems, and respond to terminate the root level compromises before they occur. It is more coarsely grained than the previous two products, and more focused in purpose. The whole of the IDS, including the analytical engine, is located in the kernel. In contrast to the previous two systems, StJude is not statistical anomaly detection, but rather rule-based anomaly detection that uses a markov-chain-like[1] model of system behavior to predict when an event occurs that would transition the system into a compromised state.

Information on StJude can be found on
http://www.sourceforge.net/projects/stjude
(There is no pretty webpage for this project).

[1] Markov-chain-like because one rule in the model exists to prohibit the escalation of privilege by only allowing loss of privilege. In a way it's similar to the * principle in Bell-LaPadula.

Tim Lawless, CISSP
EDS Global Information Assurance Services
Tim.Lawless@eds.com

The views and opinions expressed within this document do not necessarily represent the views and opinions held by EDS GIAS, or EDS.
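The sequence-based approach Tim attributes to the UNM work behind pH can be shown in a few dozen lines: learn every length-k window of system calls a program emits while behaving normally, then flag windows never seen in training and cluster the misses before raising an alarm. The block below is an added illustration written for this page, not code from pH, Cylant or StJude; the window length K, the locality-frame length, the alarm threshold and the two traces of a hypothetical network daemon are constructed assumptions, and a real sensor would read the call sequences from the kernel rather than from lists.

```python
"""Syscall-sequence anomaly detection in the style of the UNM immune-system work.

Added illustration for this page, not code from pH, Cylant or StJude.
K, the frame length, the threshold and the traces below are assumptions.
"""
from typing import Iterable, List, Sequence, Set, Tuple

K = 6  # window length (assumed; the UNM papers report k=6 working well)

Window = Tuple[str, ...]

# Constructed "normal" traces for a hypothetical single-threaded network daemon.
NORMAL_TRACES: List[List[str]] = [
    ["socket", "bind", "listen", "accept", "read", "write", "close",
     "accept", "read", "write", "close", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close",
     "accept", "read", "write", "close"],
]

# Constructed trace of the same daemon after a request has hijacked control:
# the request handler suddenly changes uid and executes another program.
ATTACK_TRACE: List[str] = [
    "socket", "bind", "listen", "accept", "read", "read",
    "setuid", "execve", "open", "read", "write", "close",
]


def windows(trace: Sequence[str], k: int = K) -> Iterable[Window]:
    """Yield every length-k window of consecutive calls in `trace`."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def build_normal_db(traces: Iterable[Sequence[str]], k: int = K) -> Set[Window]:
    """The 'normal database': the set of windows observed during training."""
    db: Set[Window] = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def mismatches(trace: Sequence[str], db: Set[Window], k: int = K) -> List[int]:
    """Indices of windows in `trace` that are absent from the normal database."""
    return [i for i, w in enumerate(windows(trace, k)) if w not in db]


def locality_frame_count(trace: Sequence[str], db: Set[Window],
                         k: int = K, frame: int = 20) -> int:
    """Largest number of mismatches inside any `frame` consecutive windows.

    Clustering mismatches this way separates a genuine attack (many misses
    close together) from an occasional unseen-but-benign window; the frame
    length is an assumed tuning value here.
    """
    hits = set(mismatches(trace, db, k))
    n_windows = max(0, len(trace) - k + 1)
    return max((sum(1 for i in range(s, min(s + frame, n_windows)) if i in hits)
                for s in range(n_windows)), default=0)


def is_anomalous(trace: Sequence[str], db: Set[Window],
                 threshold: int = 3, k: int = K) -> bool:
    """Alarm when the locality frame count reaches `threshold` (assumed value)."""
    return locality_frame_count(trace, db, k) >= threshold


if __name__ == "__main__":
    db = build_normal_db(NORMAL_TRACES)
    for name, trace in (("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)):
        print(name, "mismatches at", mismatches(trace, db),
              "alarm:", is_anomalous(trace, db))
```

With only two training traces the database is tiny, so a benign trace that interleaves `read`/`read` and `read`/`write` requests in an order not seen during training would also produce a miss; that is exactly why the decision is taken on the clustered count rather than on any single unseen window, and why the UNM approach needs a long training period before the normal database is trusted.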

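The footnote's rule, that the model permits loss of privilege but never its escalation, is the kind of thing a small state machine can make concrete. The block below is an added illustration in the spirit of the Markov-chain-like model Tim describes, not StJude's code or its actual rule set; the event format, the allow-list of setuid-root programs that are permitted to raise a process to euid 0, and the three sample event streams are constructed assumptions.

```python
"""Rule-based privilege-transition check: a process may drop privilege freely,
but may only regain euid 0 through an explicitly permitted path.

Added illustration for this page, not StJude's code. Event format, the
allow-list and the sample streams are assumptions.
"""
from typing import FrozenSet, List, Sequence, Tuple

ROOT = 0
# ("start", euid) | ("setuid", euid) | ("execve", path)
Event = Tuple[str, object]

# Assumed: programs whose execution is allowed to raise a process to euid 0.
SETUID_ROOT_PROGRAMS: FrozenSet[str] = frozenset({"/usr/bin/passwd", "/bin/su"})

# Constructed event streams for single processes.
DROP_PRIVS_OK: List[Event] = [
    ("start", 0), ("setuid", 1000), ("execve", "/usr/sbin/worker"),
]
DAEMON_REGAINS_ROOT: List[Event] = [
    ("start", 0), ("setuid", 1000), ("execve", "/usr/sbin/worker"),
    ("setuid", 0),  # unprivileged process becomes root without a permitted path
]
USER_RUNS_PASSWD: List[Event] = [
    ("start", 1000), ("execve", "/usr/bin/passwd"), ("setuid", 1000),
]


def check_process(events: Sequence[Event],
                  setuid_root: FrozenSet[str] = SETUID_ROOT_PROGRAMS) -> List[str]:
    """Replay one process's events and describe every transition that would move
    it from an unprivileged state back to euid 0 by a path the model does not
    permit. An empty list means the stream obeys the 'privilege only decreases'
    rule."""
    violations: List[str] = []
    euid = None
    for idx, (kind, arg) in enumerate(events):
        if kind == "start":
            euid = int(arg)
            continue
        if euid is None:
            raise ValueError("event stream must begin with a 'start' event")
        if kind == "setuid":
            new = int(arg)
            if euid != ROOT and new == ROOT:
                violations.append(f"event {idx}: setuid({new}) from euid {euid} "
                                  "regains root without a permitted path")
            euid = new
        elif kind == "execve":
            path = str(arg)
            # Executing an allow-listed setuid-root binary is the one permitted
            # way up; executing anything else keeps the current euid.
            if path in setuid_root:
                euid = ROOT
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return violations


if __name__ == "__main__":
    for name, stream in (("drop privs", DROP_PRIVS_OK),
                         ("daemon regains root", DAEMON_REGAINS_ROOT),
                         ("user runs passwd", USER_RUNS_PASSWD)):
        print(name, "->", check_process(stream) or "ok")
```

Because the check is a fixed rule over state transitions rather than a statistical profile, it needs no training data and fires on the first offending event; the price is that it only catches compromises that manifest as a forbidden transition, which is the coarser, more focused scope Tim describes for StJude.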
-----Original Message-----
From: Kunal Rupera [mailto:kunal@geosofttech.net]
Sent: Wednesday, July 10, 2002 4:13 PM
To: focus-ids@securityfocus.com
Subject: HIDS - new technologies ?

Hello everyone ..!
        Currently host based intrusion detection systems usually consist of programs like Sentinel or Tripwire which do file integrity checks using various checksumming algorithms. Now there are some new upcoming technologies like HIDS based on system calls. http://imsafe.sourceforge.net/ <---- to quote a very crude example.. something on these lines but not exactly the way imsafe functions. Now would it be possible to make a HIDS that is based on system calls? To cite an example, most windows based anti viral programs hook the I/O calls and do not let an infected.exe get executed. So would it be possible to write a program which monitors for executable files and when one is executed, checks if it contains "bad" signatures and allows or prevents that executable file from getting executed? {this applies to *nix platforms} So that exploits (mostly local root buffer overflows) can be prevented from running? .. Of course such HIDS systems would have the limitations that most NIDS systems have, e.g. encrypted payload to cite one of them... etc.. but won't it be effective for most cases?
Views/Flames/Ideas/Help/Links/Discussions. all welcome... :)..

Kunal
Unix System Administrator
Sun Certified Solaris Administrator
