2004
Intrusion detection system based on process behavior rating
PLUSKAL, Tomáš
Basic information
Original title
Intrusion detection system based on process behavior rating
Authors
PLUSKAL, Tomáš
Publication
50 pp., 2004
Further information
Type of result
Monograph
Confidentiality
not subject to state or trade secrecy
Links
Changed: 26 Oct 2004 16:48, Mgr. Tomáš Pluskal
Abstract
In the original
The goal of the work is to implement a kernel module for the FreeBSD operating system, performing a defined set of tests on every running process in the OS and rating results of these tests according to whether they correspond to a common benign process or to a process performing a dangerous or suspicious activity. An occurrence of a process with a score exceeding a predefined threshold will be reported as a potential intrusion. Part of the work is to prepare a basic set of tests analyzing instantaneous properties of a process as well as its behaviour and unexpected changes in this behaviour in particular, and to determine suitable parameters used to rate results of these tests. The implemented tests focus on 3 types of common security problems: buffer overflow, symlink attack and denial of service. Parameter assignment is realized using a genetic algorithm. At the end, a possible future approach to developing such a detection system is proposed.
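The scheme the abstract describes (a set of per-process tests, each rated 0..1, a weighted sum compared against a threshold, and weights plus threshold tuned by a genetic algorithm) can be sketched in userland C. The following is an added illustration written for this record, not code from the thesis or its kernel module: the snapshot fields, the four tests, the labelled sample processes and the GA settings are all assumptions constructed for the example, and the ratings are computed from an embedded array rather than from FreeBSD kernel process structures.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NTESTS 4

/* One snapshot of a process's instantaneous properties and behaviour. Field names are
 * assumptions for this illustration; a kernel module would fill them from proc structures. */
struct proc_snapshot {
    int    stack_exec;      /* code executed from the stack: buffer-overflow indicator */
    int    tmp_symlinks;    /* symlinks followed in world-writable dirs: symlink-attack indicator */
    double cpu_share;       /* fraction of CPU used over the sampling window: DoS indicator */
    double fork_rate_delta; /* growth of fork rate vs. the process's own history: behaviour change */
    int    is_malicious;    /* ground-truth label, used only when tuning parameters */
};

typedef double (*test_fn)(const struct proc_snapshot *);

/* Each test rates one property in [0,1]: 0 = typical benign process, 1 = clearly suspicious. */
static double test_stack_exec(const struct proc_snapshot *p) { return p->stack_exec ? 1.0 : 0.0; }
static double test_symlink(const struct proc_snapshot *p) { return p->tmp_symlinks >= 3 ? 1.0 : p->tmp_symlinks / 3.0; }
static double test_cpu(const struct proc_snapshot *p) { return p->cpu_share > 0.9 ? 1.0 : p->cpu_share; }
static double test_fork_change(const struct proc_snapshot *p) {
    double d = p->fork_rate_delta;
    return d > 1.0 ? 1.0 : (d < 0.0 ? 0.0 : d);
}
static const test_fn tests[NTESTS] = { test_stack_exec, test_symlink, test_cpu, test_fork_change };

/* The parameters the genetic algorithm tunes: one weight per test and the alarm threshold. */
struct params { double w[NTESTS]; double threshold; };

/* Weighted sum of all test ratings for one process. */
double rate_process(const struct proc_snapshot *p, const struct params *prm) {
    double score = 0.0;
    for (int i = 0; i < NTESTS; i++) score += prm->w[i] * tests[i](p);
    return score;
}

/* A process whose score exceeds the threshold is reported as a potential intrusion. */
int is_intrusion(const struct proc_snapshot *p, const struct params *prm) {
    return rate_process(p, prm) > prm->threshold;
}

/* Fitness of a parameter set: how many labelled snapshots it classifies correctly. */
int fitness(const struct params *prm, const struct proc_snapshot *s, int n) {
    int ok = 0;
    for (int i = 0; i < n; i++) ok += (is_intrusion(&s[i], prm) == s[i].is_malicious);
    return ok;
}

/* Small deterministic PRNG (LCG) so a tuning run is reproducible. */
static uint64_t rng_state = 12345;
static double rnd(void) {
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (double)(rng_state >> 33) / 2147483648.0;
}

#define POP  30
#define GENS 300

static int best_of(const struct params *pop, const struct proc_snapshot *s, int n) {
    int best = 0;
    for (int i = 1; i < POP; i++) if (fitness(&pop[i], s, n) > fitness(&pop[best], s, n)) best = i;
    return best;
}

/* Tournament selection: the fitter of two random individuals. */
static const struct params *tournament(const struct params *pop, const struct proc_snapshot *s, int n) {
    const struct params *a = &pop[(int)(rnd() * POP)], *b = &pop[(int)(rnd() * POP)];
    return fitness(a, s, n) >= fitness(b, s, n) ? a : b;
}

/* Genetic algorithm: evolve weights and threshold against labelled snapshots with elitism. */
struct params tune_params(const struct proc_snapshot *s, int n) {
    struct params pop[POP], next[POP];
    for (int i = 0; i < POP; i++) {
        for (int k = 0; k < NTESTS; k++) pop[i].w[k] = rnd() * 10.0;
        pop[i].threshold = rnd() * 10.0;
    }
    for (int g = 0; g < GENS; g++) {
        next[0] = pop[best_of(pop, s, n)];          /* elitism: never lose the current best */
        for (int i = 1; i < POP; i++) {
            const struct params *pa = tournament(pop, s, n), *pb = tournament(pop, s, n);
            for (int k = 0; k < NTESTS; k++) {      /* uniform crossover, then occasional mutation */
                next[i].w[k] = rnd() < 0.5 ? pa->w[k] : pb->w[k];
                if (rnd() < 0.1) next[i].w[k] += (rnd() - 0.5) * 2.0;
                if (next[i].w[k] < 0.0) next[i].w[k] = 0.0;
            }
            next[i].threshold = rnd() < 0.5 ? pa->threshold : pb->threshold;
            if (rnd() < 0.1) next[i].threshold += (rnd() - 0.5) * 2.0;
            if (next[i].threshold < 0.0) next[i].threshold = 0.0;
        }
        memcpy(pop, next, sizeof pop);
    }
    return pop[best_of(pop, s, n)];
}

/* Constructed labelled snapshots (not real measurements): four benign processes, then one
 * case each of the three problem classes the tests target, plus a mixed symlink/fork case. */
const struct proc_snapshot samples[] = {
    { 0, 0, 0.10, 0.0, 0 },   /* idle shell */
    { 0, 1, 0.30, 0.2, 0 },   /* editor that followed one /tmp symlink */
    { 0, 0, 0.95, 0.0, 0 },   /* CPU-bound compile job: busy, but no other signs */
    { 0, 2, 0.20, 0.1, 0 },   /* build script using a couple of /tmp links */
    { 1, 0, 0.10, 0.0, 1 },   /* buffer overflow: executing from the stack */
    { 0, 4, 0.10, 0.0, 1 },   /* symlink attack on a temp file */
    { 0, 0, 0.98, 2.5, 1 },   /* denial of service: fork bomb */
    { 0, 3, 0.50, 0.3, 1 },   /* symlink attack with unusual fork activity */
};
const int nsamples = (int)(sizeof samples / sizeof samples[0]);

int main(void) {
    struct params prm = tune_params(samples, nsamples);
    printf("weights:");
    for (int k = 0; k < NTESTS; k++) printf(" %.2f", prm.w[k]);
    printf("  threshold: %.2f  correct: %d/%d\n", prm.threshold, fitness(&prm, samples, nsamples), nsamples);
    for (int i = 0; i < nsamples; i++)
        printf("process %d: score %.2f -> %s\n", i, rate_process(&samples[i], &prm),
               is_intrusion(&samples[i], &prm) ? "POTENTIAL INTRUSION" : "benign");
    return 0;
}
```

The point the sample set makes is the one the abstract implies: no single property separates benign from malicious (the compile job saturates the CPU, the build script follows /tmp links), so the weights and the threshold have to be fitted jointly, which is what the GA's fitness function over labelled snapshots does. With rating thresholds like these the false-positive rate depends entirely on how representative the benign samples are, so a deployment would tune against its own baseline rather than the constructed set above.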