B 2004

Intrusion detection system based on process behavior rating

PLUSKAL, Tomáš

Basic information

Original name

Intrusion detection system based on process behavior rating

Authors

PLUSKAL, Tomáš

Edition

50 pp. 2004

Other information

Type of outcome

Odborná kniha

Confidentiality degree

není předmětem státního či obchodního tajemství

References:

URL
Změněno: 26/10/2004 16:48, Mgr. Tomáš Pluskal

Abstract

V originále

The goal of the work is to implement a kernel module for the FreeBSD operating system, performing a defined set of tests on every running process in the OS and rating results of these tests according to whether they correspond to a common benign process or to a process performing a dangerous or suspicious activity. An occurence of a process with a score exceeding a predefined threshold will be reported as a potential intrusion. Part of the work is to prepare a basic set of tests analyzing instantaneous properties of a process as well as its behaviour and unexpected changes in this behaviour in particular, and to determine suitable parameters used to rate results of these tests. The implemented tests focus on 3 types of common security problems: buffer overflow, symlink attack and denial of service. Parameter assignment is realized using a genetic algorithm. At the end, a possible future approach to developping such a detection system is proposed.
Displayed: 5/11/2024 07:30