PLUSKAL, Tomáš. Intrusion detection system based on process behavior rating. 2004, 50 pp.
Basic information
Original name Intrusion detection system based on process behavior rating
Authors PLUSKAL, Tomáš.
Edition 50 pp. 2004.
Other information
Type of outcome Book on a specialized topic
Confidentiality degree is not subject to a state or trade secret
WWW URL
Changed by: Mgr. Tomáš Pluskal, učo 9651. Changed: 26/10/2004 16:48.
Abstract
The goal of the work is to implement a kernel module for the FreeBSD operating system that performs a defined set of tests on every running process in the OS and rates the results of these tests according to whether they correspond to a common benign process or to a process performing a dangerous or suspicious activity. An occurrence of a process with a score exceeding a predefined threshold will be reported as a potential intrusion. Part of the work is to prepare a basic set of tests analyzing the instantaneous properties of a process as well as its behaviour, and unexpected changes in this behaviour in particular, and to determine suitable parameters used to rate the results of these tests. The implemented tests focus on 3 types of common security problems: buffer overflow, symlink attack and denial of service. Parameter assignment is realized using a genetic algorithm. At the end, a possible future approach to developing such a detection system is proposed.