Selective monitoring of 'information flow' events??

Marcin Koziej creep at desk.pl
Thu Nov 24 15:38:08 GMT 2005


Robert,

Thank you very much for a broad answer.

I'm preparing myself for my master thesis about intelligent intrusion 
detection - I'd like to use an abstract model of computer system, where 
memory objects perform read or write operations on each other.
I'd like to use this data to train the IDS to detect yet unseen attacks. 
The techniques used will not be statistic-based, more probably using a 
semantic network and procedures to make generalised/specialised rules to 
detect suspicious activity/intrusion.

Of course, I have two opposite goals - one to keep 'memory object' as 
abstract as possible, other is to describe objects to have context (e.g. 
a file in a directory context - I'm still not sure if there won't be 
problems with this, or with filename---vnode association) with which the
learning by generalisation/specialisation will be possible.

Generally I want to provide the (Subject,Object,Operation) to userland 
application which could analyse it online or offline with AI techniques.

I was very impressed by the abstractive approach used by the MAC framework, 
which gives good access to all kinds of objects (from taking a look 
into mac_*/ policies - policy operations can use all information which 
is available to the kernel) - it is tempting to choose MAC as a perfect 
fit for this experiment.


The labels and access control of MAC modules are even more exciting, 
because there might be a feedback from the AI app to the module to track 
only objects labeled 'tainted' or block activity detected as intrusion.

As for asynchronous operations and message tracking -- I think that for 
a start I'll just need the interaction patterns between system objects 
-- it just matters that one process did a write on an IPC object, which 
could be marked 'tainted', the read from the tainted IPC object would 
taint the reader... I am, however, beginning to work on this -- so these 
requirements might not be enough to build a functional IDS. Another 
thing is, I might not understand all the nuances which asynchronous 
operation brings (this will probably come up sooner or later).

Again, thanks for the reply,
best regards,

Marcin Koziej
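The taint-propagation rule sketched in the message above (a write by a tainted subject taints the object; a read from a tainted object taints the reader) can be run as a userland analyser over a stream of (Subject, Object, Operation) triples. The following is an added example written for this page; it is not code from the original post or from the TrustedBSD MAC framework. The event format, the 'tainted' and 'protected' label names, the constructed identifiers such as "pid:100" and "ipc:shm/7", and the trace itself are all assumptions made for illustration, standing in for whatever a MAC policy module would actually export.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One access event as the mail proposes exporting it to userland.
    Identifier formats are constructed for this example."""
    subject: str  # e.g. "pid:100"
    obj: str      # e.g. "ipc:shm/7" or "file:/etc/master.passwd"
    op: str       # "read" or "write"


@dataclass
class TaintTracker:
    """Propagate a 'tainted' label along read/write flows and report
    writes from tainted subjects into objects labelled 'protected'.
    Both label names are assumptions for illustration."""
    tainted: Set[str] = field(default_factory=set)
    protected: Set[str] = field(default_factory=set)
    alerts: List[Tuple[Event, str]] = field(default_factory=list)

    def process(self, ev: Event) -> bool:
        """Apply one event to the label state; return True if it was flagged."""
        if ev.op == "read":
            # Reading a tainted object taints the reading subject.
            if ev.obj in self.tainted:
                self.tainted.add(ev.subject)
            return False
        if ev.op == "write":
            if ev.subject not in self.tainted:
                return False
            if ev.obj in self.protected:
                # Feedback point: an online analyser could ask the module to
                # deny this access instead of only recording it.
                self.alerts.append((ev, "tainted subject wrote to protected object"))
                return True
            # A write by a tainted subject taints the written object.
            self.tainted.add(ev.obj)
            return False
        raise ValueError(f"unknown operation {ev.op!r}")

    def run(self, events: Iterable[Event]) -> List[Event]:
        """Process a whole trace and return the flagged events in order."""
        return [ev for ev in events if self.process(ev)]


def demo() -> TaintTracker:
    """Run a constructed trace: taint enters from a socket, crosses an IPC
    object into a second process, which then writes a protected file."""
    tracker = TaintTracker(
        tainted={"net:socket/3"},
        protected={"file:/etc/master.passwd"},
    )
    trace = [  # constructed sample events
        Event("pid:100", "net:socket/3", "read"),             # pid:100 becomes tainted
        Event("pid:100", "ipc:shm/7", "write"),               # ipc:shm/7 becomes tainted
        Event("pid:200", "ipc:shm/7", "read"),                # pid:200 becomes tainted
        Event("pid:300", "file:/tmp/log", "write"),           # untainted writer, no change
        Event("pid:200", "file:/etc/master.passwd", "write"), # flagged
    ]
    tracker.run(trace)
    return tracker


if __name__ == "__main__":
    t = demo()
    print("tainted:", sorted(t.tainted))
    for ev, reason in t.alerts:
        print("ALERT:", ev, reason)
```

The tracker only ever grows the tainted set, which matches the message's "for a start" scope; declassification, label removal, and the ordering problems that asynchronous IPC introduces are exactly the nuances the message defers and are not modelled here.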