Slashdot Mirror


OpenBSD Gains "Fuzzy" User Profiling IDS

NaveWeiss writes "According to the OpenBSD Journal, major work has been done on an innovative new OpenBSD feature termed 'fuzzy user profile intrusion detection system' - or 'fupids'. According to Steffen Wendzel, the code 'creates profiles for every user who does an execve() syscall on obsd systems.'"

4 of 54 comments

  1. ...noexec/ro on partitions... by Hobart · Score: 4, Interesting

    Another good move along these lines, I think, might be to mount all partitions as noexec, and mount all the partitions with executable content as read-only...

    --
    o/~ Join us now and share the software ...
    1. Re:...noexec/ro on partitions... by anthonyrcalgary · Score: 2, Interesting

      That would be a major pita if they did it by default...

      --
      When someone might yell at me, it has to be OpenBSD.
    2. Re:...noexec/ro on partitions... by tiger99 · Score: 3, Interesting

      I wonder how that would compare to a well-known badly broken OS, where you can't even make some executable files, and dlls, RO without breaking everything. Keeping all the executable stuff in RO partitions has its attractions, if it is possible to work that way.

      Taking this a step further, if it was not for the performance problem, could you not just put the executables on a CD (in a read-only drive of course), which could be updated only by having physical access, and a suitably equipped PC with writer to do the update.

      Or, would this cause some undesirable effect as a result of configuring the OS to boot from CD?

      Thinking a bit more, how about putting the lot in flash with the write disabled in hardware (keyswitch for example)? Would that achieve the same effect, or at least something useful?
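A small checker for the partition policy Hobart and tiger99 describe above: every filesystem mounted noexec, except those that hold executables, which are mounted read-only. This is an added example, not code from the thread, from OpenBSD or from fupids. The sample fstab, its device names, and the choice of `/` and `/usr` as the only executable filesystems are assumptions made for the example.

```python
# Added example (not from the thread): audit an fstab against the
# "noexec everywhere, read-only where executables live" policy proposed above.

# Constructed sample fstab in OpenBSD style; device names and layout are assumptions.
SAMPLE_FSTAB = """\
# device    mountpoint  fstype  options                 dump pass
/dev/sd0a   /           ffs     rw                      1 1
/dev/sd0d   /usr        ffs     rw,nodev                1 2
/dev/sd0e   /var        ffs     rw,nodev,nosuid         1 2
/dev/sd0f   /tmp        ffs     rw,nodev,nosuid,noexec  1 2
/dev/sd0g   /home       ffs     rw,nodev,nosuid         1 2
"""

# Assumption: only these mount points are meant to hold executables.
EXEC_MOUNTS = frozenset({"/", "/usr"})


def parse_fstab(text):
    """Return (device, mountpoint, fstype, option-set) for each non-comment entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:  # malformed line: skip rather than guess
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append((device, mountpoint, fstype, frozenset(options.split(","))))
    return entries


def hardened_options(mountpoint, options, exec_mounts=EXEC_MOUNTS):
    """Return the option set the policy wants for this mount point."""
    if mountpoint in exec_mounts:
        # executables live here: read-only, so updates need an explicit remount
        return (options - {"rw"}) | {"ro"}
    # everything else: nothing may be executed from it
    return options | {"noexec"}


def audit_fstab(text, exec_mounts=EXEC_MOUNTS):
    """Return (mountpoint, current_options, wanted_options) for every deviating entry."""
    findings = []
    for _device, mountpoint, _fstype, options in parse_fstab(text):
        wanted = hardened_options(mountpoint, options, exec_mounts)
        if wanted != options:
            findings.append((mountpoint, sorted(options), sorted(wanted)))
    return findings


if __name__ == "__main__":
    for mountpoint, current, wanted in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: {','.join(current)} -> {','.join(wanted)}")
```

On the sample above only /tmp already satisfies the policy; / and /usr are reported as writable, /var and /home as lacking noexec. The replies in this thread already point at the practical cost: a read-only root filesystem still has to accommodate /etc and /root, and noexec on /tmp breaks any installer or build script that unpacks and runs something there, so the policy needs per-host exceptions before it can be a default.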

  2. Does it log activity? by fuzzybunny · Score: 3, Interesting

    He mentions that it sets a threshold of user activity, such as using too many new programs within a limited space of time.

    Any indication that it does some sort of observation of user activity (think Bayesian learning for spam filters) to build profiles which, if exceeded by too high a metric within too short a time, would also trigger a log error?

    --
    Cole's Law: Thinly sliced cabbage
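A user-space sketch of the profiling idea the summary and fuzzybunny's comment describe: build a per-user profile of the programs each user has exec'd, and raise an alert when a user runs more previously unseen programs in a short window than a threshold allows. This is an added example, not fupids code and not how the kernel-side implementation scores anything; the event list, the window and threshold values, and the learning-phase cutoff are assumptions. The real project hooks execve() in the kernel, whereas this consumes an already collected stream of exec events.

```python
# Added example (not fupids code): a user-space sketch of the profiling idea
# in the thread. Each user gets a profile of programs they have exec'd; running
# too many previously unseen programs within a short window raises an alert.
from collections import defaultdict, deque

# Constructed sample exec events: (unix time, user, program). Not real audit data.
SAMPLE_EVENTS = [
    (100, "alice", "/bin/ls"),
    (101, "alice", "/usr/bin/vi"),
    (102, "alice", "/bin/ls"),
    (900, "alice", "/usr/bin/ssh"),
    (3600, "bob", "/bin/ls"),
    (3601, "bob", "/usr/bin/nc"),
    (3602, "bob", "/usr/bin/cc"),
    (3603, "bob", "/usr/local/bin/nmap"),
    (3604, "bob", "/usr/bin/perl"),
]


class ExecProfiler:
    def __init__(self, window, max_new, learning_until=0):
        self.window = window                  # seconds over which new programs are counted
        self.max_new = max_new                # more new programs than this in a window -> alert
        self.learning_until = learning_until  # events before this time only train the profile
        self.known = defaultdict(set)         # user -> programs seen so far
        self.recent_new = defaultdict(deque)  # user -> times of recent first-time execs

    def observe(self, ts, user, program):
        """Update the user's profile; return (ts, user, program, count) on alert, else None."""
        if program in self.known[user]:
            return None               # matches the profile, nothing to report
        self.known[user].add(program)
        if ts < self.learning_until:
            return None               # still learning: everything is new, so no alerting
        recent = self.recent_new[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()          # forget first-time execs that fell out of the window
        if len(recent) > self.max_new:
            return (ts, user, program, len(recent))
        return None


def run_profiler(events, window=60, max_new=3, learning_until=0):
    """Feed events in time order; return the list of alerts raised."""
    profiler = ExecProfiler(window, max_new, learning_until)
    alerts = []
    for ts, user, program in events:
        alert = profiler.observe(ts, user, program)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for ts, user, program, count in run_profiler(SAMPLE_EVENTS):
        print(f"t={ts} {user}: {count} new programs within 60s, latest {program}")
```

On the sample, alice's fourth program arrives long after her first ones and raises nothing, while bob runs five unseen programs in five seconds and trips the threshold on the fourth and fifth. Bob also shows the cold-start problem fuzzybunny's question implies: a user with no history sees every program as new, so a learning period (the `learning_until` cutoff here) or a per-user baseline is needed before alerts mean anything. This sketch uses a hard count; a fuzzy score, as the project's name suggests, would grade how far the activity departs from the profile rather than flip at a fixed number.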