Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Gains "Fuzzy" User Profiling IDS

Posted by timothy on from the and-who-the-hell-are-you dept.

NaveWeiss writes "According to the OpenBSD Journal, major work has been done on an innovative new OpenBSD feature termed 'fuzzy user profile' intrusion detection system' - or 'fupids.' According to Steffen Wendzel, the code 'creates profiles for every user who does an execve() syscall on obsd systems.'"

6 of 54 comments (clear)

  1. Re:Link? by OldMiner · · Score: 3, Informative

    Oh, it really is hard to click on the link on the linked page, or, even worse, search Google for FUPIDS and find the page in, as he puts it, "my poor English". Pretty sparse on details when you get to it anyhow. Use the source, Luke.

    --
    You like splinters in your crotch? -Jon Caldara
  2. Courtest of Babelfish by thelaw · · Score: 3, Informative

    FUPIDS (fuzzy user of profiles intrusion detection system) is a Patch for the OpenBSD -- Kernel. FUPIDS produces user profiles and supervises their activities. Momentarily is limited to the evaluation of the programs used by the user, however still by some intelligent ueberwachungsstrategien will extend. Which I still planned at nice features experience one as soon as I it programmed and/or for any reasons directly into the ton DO -- list on the project side wrote.

    babelfish.

    --
    -- http://www.cerastes.org
  3. ...noexec/ro on partitions... by Hobart · · Score: 4, Interesting

    Another good move along these lines, I think, might be to mount all partitions as noexec, and mount all the partitions with executable content as read-only...

    --
    o/~ Join us now and share the software ...
    1. Re:...noexec/ro on partitions... by tiger99 · · Score: 3, Interesting
      I wonder how that would compare to a well-known badly broken OS, where you can't even make some executable files, and dlls, RO without breaking everything. Keeping all the executable stuff in RO partitions has its attractions, if it is possible to work that way.

      Taking this a step further, if it was not for the performance problem, could you not just put the executables on a CD (in a read-only drive of course), which could be updated only by having physical access, and a suitably equipped PC with writer to to the update.

      Or, would this cause some undesireable effect as a result of configuring the OS to boot from CD?

      Thinking a bit more, how about putting the lot in flash with the write disabled in hardware (keyswitch for example)? Would that achieve the same effect, or at least something useful?

  4. Does it log activity? by fuzzybunny · · Score: 3, Interesting


    He mentions that it sets a threshhold of user activity, such as using too many new programs within a limited space of time.

    Any indication that it does some sort of observation of user activity (think bayesian learning for spam filters) to build profiles which, if exceeded by too high a metric within too short a time, would also trigger a log error?

    --
    Cole's Law: Thinly sliced cabbage
  5. Fupids is not in OpenBSD's tree by OttoM · · Score: 3, Informative
    The summary suggests fupids is imported into the OpenBSD tree.

    This is not true. Fupids is work by a single person, who is not an OpenBSD developer. At this point in time, nothing suggests it will be put into the OpenBSD tree.