Solaris BSM data has been used in a number of studies for its value as raw input to IDS systems. In general, the major problem for all of these has been applying the analysis to general-purpose user hosts. What I propose is to attack the problem by looking at data from single-function hosts such as firewalls, DNS servers and application servers, where the range of expected behavior is far more clearly defined.
There are several ways to use system auditing data (BSM) to gather information about system intrusions and host misbehavior. These include statistical analysis, neural-network-based learning tools, state-based monitoring and entropy tracking. An overall plan and background information will be presented, with the hope that the best process will be used on both the production hosts and the array of lca's in the field. Since I am learning this material as I fill in this site, the data presented may change at times or be incorrect. This page will be used, more or less, as a place to keep notes and findings.
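To make the single-function-host idea and the statistical/entropy-tracking approach concrete, here is a small added example (my own illustration, not code or data from this page or from any BSM tool). It builds a behavioural profile of a DNS server from a known-good window of audit records, then compares a later window against it: any (event, process) pair never seen in the baseline is flagged, and the Shannon entropy of the pair distribution is reported, since a narrow host should have a low, stable entropy. The records are constructed and use a simplified `event,process,result` layout loosely modelled on praudit text output (assumption: real praudit records carry more tokens and a different structure); the AUE_* names follow BSM's event naming.

```python
"""Profile a single-function host's BSM event mix against a known-good baseline.

Added example, not code from the original page. The audit records below are
constructed and use a simplified comma-separated layout loosely modelled on
praudit text output (assumption: real BSM/praudit records carry more fields
and a different token structure). Event names follow BSM's AUE_* naming.
"""
import math
from collections import Counter

# Constructed baseline: a quiet DNS server whose only daemon of interest
# is named. The narrow, stable mix is what makes deviations easy to see.
BASELINE_LINES = [
    "AUE_ACCEPT,named,success",
    "AUE_ACCEPT,named,success",
    "AUE_CONNECT,named,success",
    "AUE_OPEN_R,named,success",
    "AUE_OPEN_R,named,failure",
    "AUE_ACCEPT,named,success",
    "AUE_CONNECT,named,success",
    "AUE_OPEN_R,named,success",
]

# Constructed observation window: same host, but named has spawned a shell
# that then changes its uid. Those (event, process) pairs never occur in
# the baseline profile of this host.
OBSERVED_LINES = [
    "AUE_ACCEPT,named,success",
    "AUE_CONNECT,named,success",
    "AUE_FORK,named,success",
    "AUE_EXECVE,sh,success",
    "AUE_SETUID,sh,success",
    "AUE_OPEN_R,named,success",
    "AUE_ACCEPT,named,success",
    "AUE_OPEN_W,sh,success",
]


def parse_records(lines):
    """Turn 'event,process,result' lines into tuples; skip malformed lines."""
    records = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def pair_distribution(records):
    """Count (event, process) pairs; this is the host's behavioural profile."""
    return Counter((event, proc) for event, proc, _ in records)


def shannon_entropy(counts):
    """Entropy in bits of a Counter; low entropy = narrow, predictable mix."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def compare_to_baseline(baseline_lines, observed_lines):
    """Report pairs unseen in the baseline and the change in profile entropy."""
    base = pair_distribution(parse_records(baseline_lines))
    obs = pair_distribution(parse_records(observed_lines))
    unseen = sorted(pair for pair in obs if pair not in base)
    h_base = shannon_entropy(base)
    h_obs = shannon_entropy(obs)
    return {
        "unseen_pairs": unseen,
        "unseen_events": sum(obs[p] for p in unseen),
        "entropy_baseline": h_base,
        "entropy_observed": h_obs,
        "entropy_delta": h_obs - h_base,
    }


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE_LINES, OBSERVED_LINES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the baseline profile has three pairs and an entropy of about 1.56 bits, while the observed window has seven pairs and 2.75 bits; the four unseen pairs (named forking, a shell executing, setuid and a write-open by that shell) are exactly what a state-based or statistical monitor on a DNS host should surface. The same two signals (unseen pairs and entropy drift) are what a general-purpose user host makes hard to use, because its baseline is wide and unstable.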
A schematic tree of some ideas is seen below:
[schematic tree image not reproduced in this extraction]
Note - this is a developing project. Not all links will lead to good data, and I am not using a spell check. Please be nice.