From: Tomas Pluskal
Date: Tue, 19 Oct 2004 13:36:32 +0200 (CEST)
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: new intrusion detection system
Message-ID: <20041019133439.X604@localhost>
List-Id: Security issues [members-only posting]

Hello to all,

I have implemented a new type of intrusion detection system for my Master's thesis. I would like to announce this information, in case anyone would be interested in this research. The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and summing the point scores generated by each test.
My IDS system applies a set of tests to every running process in the OS and counts the score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity. The current system status is a "working prototype" - it is not ready for production usage, but it may serve as a good base for interesting research. If you are interested in this topic, please read the details here: http://plusik.pohoda.cz/thesis/

Thanks,
Tomas
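The scoring model described in the post (a set of independent tests, each contributing points, summed per process and compared against a threshold), as an added userland illustration that is not the thesis's kernel module or the author's code; the process attributes, test names, weights, threshold and sample process records below are all constructed for the example.

```python
"""SpamAssassin-style additive scoring applied to process records.

Each test inspects one process and contributes a fixed point score when it
fires; the per-process total is compared to a threshold. Tests, weights and
the sample processes are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    uid: int                 # effective uid; 0 is root
    exe: str                 # path of the executable image
    cwd: str                 # current working directory
    open_files: list = field(default_factory=list)
    listening: bool = False  # process holds a listening socket


# Each rule: (name, score, predicate). Scores add up like SpamAssassin rules.
TESTS = [
    ("ROOT_FROM_TMP", 3.0, lambda p: p.uid == 0 and p.exe.startswith(("/tmp/", "/var/tmp/"))),
    ("EXE_DELETED", 2.5, lambda p: p.exe.endswith(" (deleted)")),
    ("ROOT_LISTENER_UNUSUAL_PATH", 2.0,
     lambda p: p.uid == 0 and p.listening and not p.exe.startswith(("/usr/", "/sbin/", "/bin/"))),
    ("READS_MASTER_PASSWD_NONROOT", 2.0, lambda p: p.uid != 0 and "/etc/master.passwd" in p.open_files),
    ("CWD_HIDDEN_DIR", 1.0, lambda p: any(part.startswith(".") for part in p.cwd.split("/") if part)),
]


def score_process(proc, tests=TESTS):
    """Run every test against one process; return (total score, names of tests that fired)."""
    hits = [(name, pts) for name, pts, check in tests if check(proc)]
    return sum(pts for _, pts in hits), [name for name, _ in hits]


def scan(procs, threshold=5.0, tests=TESTS):
    """Return {pid: (total, hits)} for processes whose summed score reaches the threshold."""
    flagged = {}
    for p in procs:
        total, hits = score_process(p, tests)
        if total >= threshold:
            flagged[p.pid] = (total, hits)
    return flagged


# Constructed sample process table: one ordinary daemon, one suspicious root
# process running a deleted binary out of a hidden /tmp directory, one user editor.
SAMPLE = [
    Proc(pid=412, uid=0, exe="/usr/sbin/sshd", cwd="/", listening=True),
    Proc(pid=1337, uid=0, exe="/tmp/.x/httpd (deleted)", cwd="/tmp/.x", listening=True),
    Proc(pid=2201, uid=1001, exe="/usr/local/bin/vim", cwd="/home/alice/.vim"),
]

if __name__ == "__main__":
    for pid, (total, hits) in scan(SAMPLE).items():
        print(f"pid {pid}: score {total} from {hits}")
```

Only pid 1337 crosses the threshold; the editor in a dotted directory collects a single low-weight point, which is the property that makes additive scoring tolerant of individually benign oddities.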