OpenBSD Gains "Fuzzy" User Profiling IDS 54
NaveWeiss writes "According to the OpenBSD Journal, major work has been done on an innovative new OpenBSD feature termed 'fuzzy user profile' intrusion detection system' - or 'fupids.' According to Steffen Wendzel, the code 'creates profiles for every user who does an execve() syscall on obsd systems.'"
Comment removed (Score:5, Interesting)
Re:...noexec/ro on partitions... (Score:3, Interesting)
Does it log activity? (Score:4, Interesting)
He mentions that it sets a threshhold of user activity, such as using too many new programs within a limited space of time.
Any indication that it does some sort of observation of user activity (think bayesian learning for spam filters) to build profiles which, if exceeded by too high a metric within too short a time, would also trigger a log error?
Re:...noexec/ro on partitions... (Score:3, Interesting)
Taking this a step further, if it was not for the performance problem, could you not just put the executables on a CD (in a read-only drive of course), which could be updated only by having physical access, and a suitably equipped PC with writer to to the update.
Or, would this cause some undesireable effect as a result of configuring the OS to boot from CD?
Thinking a bit more, how about putting the lot in flash with the write disabled in hardware (keyswitch for example)? Would that achieve the same effect, or at least something useful?