Check www.cfengine.org, it is not an IDS, but may bring to you some extra ideas, it's a massive configuration management tool, but it also have a great anomaly detection tool (at OS level off course), and there's also an anomaly detection project in an advanced state. Maybe you can grab some cool ideas from there.
BTW, good luck with you project! Ch.- [EMAIL PROTECTED] wrote: > hello, > im a computer science student and i have to do my graduation project > next > semester, i want to do it on anomaly IDS's. i have searched the > internet and > found little on that subject,here are my ideas on how to implement a > network > anomaly IDS,please correct me where im wrong or if u have any other > references or ideas i would be happy to hear from you: > the IDS will have 2 stages;first it will study the network traffic and > build > some kind of a database that keeps what should be marked as 'safe' and > after > collecting enough information it should start running and issue alerts > when > anomalies happen(network data will be compared to the database built in > the > first stage),this is the data im going to collect: > 1-information about each hostname,IP address,and MAC address.(i think > this > should stop ARP Poisoning attacks by comparing later traffic to the > database > of MAC addresses associated with IP addresses) > 2-ports open on each host and ports that each host connects to.the IDS > should issue an alert if the host opens a port which wasnt open before > or > tries to connect to a new port; with this i think that exploits that > use > bind or connectback shellcode should be stopped. > 3-times each host uses the network and which usernames it uses to > connect to > network resources; this should enable the IDS to detect if someone else > is > using the computer or using a different username. > > this is it :) i know that this is not near enough and that is why im > sending > this email, for example if someone uses an upload/exec shellcode in an > exploit i dont think that the IDS will detect it, or if a trojan > connects to > a common port(for example port 80) the IDS won't notice it. > another thing i want is to minimize false positives,which is an > important > thing.the main aim of the IDS will be to stop 0day attacks from > happening, > so if anyone has any ideas or any references i would really appreciate > it. > thank you, > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
