Re: CRIME A step ahead for IDS?

From: Crispin Cowan (crispin@private)
Date: Sat Oct 12 2002 - 12:02:17 PDT

    Yeah, I saw this article on Slashdot. It is a big joke.
    
    The concept they are "introducing" is called "user profiling", and it is 
    at least 20 years old. It is also at least as problematic as any other 
    style of intrusion detection. Unless your users have very rigid 
    behavior, this is going to be a far bigger mess than things like NIDS.
    
    Avoid at all possible costs, unless you are running a data sweat shop.
    
    Crispin
    
    Jimmy S. wrote:
    
    >Software predicts user behaviour to stop attacks
    >
    >
    >14:55 11 October 02
    >
    >NewScientist.com news service
    >
    >New computer-monitoring software designed to second-guess the intentions of
    >individual system users could be close to perfect at preventing security
    >breaches, say researchers.
    >
    >Existing systems usually monitor the data flowing through whole networks and are
    >typically between 60 and 80 per cent reliable, the researchers say. Tests
    >simulating inside attacks indicate that the new software would be up to 94 per
    >cent reliable once implemented.
    >
    >The software generates a profile for each individual on a network by analysing
    >the specific commands they enter at their terminal. It then monitors their
    >activity and sounds the alarm on detecting suspicious behaviour. The finished
    >product will do this in real time.
    >
    >Monitoring simple user commands rather than network traffic means alarm settings
    >can be different for each user, increasing security. It also is much less
    >computationally intensive, according to Ramkumar Chinchani at Buffalo
    >University, who is developing the system with Shambhu Upadhyaya and colleagues.
    >This means more data can be analysed, allowing larger systems to be monitored in
    >real time.
    >
    >
    >Shrinking boundary
    >
    >
    >Whereas other real-time security systems define suspicious behaviour according
    >to a fixed set of rules, Chinchani says the new system would continually adjust
    >its view of normal and abnormal behaviour. Each time a user steps outside the
    >boundary of normal activity, the boundary would be drawn in for the next time,
    >he says.
    >
    >"Once they step out of a region, it is either an intrusion or it is
    >indeterminate," Chinchani told New Scientist. "We try to shrink this diffuse
    >region as soon as possible."
    >
    >The researchers believe the system would work wherever user activity is fairly
    >uniform, suggesting it would be well suited to high security military
    >installations.
    >
    >Bruce Schneier, head of US computer security firm Counterpane, says the research
    >is interesting but warns that a 94 percent success rate would be useless at
    >maintaining good security on its own.
    >
    >Chinchani admits that the real test will come when a fully functional system has
    >been developed. This will take another five months, he thinks: "Preliminary
    >experiments may not reflect any real world environment, so the success rate may
    >end up being higher or lower."
    >
    >The new system was outlined in a research paper presented at the military
    >conference MILCOM 2002, in California on 10 October.
    >
    >http://www.newscientist.com/news/news.jsp?id=ns99992913
    >
    >
    >================================================
    >Jimmy Sadri  CISSP,                                            jimmys@private
    >CCNP, CCDA, MCSA/MCSE
    >Systems Administrator/Webmaster                  webmaster@private
    >Network Engineer/Security Consultant                           360-992-0525
    >Myesn.com
    >
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
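The article quoted above describes the approach only in outline: build a profile per user from the commands they type, raise an alarm when a session falls outside that user's normal region, and tune the alarm setting per user. The following is an added example written for this archive page, not code from the Buffalo researchers or from either poster. It models each user's profile as a smoothed frequency distribution over command words, scores a session by its mean surprise, and derives a per-user alarm threshold from the training sessions. The user names, command sessions and the 0.5 margin are constructed for illustration. The third test case, an administrator doing legitimate but previously unseen work, shows the false-positive problem the reply above raises for users whose behaviour is not rigid.

```python
import math
from collections import Counter

# Constructed training data: shell command lines typed by two hypothetical users.
# These sessions are made up for this example; they are not data from the study
# described in the quoted article.
TRAINING = {
    "clerk": [
        ["ls", "cd reports", "cat q3.txt", "lpr q3.txt", "logout"],
        ["ls", "cd reports", "vi q3.txt", "lpr q3.txt", "logout"],
        ["cd reports", "ls", "cat q2.txt", "logout"],
    ],
    "admin": [
        ["ps aux", "tail /var/log/messages", "vi /etc/hosts", "kill 1234"],
        ["ls", "du -sh /home", "tar czf backup.tgz /home", "logout"],
        ["netstat -an", "grep sshd /var/log/auth.log", "less README"],
    ],
}


def command_name(line):
    """Command word of a shell line ('cat' from 'cat q3.txt'); arguments are ignored."""
    parts = line.split()
    return parts[0] if parts else ""


class UserProfile:
    """Per-user model of which command words the user habitually types."""

    def __init__(self, user):
        self.user = user
        self.counts = Counter()
        self.total = 0
        self.threshold = None

    def train(self, session):
        # Adding a session (initial training, or a session later confirmed benign)
        # widens what counts as normal for this user.
        for line in session:
            self.counts[command_name(line)] += 1
            self.total += 1

    def surprise(self, cmd):
        # Laplace-smoothed -log2 P(cmd | user): never-seen command words score highest.
        vocab = len(self.counts) + 1           # +1 reserves probability mass for unseen words
        p = (self.counts[cmd] + 1) / (self.total + vocab)
        return -math.log2(p)

    def score_session(self, session):
        """Mean surprise per command; larger means the session looks less like this user."""
        cmds = [command_name(line) for line in session]
        return sum(self.surprise(c) for c in cmds) / len(cmds)

    def fit_threshold(self, sessions, margin=0.5):
        # Per-user alarm setting: the worst in-sample training score plus a margin.
        # Scoring training data against itself is optimistic; a real deployment would
        # hold sessions out, but this suffices to show that thresholds differ per user.
        self.threshold = max(self.score_session(s) for s in sessions) + margin
        return self.threshold

    def classify(self, session):
        score = self.score_session(session)
        return ("ALERT" if score > self.threshold else "ok"), score


def build_profiles(training):
    profiles = {}
    for user, sessions in training.items():
        prof = UserProfile(user)
        for s in sessions:
            prof.train(s)
        prof.fit_threshold(sessions)
        profiles[user] = prof
    return profiles


def demo():
    profiles = build_profiles(TRAINING)
    return {
        # Clerk behaving as usual: stays inside the learned region.
        "clerk_normal": profiles["clerk"].classify(
            ["ls", "cd reports", "cat q3.txt", "lpr q3.txt", "logout"]),
        # Clerk suddenly issuing the administrator's kind of commands: alarms.
        "clerk_unusual": profiles["clerk"].classify(
            ["ps aux", "tail /var/log/messages", "kill 1234"]),
        # Administrator doing legitimate but previously unseen work: also alarms.
        # This is the false positive a user with varied behaviour produces.
        "admin_new_task": profiles["admin"].classify(["lsof -i", "dmesg", "ls"]),
    }


if __name__ == "__main__":
    for name, (status, score) in demo().items():
        print(f"{name:15s} {status:5s} score={score:.2f}")
```

Only the command word is modelled here, so the profile is small and cheap to evaluate, which is the computational advantage the article claims; the price is that the admin's ordinary variety of tasks looks as anomalous as the clerk's genuinely out-of-character session, and every such alarm needs a human to decide whether it is an intrusion or just new work.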
    
    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 12:58:43 PDT