fupids2
FUPIDS stands for Fuzzy Userprofile Intrusion Detection System. fupids2 is a child of the FUPIDS project and is based on its idea.
FUPIDS is able to detect accounts that have been taken over by an attacker. But FUPIDS ran in the OpenBSD kernel space and was never applied
to the kernel code, so I wrote fupids2 as a userspace version of FUPIDS. I tested fupids2 on Slackware Linux and OpenBSD, but it is still beta.
fupids2 has more features than FUPIDS, though. fupids2 calculates an attacker level for every user on all Linux/BSD systems (and hopefully
other Unix systems too) in your network. fupids2 does not only use each user's tool-usage behavior like FUPIDS did; it also knows the buildings
and rooms a user normally works from. fupids2 knows whether the user prefers to sit near the window, near the corridor or in the back of the
workstation room. And this is not all: fupids2 knows at which times the user is normally logged into the systems. All these things are included
in the (beta) calculation of the attacker level.
Current News
19.12.2005 - I received an E-Mail from Steve Emms including grammar fixes for this website. Thank you!
16.12.2005 - fupids2-0.7beta is out. I implemented a neural network and an improved calculation algorithm. Now most of the
old calculation behavior is replaced. The detection values are much better now, and I also implemented a new database
file format for the users. I also improved the logging. There are now 5 different attacker levels from 0 (low) to 4
(high).
12.12.2005 - Jennifer Steffens wrote a news entry at snort.org about fupids2. And by the way, I found two
files: a paper and a presentation from Phillip G. Bradford (Univ. of Alabama) about 'proactive computer-system forensic' including
a few things about FUPIDS (not fupids2; I mean FUPIDS, the first version), which I have linked in my
weblog.
09.12.2005 - fupids2-0.5beta is out. The code should now compile under Win32+Cygwin and 'Solaris Express, Nevada Build 21 (SPARC)'
too, but I was unable to test it.
08.12.2005 - fupids2-0.4beta is out. I changed just the Makefile. It should now compile under MacOSX without problems too.
06.12.2005 - I'm very sorry, but I am an idiot and uploaded the old FUPIDS1 version
instead of fupids2 in the tgz package because I used the wrong directory as parameter
for tar... Now the current version of fupids2 is available!
04.12.2005 - Sebastian fixed some grammar errors in the documentation.
03.12.2005 - first release of fupids2.
Supported Operating Systems
fupids2 should run on all POSIX-compatible systems. I always test each version under OpenBSD and Linux, but a few other people have
also tested it under different operating systems. Here is a list of successfully tested operating systems and versions.
+ OpenBSD 3.0-3.8 (should work on 2.x too)
+ Linux 2.4 and 2.6 (older versions should work too)
+ NetBSD 2.0.2 and NetBSD 3.0 RC5
+ FreeBSD 6-Release
+ MacOSX 10.3.9
+ possibly: Win32+cygwin, Solaris 8/9/10 x86 (with GNU-make and g++) and Solaris Express
Features
(all listed features, including those inherited from FUPIDS, are supported by fupids2)
+ FUPIDS calculates an "attacker level" for every user on your system. It alerts you via syslog if a user's attacker
level becomes too high, and it also writes to its own logfile.
+ FUPIDS keeps a profile of the programs each user runs. If a user runs too many new programs in a short period of time, the attacker
level rises. The reason is that an attacker who has taken over the account may now run some newly compiled exploits, or an
editor the normal user never starts.
+ fupids2 has an improved attacker-level calculation system (beta) that also includes the following (and not only the
program-usage behavior of the user):
- the times at which the user is normally logged in. fupids2 can detect if the user has never before been logged in at a
particular time.
- the building, floor and room the user normally logs in from. If this behavior changes, fupids2 will detect
it.
- fupids2 knows whether the user normally sits in the front, middle or back of a room, and whether on the window, middle or
corridor side of the room. If this changes, fupids2 will detect it too.
+ fupids2 is able to collect network-wide data using the client shell script (included in the .tgz file) and ssh
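As an added illustration of how the three kinds of evidence listed above can be combined into a level from 0 (low) to 4 (high), here is a small profile-based scorer. It is not fupids2's own code (the real calculation is not described on this page); the point weights, the clamp to 0..4, the "learn only from low-level sessions" rule and the sample user data are assumptions of this example.

```python
# Added example, not fupids2's own code: the real calculation is not on this page,
# so the point weights and the 0..4 clamp below are assumptions.
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """What the IDS has learned about one user from earlier sessions."""
    known_programs: set = field(default_factory=set)  # tools the user normally runs
    login_hours: set = field(default_factory=set)     # hours of day (0-23) seen so far
    usual_room: str = ""                              # "building/floor/room"
    usual_seat: str = ""                              # e.g. "front-window", "back-corridor"

def attacker_level(profile, programs_run, login_hour, room, seat, new_prog_limit=3):
    """Score one session against the profile; returns (level 0..4, reasons)."""
    points, reasons = 0, []
    new_programs = set(programs_run) - profile.known_programs
    if new_programs:
        points += 1
        reasons.append(f"unknown programs: {sorted(new_programs)}")
    if len(new_programs) > new_prog_limit:
        points += 1  # many new tools at once, e.g. freshly compiled exploits
        reasons.append("burst of new programs")
    if profile.login_hours and login_hour not in profile.login_hours:
        points += 1
        reasons.append(f"login at hour {login_hour} never seen before")
    if profile.usual_room and room != profile.usual_room:
        points += 1
        reasons.append(f"login from {room}, usually {profile.usual_room}")
    elif profile.usual_seat and seat != profile.usual_seat:
        points += 1  # same room, but an unusual place in it
        reasons.append(f"seat {seat}, usually {profile.usual_seat}")
    return min(points, 4), reasons  # clamp to the five levels 0 (low) .. 4 (high)

def learn(profile, programs_run, login_hour, level):
    """Let only low-level sessions extend the profile, so an intruder's tools
    are not learned as normal behaviour."""
    if level <= 1:
        profile.known_programs.update(programs_run)
        profile.login_hours.add(login_hour)
    return profile

def demo():
    # Constructed sample data: alice normally works from one desk in room 205.
    alice = UserProfile({"bash", "vim", "gcc", "ssh"}, {9, 10, 11, 14, 15},
                        "b1/2/r205", "front-window")
    normal = attacker_level(alice, ["bash", "vim", "gcc"], 10, "b1/2/r205", "front-window")
    moved = attacker_level(alice, ["bash", "perl"], 14, "b1/2/r205", "back-corridor")
    taken = attacker_level(alice, ["bash", "./a.out", "gdb", "perl", "objdump"], 3,
                           "b3/0/r012", "back-corridor")
    return normal[0], moved[0], taken[0]  # returns (0, 2, 4)
```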
Documentation
+ fupids2 installation guide (included in the tgz-file)
+ my paper about human-oriented IDS. NOTE: This file describes
the fupids-0.3beta version and not the current one; the whole calculation described there is no longer the current one.
TODO-List
+ developing a Tcl/Tk GUI (or PHP) to make it easier for admins to find out which users currently have the highest attacker levels.
+ write a good and portable client
How you can help
+ my English is not very good. If you find errors in the documentation, website and so on, please tell me about them.
+ if you have ideas or wishes, tell me about them
Download
fupids2 v0.7-beta is available as a gzipped tar archive at freshmeat.net: download
(c) 2005 by steffen wendzel <cdp[@]doomed-reality[.]org>