doomed-reality.org

fupids2

fupids2 overview

FUPIDS stands for Fuzzy Userprofile Intrusion Detection System. fupids2 is a child of the FUPIDS project and is based on its idea.

FUPIDS is able to detect accounts that have been taken over by attackers. But FUPIDS ran in OpenBSD's kernel space and was never merged into the kernel code, so I wrote fupids2 as a userspace version of FUPIDS.

But fupids2 has more features than FUPIDS. fupids2 calculates an attacker level for every user on all Linux/BSD (and hopefully other Unix) systems in your network. fupids2 does not only use each user's tool-usage behaviour as FUPIDS did; it also knows the buildings and rooms a user normally works from. fupids2 knows whether the user prefers to sit near the window, near the corridor (hallway), or at the back of the workstation room. And this is not all: fupids2 knows at which times the user is normally logged into the systems. All of these things go into the (beta) calculation of the attacker level.

Features

fupids2 supports most of FUPIDS' features and adds a lot of new ones:

  • FUPIDS calculates an "attacker level" for every user on your system. It alerts you via syslog if a user's attacker level becomes too high, and also writes its own log file.
  • FUPIDS keeps a profile of the programs used by every user. If a user runs too many new programs in a short period of time, the attacker level rises, because an attacker who has taken over this user's account may now be running freshly compiled exploits, or an editor the legitimate user never starts.
  • fupids2 has an improved attacker-level calculation (beta) that also takes the following into account (not only the user's program-usage behaviour):
    • the times at which the user is normally logged in. fupids can detect when the user has never before been logged in at a particular time
    • the building, floor and room the user is normally logged in from. If this changes, fupids detects it.
    • fupids knows whether the user normally sits at the front, middle or back of a room, and whether they sit on the window, middle or corridor (hallway) side. If this changes, fupids detects it too.
  • fupids2 can collect network-wide data using the client shell script (included in the .tgz file) and ssh.
  • fupids2 includes a script called fupidslog2html that generates a useful HTML analysis of the log.
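To make the idea behind the list above concrete, here is a small added Python sketch. It is not fupids2's own code, and fupids2's real calculation is not documented on this page: the record format, the weights, the 10-minute "burst" window and the alert threshold are all assumptions chosen for the demonstration. It learns a per-user profile (programs, hours of day, building/floor/room, seat position) from constructed training records, then scores a later session by how far it departs from that profile: a normal morning session scores 0, while a 3 a.m. session from another building with three never-seen programs in a few minutes crosses the alert threshold.

```python
"""Illustrative user-profile scoring in the spirit of fupids2 (constructed example,
not fupids2's own code; log format, weights and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Profile:
    """What the training period taught us about one user."""
    programs: set = field(default_factory=set)  # commands the user normally runs
    hours: set = field(default_factory=set)     # hours of day the user is normally active
    rooms: set = field(default_factory=set)     # building/floor/room the user works from
    seats: set = field(default_factory=set)     # e.g. front-window, back-corridor

# Constructed records: "ISO timestamp  user  program  building/floor/room  seat"
TRAINING_LOG = """
2006-03-01T09:12:00 alice vim  A/2/204 front-window
2006-03-01T09:15:00 alice gcc  A/2/204 front-window
2006-03-01T10:40:00 alice make A/2/204 front-window
2006-03-02T11:05:00 alice ssh  A/2/204 front-window
2006-03-02T14:20:00 alice gcc  A/2/204 front-window
2006-03-03T10:00:00 alice vim  A/2/205 front-window
"""
# A session that looks like alice's usual work ...
NORMAL_SESSION = """
2006-03-04T09:20:00 alice vim  A/2/204 front-window
2006-03-04T09:25:00 alice make A/2/204 front-window
"""
# ... and one at 3 a.m., from another building and seat, with several never-seen programs.
SUSPICIOUS_SESSION = """
2006-03-04T03:10:00 alice emacs B/1/110 back-corridor
2006-03-04T03:12:00 alice tar   B/1/110 back-corridor
2006-03-04T03:14:00 alice perl  B/1/110 back-corridor
2006-03-04T03:30:00 alice vim   B/1/110 back-corridor
"""

# Assumed weights and thresholds (chosen for this demonstration, not fupids2's).
W_NEW_PROGRAM = 1                    # each distinct program never run by this user before
W_BURST, BURST_COUNT = 5, 3          # extra once BURST_COUNT new programs appear ...
BURST_WINDOW = timedelta(minutes=10) # ... within this window (the "short period" above)
W_UNUSUAL_HOUR = 3                   # activity in an hour of day never seen for this user
W_UNUSUAL_ROOM = 4                   # login from a room never seen for this user
W_UNUSUAL_SEAT = 2                   # seating position never seen for this user
ALERT_THRESHOLD = 10                 # level at which a real system would alert via syslog

def parse_log(text):
    """Turn the whitespace-separated records above into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, program, room, seat = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "program": program, "room": room, "seat": seat})
    return events

def build_profiles(events):
    """Learn one Profile per user from training events."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e["user"]]
        p.programs.add(e["program"]); p.hours.add(e["ts"].hour)
        p.rooms.add(e["room"]); p.seats.add(e["seat"])
    return dict(profiles)

def attacker_level(profile, events):
    """Score one session against a profile; returns (level, list of reasons)."""
    level, reasons, burst_flagged = 0, [], False
    new_seen = []                                   # (first-seen time, program) of new programs
    counted = {"hour": set(), "room": set(), "seat": set()}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["program"] not in profile.programs and e["program"] not in [n for _, n in new_seen]:
            new_seen.append((e["ts"], e["program"]))
            level += W_NEW_PROGRAM
            reasons.append(f"new program {e['program']}")
            recent = [t for t, _ in new_seen if e["ts"] - t <= BURST_WINDOW]
            if len(recent) >= BURST_COUNT and not burst_flagged:   # many new tools, fast
                burst_flagged = True
                level += W_BURST
                reasons.append(f"{len(recent)} new programs within {BURST_WINDOW}")
        # Time, room and seat deviations are each counted once per distinct value.
        for key, value, known, weight in (("hour", e["ts"].hour, profile.hours, W_UNUSUAL_HOUR),
                                          ("room", e["room"], profile.rooms, W_UNUSUAL_ROOM),
                                          ("seat", e["seat"], profile.seats, W_UNUSUAL_SEAT)):
            if value not in known and value not in counted[key]:
                counted[key].add(value)
                level += weight
                reasons.append(f"unusual {key}: {value}")
    return level, reasons

def evaluate(user, session_text, training_text=TRAINING_LOG):
    """Profile the user from training data, then score one session."""
    profile = build_profiles(parse_log(training_text))[user]
    return attacker_level(profile, parse_log(session_text))

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        level, reasons = evaluate("alice", session)
        flag = "ALERT" if level >= ALERT_THRESHOLD else "ok"
        print(f"{name}: level {level} [{flag}]", *reasons, sep="\n  ")
```

The returned list of reasons is what you would want in the log file and the syslog alert: a bare number tells an admin little, whereas "3 new programs within 0:10:00" plus "unusual hour: 3" and "unusual room: B/1/110" is something they can act on. A real deployment would also need a training period long enough that the profile covers a user's legitimate variation (a new project, a new editor), otherwise the level rises on every harmless change.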

Supported Operating Systems

fupids2 should run on all POSIX-compatible systems. I always test each version under OpenBSD and Linux, but a few other people have also tested it under different operating systems. Here is a list of successfully tested operating systems and versions.

  • OpenBSD 3.0-3.8 (should work on 2.x too)
  • Linux 2.4 and 2.6 (older versions should work too)
  • NetBSD 2.0.2 and NetBSD 3.0 RC5
  • FreeBSD 6-Release
  • MacOSX 10.3.9
  • possibly: Win32+cygwin, Solaris 8/9/10 x86 (with GNU-make and g++) and Solaris Express

Documentation

  • fupids2 installation guide (included in the tgz file)
  • HoIDS and fupids2 presentation pdf
  • my paper about human-oriented IDS. NOTE: This paper describes the fupids-0.3beta version, not the current one; the calculation it describes is no longer the current one either.

Download

fupids2 v.0.8.5 is available as a gzipped tar archive at freshmeat.net: download