Fuzzy Userprofile IDS 2 0.8.5
fupids2 is a so-called human oriented IDS based on the FUPIDS project.
FUPIDS is able to detect accounts used by attackers who overtook such an account.
But FUPIDS ran in OpenBSDs Kernelspace and was never applyed in the kernel-code, so i wrote fupids2 as an userspace-version of FUPIDS. I tested fupids2 on Slackware-linux and OpenBSD but it is still beta.
But fupids2 has more features as FUPIDS had. fupids2 calculates an attacker level for every user on all linux/bsd (and hopefully unix systems too) in your network. fupids2 does not only use the tool-using-behavior of every user like FUPIDS did, it also knows about the buildings and rooms an user normaly uses.
fupids2 knows if the user prefers to sit near the window, near the floor or in the backside of the workstation-rooms. But this is not all: fupids2 knows at which times the user is normaly logged into the systems. All these things are included in the (beta) caluclation of the attacker level.
Here are some key features of "Fuzzy Userprofile IDS":
· FUPIDS calculates an "attacker level" for every user on your system. It will alert you via syslog if the attacker levels becomes too high and uses an own logfile too.
· FUPIDS has a profile of used programmes for every user. If an user uses to much new programms in a short time, the attacker level raise. this is because an attacker could overtake the account of this user and now uses some new compiled exploits or an editor the normal user never starts.
· fupids2 has an improved attacker-level calculation system (beta) that includes the following things too (and not only the program-using-behavior of the user):
· the time, the user normaly is logged in. fupids can detect if the user was never logged in for a special time before
· the building, etage and room the user is normaly logged in from. if this behavior will change: fupids will detect it.
· fupids knows if the user normaly sits in front, middle or back of a room and if he sits in the window, middle or floor-side of a room. if this will change: fupids will detect it too.
· fupids2 is able to collect network-wide data using the client-shellscript (included in the .tgz-file) and ssh
What's New in This Release:
· This release includes the 'day of the week' input in the calculation of the attacker level.
· It can detect accounts that are used on unusual days in this way.