kspids

A kernel-based IDS for Linux. KSPIDS monitors especially system calls.

https://github.com/cdpxe/kspids

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.8%) to scientific vocabulary

Keywords

anomaly-detection hids host-monitoring ids information-forensics information-security intrusion-detection kernel kernel-hardening kernel-module linux linux-hardening linux-kernel linux-kernel-module linux-security linux-security-module monitoring security-hardening security-tools user-monitoring
Last synced: 4 months ago

Repository

Basic Info
Statistics
  • Stars: 2
  • Watchers: 2
  • Forks: 1
  • Open Issues: 1
  • Releases: 0
Created almost 6 years ago · Last pushed over 1 year ago
Metadata Files
Readme License Citation

README.md

KSPIDS

PoC code for a simple user-based intrusion detection system for the Linux kernel. I wrote this code as an undergraduate student in 2008. It was designed for Linux 2.6. I hope it is still of use. More of my research projects and papers can be found on my website.

KSPIDS stands for Kernel Service Profile Intrusion Detection System. It is a kernel code patch for Linux systems that monitors the programs a service user (e.g. www-data) uses. It alerts you if - for example - your www-data user now executes something like /bin/sh. Please note that KSPIDS is based on my other project FUPIDS.

Features

Here is a list of KSPIDS' features:

  • KSPIDS calculates an attacker level for every user (with uid 1...999) on your system. It will alert you via syslog if the attacker level becomes high.
  • KSPIDS keeps a profile of the executables each service account uses. If such a user starts too many new programs within a short time, the attacker level rises. This is done because an attacker could take over a user's account and then run newly compiled exploits or an editor the normal user never starts.
  • If a user who never did anything before (for example uucp) is now active on your system, KSPIDS will notice and report it.
  • An attacker cannot kill the KSPIDS system because it is kernel code. Nor can the attacker unload it as a loadable kernel module (LKM), because the code is compiled directly into the Linux kernel.
  • KSPIDS is transparent for users, i.e. no user will notice the presence of KSPIDS.
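The profile and attacker-level logic described above, written as an added user-space model (this is not the project's kernel patch): each service uid gets a set of learned executables and a level that grows on unseen programs, sinks with time, and trips a syslog-style alert at a threshold. The profile size, per-program increment, decay rate, threshold and the uid 27 used in the sample run are assumptions.

```c
/* Added example, not the project's kernel code: a user-space model of the
 * KSPIDS idea (per-uid executable profile plus a decaying attacker level).
 * Profile size, level increments, decay rate and threshold are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_UID       1000 /* KSPIDS profiles service accounts, uid 1..999 */
#define MAX_PROGS     16   /* assumed: executables remembered per profile */
#define NEW_PROG_COST 10   /* assumed: level gained per never-seen program */
#define DECAY_PER_SEC 1    /* assumed: level lost per second of normal use */
#define ALERT_LEVEL   25   /* assumed: level at which syslog would be written */
struct profile {
    char progs[MAX_PROGS][64]; /* learned executables */
    int  nprogs, level;
    long last_seen;            /* 0 = uid has never executed anything */
};
static struct profile profiles[MAX_UID];
enum verdict { IGNORED, NORMAL, NEW_PROG, FIRST_ACTIVITY, ALERT };
/* Feed one exec event (uid, path, unix time); return what a hook would log. */
enum verdict kspids_exec(unsigned uid, const char *path, long now)
{
    struct profile *p;
    int i, known = 0;
    enum verdict v = NORMAL;
    if (uid < 1 || uid >= MAX_UID)  /* root and regular users are not profiled */
        return IGNORED;
    p = &profiles[uid];
    if (p->last_seen == 0) {        /* the "uucp is suddenly active" case */
        v = FIRST_ACTIVITY;
    } else {                        /* normal behaviour lets the level sink */
        p->level -= (int)((now - p->last_seen) * DECAY_PER_SEC);
        if (p->level < 0) p->level = 0;
    }
    p->last_seen = now;
    for (i = 0; i < p->nprogs; i++)
        if (strcmp(p->progs[i], path) == 0) { known = 1; break; }
    if (!known) {                   /* new program: learn it and raise the level */
        if (p->nprogs < MAX_PROGS)
            strncpy(p->progs[p->nprogs++], path, 63);
        p->level += NEW_PROG_COST;
        if (v == NORMAL) v = NEW_PROG;
    }
    if (p->level >= ALERT_LEVEL) {  /* what the kernel code would send to syslog */
        printf("kspids: uid %u reached attacker level %d executing %s\n", uid, p->level, path);
        return ALERT;
    }
    return v;
}
/* Current attacker level of a uid (-1 if outside the profiled range). */
int kspids_level(unsigned uid) { return (uid >= 1 && uid < MAX_UID) ? profiles[uid].level : -1; }
```

Feeding a constructed sequence such as mysqld, mysqld, /bin/sh, /bin/echo one second apart for uid 27 crosses the threshold on the fourth event, and a later mysqld run shows the level back at zero.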

Installation

Patch your kernel with the KSPIDS patch, activate the option "Security / KSPIDS" in your kernel configuration, recompile the kernel, and boot it. Make sure to back up your previous kernel and that you can still boot it, in case something goes wrong.

Results

You need to calibrate KSPIDS via kspids.c. If you skip this step, you may see too many attack warnings or none at all.

Demo output

Here you can see a typical simulated attack: the user mysql (used to run the MySQL database daemon) was "exploited" and can now execute something like /bin/echo, which makes KSPIDS print new log messages:

Here you can see how the attacker level decreases after some time due to "normal" behavior:

Owner

  • Name: Steffen Wendzel
  • Login: cdpxe
  • Kind: user
  • Location: Worms, Germany

Professor at HS Worms, author of several books on InfoSec and Linux. OSS developer. #Networking #BSD #InformationHiding #Steganography #ReplicationStudies

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
- family-names: "Wendzel"
  given-names: "Steffen"
  orcid: "https://orcid.org/0000-0002-1913-5912"
title: "KSPIDS: Kernel Service Profile Intrusion Detection System"
version: 1.0.0
date-released: 2008-05-09
url: "https://github.com/cdpxe/KSPIDS"
preferred-citation:
  type: software
  authors:
  - family-names: "Wendzel"
    given-names: "Steffen"
    orcid: "https://orcid.org/0000-0002-1913-5912"
  title: "KSPIDS: Kernel Service Profile Intrusion Detection System"
  year: 2008

GitHub Events

Total
  • Fork event: 1
Last Year
  • Fork event: 1

Committers

Last synced: 5 months ago

All Time
  • Total Commits: 7
  • Total Committers: 1
  • Avg Commits per committer: 7.0
  • Development Distribution Score (DDS): 0.0
Past Year
  • Commits: 1
  • Committers: 1
  • Avg Commits per committer: 1.0
  • Development Distribution Score (DDS): 0.0
Top Committers
Name Email Commits
Steffen Wendzel c****e 7

Issues and Pull Requests

Last synced: 4 months ago

All Time
  • Total issues: 1
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 1
  • Total pull request authors: 0
  • Average comments per issue: 1.0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • jhjacobs81 (1)