qad

QNX anomaly detector

Syntax:

qad conf_file

Runs on:

QNX Neutrino

Options:

conf_file
The full path to the configuration file for the anomaly detector.

Description:

The anomaly detection utility first learns the expected runtime behavior of the system and derives a system signature from it, then monitors the running system for deviations from that signature. An unexpected change in behavior can indicate that an unauthorized party is accessing the system, possibly in preparation for exploiting it. Because detection is based on deviation from the learned baseline rather than on a known attack pattern, the detector can flag activity that a signature-based check would otherwise overlook.

Before anomalies can be detected, the expected normal behavior of the system must be captured and defined. During this training step, the anomaly detector observes the operating system at runtime, guided by the configuration file: it monitors the processes listed there and learns how each is expected to behave. This auto-training yields a system profile that the utility then uses to recognize abnormalities. Because whatever the detector sees during training becomes its definition of normal, train on a known-good system that is exercising its full expected workload; any behavior present during training (including an attacker's) is accepted as normal afterward.

Components of the system calls (such as the process identifiers of the sender and receiver) are hashed into the profile, which the utility uses on the current target. If you copy the profile to a new target, the utility loads it automatically and uses it on that target. Because the profile defines what the detector accepts as normal, protect the directory it is stored in (see prof_path below) from modification by untrusted processes.

The detector compares the state of the running system against its expected state (the system signature). Anomalous behavior includes illegal changes that merit your attention, such as those made by an attacker, and that call for countermeasures.

The qad utility places information into the following PPS objects:
control
Reserved for future use.
status
Overall status.
  • anom_count: Reserved for future use.
  • pid_X: The state of process X.
  • proc_anom: Reserved for future use.
  • state: Always set to running.
PID
A PPS object is created for each monitored process, and the PID of the process is used as the object name.
  • anomalies: The number of anomalies detected.
  • frozen: Yes, if the profile is frozen (training is complete). Otherwise, no.
  • last_mod_count: The number of system calls since last modification.
  • locality: Reserved for future use.
  • normal_count: The value of train_count minus last_mod_count. This number is used to decide when the training is complete.
  • path: The path to the binary.
  • sequences: Training sequences that have been seen.
  • state: Current state of the process.
  • time_to_normal: Reserved for future use. Always set to 1000.
  • train_count: The number of system calls seen during training.
Note:
  • You must be root to run this utility, and you must launch it from a terminal window after the system has rebooted.
  • You can't trace events (for example, with the tracelogger utility) and watch for anomalies at the same time, because both rely on the same underlying mechanism.
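The per-process PPS counters above (train_count, last_mod_count, normal_count, frozen, anomalies, sequences, state) describe a sliding-window profile of system-call sequences. The following is an added example, not qad's own code, that models that training, freeze and detection cycle on constructed call traces so you can see how the counters move. The hashing scheme (SHA-256 over the joined call names of one window), the call names, the freeze rule (no new sequence for normal_wait seconds) and the function names are this example's assumptions; the real utility's internals are not documented on this page.

```python
import hashlib
from collections import deque

# Constructed traces (not captured from a real QNX system): a repeating
# 10-call service loop, then four calls standing in for attacker activity.
NORMAL_CYCLE = ["MsgReceive", "MsgRead", "ClockTime", "MsgReply", "TimerTimeout",
                "SyncMutexLock", "SyncMutexUnlock", "MsgSend", "SchedYield", "SignalWait"]
ATTACK_CALLS = ["ConnectAttach", "MsgSendv", "ConnectDetach", "SignalKill"]


def window_hash(window):
    """Hash one win_size-long window of call names into a profile entry.
    qad hashes components of the calls; hashing the joined names is this
    example's assumption about the scheme."""
    return hashlib.sha256("|".join(window).encode()).hexdigest()


class ProcessProfile:
    """Model of one monitored process, exposing the counters qad publishes
    under the per-PID PPS object."""

    def __init__(self, path, win_size=8, normal_wait=180.0):
        if not 8 <= win_size <= 32:
            raise ValueError("win_size must be between 8 and 32")
        self.path = path
        self.win_size = win_size
        self.normal_wait = normal_wait      # seconds without new behavior before freezing
        self.window = deque(maxlen=win_size)
        self.sequences = set()              # hashed windows seen during training
        self.train_count = 0                # calls seen during training
        self.last_mod_count = 0             # calls since the profile last changed
        self.last_mod_ts = None
        self.anomalies = 0
        self.frozen = False

    @property
    def normal_count(self):
        return self.train_count - self.last_mod_count

    @property
    def state(self):
        return "normal" if self.frozen else "training"

    def observe(self, call, ts):
        """Feed one system call made at time ts (seconds).
        Returns 'training', 'ok' or 'anomaly'."""
        self.window.append(call)
        if len(self.window) < self.win_size:
            return "training"               # window not yet full
        h = window_hash(self.window)
        if self.frozen:
            if h in self.sequences:
                return "ok"
            self.anomalies += 1
            return "anomaly"
        self.train_count += 1
        if h in self.sequences:
            self.last_mod_count += 1
        else:
            # New behavior: extend the profile and restart the normal_wait timer.
            self.sequences.add(h)
            self.last_mod_count = 0
            self.last_mod_ts = ts
        if ts - self.last_mod_ts >= self.normal_wait:
            self.frozen = True              # quiet for normal_wait: profile complete
        return "training"

    def status(self):
        """The per-PID PPS attributes as a dict."""
        return {
            "anomalies": self.anomalies,
            "frozen": "yes" if self.frozen else "no",
            "last_mod_count": self.last_mod_count,
            "normal_count": self.normal_count,
            "path": self.path,
            "sequences": len(self.sequences),
            "state": self.state,
            "train_count": self.train_count,
        }


def run_demo(normal_wait=180.0):
    """Train on 30 repetitions of the service loop (one call per second),
    then replay the attacker calls. Returns the profile and the verdicts
    for the attacker calls."""
    profile = ProcessProfile("proc/boot/io-bluetooth", win_size=8, normal_wait=normal_wait)
    benign = NORMAL_CYCLE * 30
    for ts, call in enumerate(benign):
        profile.observe(call, float(ts))
    verdicts = [profile.observe(call, float(len(benign) + k))
                for k, call in enumerate(ATTACK_CALLS)]
    return profile, verdicts


if __name__ == "__main__":
    prof, verdicts = run_demo()
    print(prof.status(), verdicts)                    # frozen, 4 anomalies
    prof, verdicts = run_demo(normal_wait=1000.0)     # never freezes: attack is learned
    print(prof.status(), verdicts)
```

With the default normal_wait the profile freezes once the loop has been quiet for 180 seconds and every attacker window is reported. The second call shows the training caveat from the Description: with a normal_wait longer than the training run, the profile never freezes, the four attacker windows are simply added to sequences, and nothing is ever flagged.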

Configuration file settings:

The configuration file for the anomaly detector supports the following options:

buf_size
Reserved for future use. Set to 64.
win_size
The size, in bytes, of the sliding window used to track events, from 8 to 32. The default is 8.
mon_list
The list of processes to observe. Each entry requires the fields id, type, win_size, and notify; the desc field is optional.
exl_list
Reserved for future use. Set to an empty list ([ ]). Note that the example configuration file below spells this key exc_list; use the spelling that your release of the utility accepts.
prof_path
The full path to the generated qad profile data.
notify
Reserved for future use. Set to 1.
normal_wait
The time, in seconds, that the system must be monitored without any new behavior appearing before its signature is considered complete. Set it long enough to cover a full cycle of the system's expected behavior. If abnormal (previously unseen) behavior is detected during the wait, the timer resets to zero and the wait starts over. This information is used in building the system signature. The default is 180 seconds.
id
A field of each mon_list entry that identifies a process to monitor.
type
A field of each mon_list entry that gives the kind of identifier in the id field. Type 2, meaning that id contains a path, is the only type supported.
desc
An optional field of each mon_list entry for notes; for example, to describe why you are observing this process (255 characters or less).

Example:

The following is an example of a configuration file, ad.conf, for the anomaly detector:

{
    "buf_size": 64,
    "win_size": 8,
    "mon_list": [
        {
            "id": "proc/boot/io-bluetooth",
            "type": 2,
            "desc": "something",
            "win_size": 8,
            "notify": 1
        },
        {
            "id": "proc/boot/btman",
            "type": 2,
            "desc": "something",
            "win_size": 8,
            "notify": 1
        }
    ],
    "exc_list": [
    ],
    "prof_path": "/home/myqnx6/qad_rootdir",
    "notify": 1,
    "normal_wait": 180
}
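A mistake in this file (an unsupported type, a win_size outside 8 to 32, a missing required field) is easy to make and not obvious from the file itself. The following is an added example, not part of qad, that checks a configuration against the constraints documented in the settings list above: required mon_list fields, type 2 only, win_size from 8 to 32, a full prof_path, the reserved values of buf_size and notify, and a positive normal_wait. It accepts either spelling of the exclusion-list key (exl_list as in the settings list, exc_list as in the sample file) since the page uses both. The problem messages and function names are this example's own; GOOD_CONF is the page's ad.conf and BAD_CONF is a constructed file with several faults.

```python
import json

REQUIRED_ENTRY_FIELDS = ("id", "type", "win_size", "notify")


def _win_size_ok(value):
    """True for an integer in the documented 8..32 range (bool excluded)."""
    return isinstance(value, int) and not isinstance(value, bool) and 8 <= value <= 32


def validate_config(text):
    """Parse a qad configuration (JSON text) and return a list of problems;
    an empty list means every documented constraint is satisfied."""
    problems = []
    cfg = json.loads(text)
    if cfg.get("buf_size") != 64:
        problems.append("buf_size is reserved and must be set to 64")
    if not _win_size_ok(cfg.get("win_size", 8)):
        problems.append("win_size must be an integer from 8 to 32")
    # Accept either spelling of the reserved exclusion list, but insist it is empty.
    excl_keys = [k for k in ("exl_list", "exc_list") if k in cfg]
    if not excl_keys:
        problems.append("exl_list is missing (reserved; set to [])")
    for key in excl_keys:
        if cfg[key] != []:
            problems.append(f"{key} is reserved and must be []")
    prof_path = cfg.get("prof_path")
    if not isinstance(prof_path, str) or not prof_path.startswith("/"):
        problems.append("prof_path must be the full path to the profile directory")
    if cfg.get("notify") != 1:
        problems.append("notify is reserved and must be set to 1")
    normal_wait = cfg.get("normal_wait", 180)
    if (isinstance(normal_wait, bool) or not isinstance(normal_wait, (int, float))
            or normal_wait <= 0):
        problems.append("normal_wait must be a positive number of seconds")
    entries = cfg.get("mon_list")
    if not isinstance(entries, list) or not entries:
        problems.append("mon_list must list at least one process")
        return problems
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_ENTRY_FIELDS if f not in entry]
        if missing:
            problems.append(f"mon_list[{i}]: missing required field(s) {', '.join(missing)}")
        if "id" in entry and (not isinstance(entry["id"], str) or not entry["id"]):
            problems.append(f"mon_list[{i}]: id must be a non-empty path string")
        if "type" in entry and entry["type"] != 2:
            problems.append(f"mon_list[{i}]: type must be 2 (id is a path); no other type is supported")
        if "win_size" in entry and not _win_size_ok(entry["win_size"]):
            problems.append(f"mon_list[{i}]: win_size must be an integer from 8 to 32")
        desc = entry.get("desc")
        if desc is not None and (not isinstance(desc, str) or len(desc) > 255):
            problems.append(f"mon_list[{i}]: desc must be a string of at most 255 characters")
    return problems


# The page's own ad.conf, reproduced as a string.
GOOD_CONF = """{
    "buf_size": 64, "win_size": 8,
    "mon_list": [
        {"id": "proc/boot/io-bluetooth", "type": 2, "desc": "something", "win_size": 8, "notify": 1},
        {"id": "proc/boot/btman", "type": 2, "desc": "something", "win_size": 8, "notify": 1}
    ],
    "exc_list": [],
    "prof_path": "/home/myqnx6/qad_rootdir", "notify": 1, "normal_wait": 180
}"""

# Constructed file with five faults: win_size 4, an unsupported type, a
# missing notify field, a relative prof_path and a zero normal_wait.
BAD_CONF = """{
    "buf_size": 64, "win_size": 4,
    "mon_list": [{"id": "proc/boot/btman", "type": 1, "win_size": 8}],
    "exc_list": [],
    "prof_path": "qad_rootdir", "notify": 1, "normal_wait": 0
}"""

if __name__ == "__main__":
    print("ad.conf:", validate_config(GOOD_CONF) or "ok")
    for problem in validate_config(BAD_CONF):
        print("bad.conf:", problem)
```

Run this on the host against the file before copying it to the target; qad itself reports nothing about a configuration it cannot use beyond what appears in its PPS status object.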