QNX anomaly detector
Options:
- conf_file
- The full path to the configuration file for the anomaly detector.
Description:
The anomaly detection utility monitors the system to detect anomalies in runtime
behavior, after learning the expected behavior and determining a system signature.
Unexpected behavioral changes could indicate that someone unauthorized is accessing
the system, perhaps with the intention of exploiting it. In the absence of a clear
attack pattern, the anomaly detector may notice something important that could be
otherwise overlooked.
Before anomalies can be detected, the expected
normal behavior of the system must be captured and defined. In this step, the
anomaly detector observes the operating system (at runtime) to train itself based on
guidance you provide in the configuration file. It starts by monitoring the processes
that are listed in the configuration file to learn how they are expected to behave. This
method of auto-training yields a system profile that is then used by the utility to
recognize abnormalities.
Components of the system calls (such as process identifiers
for the sender and receiver) are hashed into the profile that is used by the utility
on the current target. If you copy the profile to a new target, the utility loads it
automatically to use on the new target.
The detector tracks the state of the
system in operation against its expected state (the system signature). Anomalous
behavior includes illegal changes that merit your attention (such as those
perpetrated by an attacker) and require countermeasures.
The qad utility places information into the following PPS objects:
- control
- Reserved for future use.
- status
- Overall status.
- anom_count: Reserved for future use.
- pid_X: The state of process X.
- proc_anom: Reserved for future use.
- state: Always set to running.
- PID
- A PPS object is created for each monitored process, and the PID of the
process is used as the object name.
- anomalies: The number of anomalies detected.
- frozen: Yes, if the profile is frozen. Otherwise, no.
- last_mod_count: The number of system calls since last
modification.
- locality: Reserved for future use.
- normal_count: The value of train_count minus
last_mod_count. This number is used to decide when
the training is complete.
- path: The path to the binary.
- sequences: Training sequences that have been seen.
- state: Current state of the process.
- time_to_normal: Reserved for future use. Always set to
1000.
- train_count: The number of system calls seen during
training.
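Reading those per-process objects is where the detector's output becomes actionable. The following is an added example, not part of the QNX documentation or of the qad utility itself: it parses the per-PID objects, recomputes normal_count from train_count and last_mod_count as defined above, and lists the PIDs that report anomalies. It assumes the standard PPS text layout of an "@name" header followed by "attribute:encoding:value" lines, a PPS mount point of /pps/qad, and the sample values embedded in it; all three are assumptions for illustration, not output captured from qad.

```python
import os
from dataclasses import dataclass

# Constructed sample of two per-PID qad objects. The attribute names are the
# ones the documentation lists; the values and the PPS encodings used here
# ("n" = number, empty = string) are assumptions, not captured qad output.
SAMPLE_OBJECTS = {
    "1234": (
        "@1234\n"
        "anomalies:n:0\n"
        "frozen::no\n"
        "last_mod_count:n:40\n"
        "normal_count:n:960\n"
        "path::/proc/boot/io-bluetooth\n"
        "sequences:n:312\n"
        "state::training\n"
        "time_to_normal:n:1000\n"
        "train_count:n:1000\n"
    ),
    "1288": (
        "@1288\n"
        "anomalies:n:3\n"
        "frozen::yes\n"
        "last_mod_count:n:0\n"
        "normal_count:n:2048\n"
        "path::/proc/boot/btman\n"
        "sequences:n:801\n"
        "state::normal\n"
        "time_to_normal:n:1000\n"
        "train_count:n:2048\n"
    ),
}


def parse_pps(text: str) -> dict:
    """Parse PPS 'attribute:encoding:value' lines into a dict.

    The '@name' header is skipped; values encoded 'n' become ints, the rest
    stay strings.
    """
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@"):
            continue
        name, encoding, value = line.split(":", 2)
        attrs[name] = int(value) if encoding == "n" else value
    return attrs


@dataclass
class ProcessReport:
    pid: str
    path: str
    state: str
    anomalies: int
    frozen: bool
    normal_count: int         # train_count minus last_mod_count, as defined above
    training_progress: float  # normal_count / train_count; 1.0 once the profile settles

    @property
    def needs_attention(self) -> bool:
        # Any reported anomaly is an illegal change that merits a look.
        return self.anomalies > 0


def report_process(pid: str, attrs: dict) -> ProcessReport:
    train_count = int(attrs.get("train_count", 0))
    last_mod = int(attrs.get("last_mod_count", 0))
    # Recompute normal_count from its definition rather than trusting the
    # published attribute, so a stale object cannot mislead the report.
    normal_count = train_count - last_mod
    return ProcessReport(
        pid=pid,
        path=str(attrs.get("path", "")),
        state=str(attrs.get("state", "")),
        anomalies=int(attrs.get("anomalies", 0)),
        frozen=str(attrs.get("frozen", "no")).lower() == "yes",
        normal_count=normal_count,
        training_progress=(normal_count / train_count) if train_count else 0.0,
    )


def summarize(objects: dict) -> list:
    """One ProcessReport per PPS object text, keyed by PID."""
    return [report_process(pid, parse_pps(text)) for pid, text in objects.items()]


def flagged(objects: dict) -> list:
    """PIDs whose object reports at least one anomaly, sorted for stable output."""
    return sorted(r.pid for r in summarize(objects) if r.needs_attention)


def load_pps_dir(mount: str = "/pps/qad") -> dict:
    """Read every all-digit object name under an assumed PPS mount point.

    The mount path is an assumption; check where qad publishes its objects on
    your target. Only all-digit names are read, since the PID is the object name.
    """
    objects = {}
    for name in os.listdir(mount):
        if name.isdigit():
            with open(os.path.join(mount, name), encoding="utf-8") as fh:
                objects[name] = fh.read()
    return objects


if __name__ == "__main__":
    for rep in summarize(SAMPLE_OBJECTS):
        flag = "ATTENTION" if rep.needs_attention else "ok"
        print(f"{rep.pid:>6} {rep.path:<26} {rep.state:<9} anomalies={rep.anomalies} "
              f"frozen={rep.frozen} progress={rep.training_progress:.0%} [{flag}]")
```

On a real target, replace SAMPLE_OBJECTS with load_pps_dir() once you have confirmed the mount point; a process whose training_progress stays below 1.0 for longer than normal_wait is a sign that its behaviour keeps changing, which is itself worth investigating.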
Note:
- You must be root to run this utility, and you must launch it from a
terminal window following system reboot.
- You can't trace events (for example, with the tracelogger
utility) and watch for anomalies at the same time, because both actions rely on the
same underlying mechanism.
Configuration file settings:
The configuration file for the anomaly detector supports the following options:
- buf_size
- Reserved for future use. Set to 64.
- win_size
- The size of the sliding window used to track events. The window size ranges from 8
bytes to 32 bytes. The default is 8 bytes.
- mon_list
- The list of processes to observe. Each entry in this list requires these fields:
id, type,
win_size, and notify. (The
desc field is optional.)
- exc_list
- Reserved for future use. Set to [ ].
- prof_path
- The full path to the generated qad profile data.
- notify
- Reserved for future use. Set to 1.
- normal_wait
- The normal wait is measured in seconds. Use it to set the amount of time needed to
monitor a system and observe its full cycle of expected behavior. If
abnormal behavior is detected during the wait, the timer resets to zero and
the count restarts. This information is used in building the system
signature. The default wait is 180 seconds.
- id
- Identifies a process to monitor.
- type
- Type 2 is the only type supported, and it indicates that the
id field contains a path.
- desc
- Use this optional field for notes; for example, to describe why you are observing
this process (in 255 characters or less).
Example:
The following is an example of a configuration file ad.conf for the anomaly
detector:
{
    "buf_size": 64,
    "win_size": 8,
    "mon_list": [
        {
            "id": "proc/boot/io-bluetooth",
            "type": 2,
            "desc": "something",
            "win_size": 8,
            "notify": 1
        },
        {
            "id": "proc/boot/btman",
            "type": 2,
            "desc": "something",
            "win_size": 8,
            "notify": 1
        }
    ],
    "exc_list": [
    ],
    "prof_path": "/home/myqnx6/qad_rootdir",
    "notify": 1,
    "normal_wait": 180
}
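Because a mistyped field silently changes what gets monitored, it is worth checking a configuration file against the rules listed above before deploying it. The validator below is an added example, not QNX's own tooling: it enforces the required mon_list fields, type 2, a win_size from 8 to 32, the 255-character desc limit, the reserved values, and an absolute prof_path, using the example file above plus a constructed faulty one as input. The key name exc_list is taken from the example file, and the duplicate-id check goes beyond what the documentation states; both are this example's own assumptions.

```python
import json
import os

# The example configuration from the documentation, embedded so the check runs offline.
EXAMPLE_CONF = """
{
  "buf_size": 64,
  "win_size": 8,
  "mon_list": [
    {"id": "proc/boot/io-bluetooth", "type": 2, "desc": "something", "win_size": 8, "notify": 1},
    {"id": "proc/boot/btman", "type": 2, "desc": "something", "win_size": 8, "notify": 1}
  ],
  "exc_list": [],
  "prof_path": "/home/myqnx6/qad_rootdir",
  "notify": 1,
  "normal_wait": 180
}
"""

# A constructed configuration with several mistakes, used to exercise the checks.
BAD_CONF = """
{
  "buf_size": 64,
  "win_size": 4,
  "mon_list": [
    {"id": "proc/boot/btman", "type": 1, "win_size": 64},
    {"id": "proc/boot/btman", "type": 2, "win_size": 8, "notify": 1}
  ],
  "exc_list": [],
  "prof_path": "relative/qad_rootdir",
  "notify": 1,
  "normal_wait": 0
}
"""

REQUIRED_TOP = ("buf_size", "win_size", "mon_list", "exc_list", "prof_path", "notify", "normal_wait")
REQUIRED_ENTRY = ("id", "type", "win_size", "notify")
WIN_MIN, WIN_MAX = 8, 32   # sliding window size range in bytes
DESC_MAX = 255             # maximum length of the optional desc field


def _check_win_size(value, where: str, problems: list) -> None:
    if not isinstance(value, int) or isinstance(value, bool) or not WIN_MIN <= value <= WIN_MAX:
        problems.append(f"{where}: win_size must be an integer from {WIN_MIN} to {WIN_MAX}")


def validate_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    for key in REQUIRED_TOP:
        if key not in cfg:
            problems.append(f"top level: missing key {key}")
    if cfg.get("buf_size") != 64:
        problems.append("top level: buf_size is reserved and must be 64")
    if cfg.get("exc_list") != []:
        problems.append("top level: exc_list is reserved and must be []")
    if cfg.get("notify") != 1:
        problems.append("top level: notify is reserved and must be 1")
    _check_win_size(cfg.get("win_size"), "top level", problems)
    wait = cfg.get("normal_wait")
    if not isinstance(wait, (int, float)) or isinstance(wait, bool) or wait <= 0:
        problems.append("top level: normal_wait must be a positive number of seconds")
    prof = cfg.get("prof_path")
    if not isinstance(prof, str) or not os.path.isabs(prof):
        problems.append("top level: prof_path must be a full (absolute) path")

    entries = cfg.get("mon_list")
    if not isinstance(entries, list) or not entries:
        problems.append("top level: mon_list must be a non-empty list")
        return problems
    seen = set()
    for i, entry in enumerate(entries):
        where = f"mon_list[{i}]"
        for field in REQUIRED_ENTRY:
            if field not in entry:
                problems.append(f"{where}: missing field {field}")
        if entry.get("type") != 2:
            problems.append(f"{where}: type must be 2 (id holds a path)")
        if "notify" in entry and entry["notify"] != 1:
            problems.append(f"{where}: notify is reserved and must be 1")
        _check_win_size(entry.get("win_size"), where, problems)
        desc = entry.get("desc")
        if desc is not None and (not isinstance(desc, str) or len(desc) > DESC_MAX):
            problems.append(f"{where}: desc must be a string of at most {DESC_MAX} characters")
        # Extra hygiene beyond the documentation: listing one id twice is
        # almost always a copy-and-paste slip worth flagging.
        ident = entry.get("id")
        if ident in seen:
            problems.append(f"{where}: duplicate id {ident!r}")
        seen.add(ident)
    return problems


def validate_text(text: str) -> list:
    return validate_config(json.loads(text))


def validate_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return validate_text(fh.read())


if __name__ == "__main__":
    for label, text in (("example", EXAMPLE_CONF), ("bad", BAD_CONF)):
        problems = validate_text(text)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run validate_file("/path/to/ad.conf") as part of the image build or before launching qad; an empty list is the only acceptable result.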