HP Host Intrusion Detection System (HIDS) Product Identification, Purpose of Document, Glossary


1.0 INTRODUCTION

1.1 Product Identification

Product Name: HP-UX HIDS

Product Number: HPUX-HIDS

Product Version/Release: 3.1

1.2 Purpose of Document

This document provides basic sizing and tuning guidelines for HP-UX Host Intrusion Detection System (HIDS). The sizing guidelines were derived in a purely artificial load-generating environment that produces a constant stream of system call audit records for HIDS to process (see Appendix A for details). Testing for these guidelines was performed on dedicated HP-UX servers; no other system activity was occurring during the tests. When deploying HIDS into production environments, therefore, assess the system load generated by other applications and factor the HIDS throughput requirements in accordingly.

1.2 Intended Audience

The data provided in this document is intended to help customers effectively size and tune their systems running HIDS and to help the HP field force effectively size and tune customer configurations for deployment of HIDS.

1.3 Glossary

The following are definitions and acronyms used within this document.

Definitions

Agent - The HIDS sensor that detects intrusions.

Event - Any piece of information that is being analyzed by HIDS for intrusions. For example, system call audit records and login records are all delivered to HIDS as events.

Surveillance Group – A collection of one or more template instances where each instance is of a unique template type.

Surveillance Schedule – A collection of one or more surveillance groups where each group has its own set of template instances.

Template or Circuit – Intrusion detection logic that analyzes events. Detects the use of basic attack “building blocks” or patterns.

Template Instance – An instance of a template. For example, there can be several instances of the Modification of Files/Directories template, each of which monitors for the modification of different critical files or directories.

Template Type – Specifies which template logic a template instance implements (e.g., Modification of Files/Directories).

Template Properties – Configuration {name,value} tuples that are used to parameterize a template instance and change a template instance’s behavior at run time. Two template instances of the same template type have the same property names but with potentially different property values. If properties are modified for a surveillance schedule that is running, the schedule must be restarted for the new property values to take effect.

Acronyms

CPU Central Processing Unit

HIDS Host Intrusion Detection System – Refers to the HP-UX Host IDS product.

HP-UX HP’s flavor of Unix

IDDS Intrusion Detection Data Source - A kernel auditing subsystem on 11.11 and 11.23 specifically designed to provide a source of rich, on-line kernel audit data for HIDS.

HP Company Internal

Page 4 of 20
