HP Host Intrusion Detection System (HIDS) 1.1Product Identification, 1.2 Purpose of Document, 1.2 Intended Audience, 1.3 Glossary, 1.0INTRODUCTION, CPU, HIDS, IDDS, Agent, Event, HP-UX, Acronyms

1.0INTRODUCTION

1.1Product Identification

Product Name: HP-UX HIDS

Product Number: HPUX-HIDS

Product Version/Release: 3.1

1.2 Purpose of Document

This document provides basic sizing and tuning guidelines for HP-UX Host Intrusion Detection System (HIDS). The sizing guidelines are generated using a purely artificial load-generating environment that generates a constant stream of system call audit records that HIDS processes (see Appendix A for details). Testing for these guidelines was performed on dedicated HP-UX servers. No other system activity was occurring during the tests. However, when deploying HIDS into production environments, be careful to assess system load generated by other applications, and factor the HIDS throughput requirements accordingly.

1.2 Intended Audience

The data provided in this document is intended to help customers effectively size and tune their systems running HIDS and to help the HP field force effectively size and tune customer configurations for deployment of HIDS.

1.3 Glossary

The following are definitions and acronyms used within this document.

•Agent - The HIDS sensor that detects intrusions.

•Event - Any piece of information that is being analyzed by HIDS for intrusions. For example, system call audit records and login records are all delivered to HIDS as events.

•Surveillance Group – A collection of one or more template instances where each instance is of a unique template type.

•Surveillance Schedule – A collection of one or more surveillance groups where each group has its own set of template instances.

•Template or Circuit – Intrusion detection logic that analyzes events. Detects the use of basic attack “building blocks” or patterns.

•Template Instance – An instance of a template. For example, there can be several instances of the Modification of Files/Directories template, each of which monitors for the modification of different critical files or directories.

•Template Type – Specifies which template logic a template instance implements (e.g., Modification of Files/Directories).

•Template Properties – Configuration {name,value} tuples that are used to parameterize a template instance and change a template instance’s behavior at run time. Two template instances of the same template type have the same property names but with potentially different property values. If properties are modified for a surveillance schedule that is running, the schedule must be restarted for the new property values to take effect.

•CPU Central Processing Unit

•HIDS Host Intrusion Detection System – Refers to the HP-UX Host IDS product.

•HP-UXHP’s flavor of Unix

•IDDS Intrusion Detection Data Source - A kernel auditing subsystem on 11.11 and 11.23 specifically designed to provide a source of rich, on-line kernel audit data for HIDS.