Anomaly detection with cfenvd and cfenvgraph


1.1 An environment detector: cfenvd

The `cfenvd' program serves two purposes: it is an anomaly detection engine and a source of entropy for generating random numbers, such as encryption keys. Although it is not a compulsory part of cfengine, running this daemon is highly recommended: it requires few resources and poses no vulnerability to the system. It will play an increasingly important role in future developments.

In cfengine 2.x, additional classes are evaluated automatically from the state of the host relative to earlier times. This is done by the additional `cfenvd' daemon, which continually updates a database of system averages and variances that characterize "normal" behaviour. The current state of the system is compared against this database and classified by its level of activity relative to the average of equivalent earlier times, for example:

RootProcs_low_dev2
netbiosssn_in_low_dev2
smtp_out_high_anomalous
www_in_high_dev3

The first of these tells us that the number of root processes is two standard deviations below the average of past behaviour, which might be fortuitous, or might signify a problem, such as a crashed server. The WWW item tells us that the number of incoming connections is three standard deviations above average. The smtp item tells us that outgoing smtp connections are more than three standard deviations above average, perhaps signifying a mail flood. The setting of these classes is transparent to the user, but the additional information is only visible to the privileged owner of the cfengine work-directory, where the data are cached.
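The classification described above, as an added Python example (not cfengine's own C code): a running average and variance is kept per metric, and the class name is derived from how many standard deviations the current value sits from that average. The metric names come from the examples above; the exact band edges for dev2, dev3 and anomalous, and the sample counts, are assumptions.

```python
import math
from dataclasses import dataclass
@dataclass
class RunningStats:
    """Average and variance of one metric over earlier samples (Welford update)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def sigma(self) -> float:
        return math.sqrt(self.m2 / self.n) if self.n else 0.0

def classify(metric: str, value: float, stats: RunningStats) -> str:
    """Name the class cfenvd would set for `metric` at `value`. Band edges are an
    assumption drawn from the manual's prose: |z| < 2 sigma -> normal_dev2,
    2..3 -> low/high_dev2, 3..4 -> low/high_dev3, beyond -> low/high_anomalous."""
    sigma = stats.sigma()
    if sigma == 0.0:
        return f"{metric}_normal_dev2"  # no spread recorded yet: nothing to compare
    z = (value - stats.mean) / sigma
    side = "high" if z > 0 else "low"
    if abs(z) < 2.0:
        return f"{metric}_normal_dev2"
    if abs(z) < 3.0:
        return f"{metric}_{side}_dev2"
    if abs(z) < 4.0:
        return f"{metric}_{side}_dev3"
    return f"{metric}_{side}_anomalous"

def environment_classes(history: dict, current: dict) -> list:
    """Class list for every metric, given its earlier samples and its value now."""
    classes = []
    for metric, samples in history.items():
        stats = RunningStats()
        for s in samples:
            stats.update(s)
        classes.append(classify(metric, current[metric], stats))
    return classes

# Constructed sample data: counts at equivalent earlier times (same hour on earlier days) and now.
HISTORY = {"www_in": [10, 12, 11, 9, 10, 12, 11, 9],
           "smtp_out": [3, 4, 3, 5, 4, 3, 4, 5],
           "RootProcs": [40, 41, 39, 40, 42, 38, 40, 41]}
CURRENT = {"www_in": 14, "smtp_out": 30, "RootProcs": 37}
```

`environment_classes(HISTORY, CURRENT)` returns the environment part of the "Defined Classes" list for the constructed data: www_in_high_dev3, smtp_out_high_anomalous and RootProcs_low_dev2.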

Active incoming ports are also registered as "pin-portnumber", but this is mainly an experimental feature for future research. The resulting class list, obtained from exploring the environment of the system, and after parsing a configuration, looks something like this:

host% cfagent -p -v

[snip]

Defined Classes = ( any Thursday Hr14 Min24 Min20_25
Day19 July Yr2001 solaris examplehost 32_bit sunos_5_7
sunos_sun4u sunos_sun4u_5_7 sparc solaris2_7 129_0_0 
129_0_0_10 loghost OnTheHour peaktime DayTime 
examplehost_example_org longjob Setup_SSH_OK y MailHub 
percent_60 RootProcs_normal_dev2 nfsd_out_low_dev2 
pin-1554 pin-80 pin-21 pin-6011 pin-5308 pin-139 
pin-983 pin-10 )

[snip]

It is not yet known how the extra environment classes will be used in practice. One obvious possibility is to limit certain heavy-weight operations (such as file tree scans) when the host is very busy, and to increase the probability of their occurrence when the host is lightly loaded. See the example in section 11. It remains to be seen how users will respond to these possibilities.

1.2 Anomaly research
1.3 cfenvgraph
1.4 Starting with anomaly detection



Copyright 2003 by The Free Software Foundation. Updated Jun 2003.