Ok, I just want to ask if this exists or not.
Sometimes it is necessary to block the PC from other users. But sometimes people forget to do this (to press Ctrl-Alt-Delete and choose Block). It would be great if a program could detect by itself if there is another user currently present. So for example, the typing speed is rather different, double click, ...
If this exists - where to see it 'naturally'?
Posted on 2002-01-06 13:07:05 by Maestro
Cool Idea. Like a stylistic use type fingerprint. Sounds pretty complex. I'd like to see it done myself.
Posted on 2002-01-06 13:49:24 by rdaneel
What can substitute Neural Networks in analyzing various facts?
What should I use if I should analyze various facts with no relation to each other? Just NN? What are other AI technologies but NN?

2Rdaneel: Ok! I am glad that I am not alone. I began to think that I am the only person who thinks that that is a real thing to do.

I have just one problem: what factors should I pay attention to when analyzing a log of intrusion? I know some: the keyboard spelling/speed, the started programs, tools; modifying special files, ... What else? Please, help!!
Posted on 2002-01-06 15:59:15 by Maestro
This has been done in a few anomaly detection systems with some success. I don't have specific paper titles handy at the moment, but Terran Lane did some work on this at Purdue. Some of his papers can be found at
http://www.ai.mit.edu/people/terran/research/publist.html

and you can probably also find some other research at http://cerias.purdue.edu

I'm sure a couple of commercial host-based IDSs do this, but I don't know of any right off the top of my head.

As to what you should look for, that is a very good question. There really is no set thing you can look at. What you are wanting to do is to learn a user's behavior, but a million things can affect what a user is doing. Plus you run the risk of your program learning malicious behavior as normal behavior. Amoroso's book talks about this some.

Also, the process that is doing this monitoring can always be killed, modified, or bypassed altogether.

You also have to worry about the amount of data you store. You can quickly fill up disks if it's even a moderately busy system.

If you are interested in IDS I would recommend subscribing to the focus-ids mailing list on SecurityFocus. Someone there might be able to tell you about a publicly available system that does the kind of monitoring you are interested in.

By the way...you are definitely not alone wanting this...not even close to it.
Posted on 2002-01-06 20:06:35 by purdue6985
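
An added example, not part of the original thread and not taken from any of the systems mentioned in it: a typing-speed baseline that keeps only running statistics instead of a raw keystroke log (the disk-space concern) and learns only from windows it did not flag (the concern about learning malicious behavior as normal). The class name, the z-score threshold, the enrolment size and the sample intervals are all assumptions made for illustration.

```python
import math

class KeystrokeProfile:
    """Per-user baseline of inter-key intervals (ms), kept in constant space."""
    def __init__(self, threshold=3.0, min_samples=30):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0   # Welford running statistics
        self.threshold = threshold                 # assumed z-score cut-off
        self.min_samples = min_samples             # assumed enrolment size

    def _update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def score(self, window):
        """z-score of the window's mean interval against the baseline mean."""
        if self.n < self.min_samples or not window:
            return 0.0                             # still enrolling: no verdict
        window_mean = sum(window) / len(window)
        stderr = self.std() / math.sqrt(len(window))
        diff = abs(window_mean - self.mean)
        if stderr == 0:
            return 0.0 if diff == 0 else math.inf
        return diff / stderr

    def observe(self, window):
        """Return True if the window is anomalous; learn from it only if not."""
        anomalous = self.score(window) > self.threshold
        if not anomalous:                          # never fold flagged input into the baseline
            for x in window:
                self._update(x)
        return anomalous

# Constructed sample data: intervals in milliseconds between key presses.
OWNER = [180, 200, 220, 190, 210] * 2
OTHER = [90, 110, 100, 95, 105] * 2

def demo():
    profile = KeystrokeProfile()
    verdicts = [profile.observe(OWNER) for _ in range(4)]   # enrolment + normal use
    verdicts.append(profile.observe(OTHER))                 # faster typist
    return verdicts, profile.n

if __name__ == "__main__":
    print(demo())
```

Gating updates on the verdict only stops abrupt changes from entering the baseline; behavior that shifts slowly enough to stay under the threshold is still learned, and whatever is typed during enrolment is accepted as normal.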