Hi!
Perimeter defense is dead. We have to assume that our systems are infiltrated. Instead, we might be able to check that there was a breach...
]project-open[ already contains a - kind of - intrusion detection system that sends out alert messages if certain argument validation checks fail (before util_memoize usually...).
However, reading stuff about anomaly based IDS (https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system), I got the idea that it should be very easy to add a bit more.
So I went ahead and modified db_exec in /acs-tcl/00-database-procs.tcl to keep track of the SQLs issued per user. The resulting vector (SQL name -> frequency) can easily be checked to be "reasonable" (not implemented yet).
There are multiple points now:
- @OpenACS maintainers: Would it be OK to add a callback or something similar in db_exec?
- @OpenACS maintainers: Would it be OK to add a similar callback to argument violations of ad_page_contract?
- It might also be interesting to get the number of rows returned by each query. But I'm afraid this will add too much overhead. Any ideas?
- Any ideas on how to build "honeypots" into OpenACS/]po[? Honeypots and IDS currently seem to be the only security measures that work...
There is a lot of discussion and public interest in this area. I believe that could be a great paper at some security conference, etc. Maybe somebody would want to write this paper together with us?
Cheers,
Frank
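The per-user "SQL name -> frequency" vector described in the post, with a first cut at the "reasonable" check, as an added illustration that is not code from the post or from OpenACS/]po[: the statement names and events are constructed, the db_exec callback is assumed to emit (user_id, statement_name) pairs, and the check flags statements absent from a user's baseline plus drift of the query mix (cosine similarity) below a threshold.

```python
from collections import Counter, defaultdict
import math

# Constructed sample of (user_id, statement_name) events, in the shape a
# hypothetical db_exec callback might record them (not OpenACS code).
BASELINE_EVENTS = [
    ("u1", "project::list"), ("u1", "project::list"), ("u1", "task::get"),
    ("u1", "task::get"), ("u1", "task::get"), ("u1", "user::get"),
    ("u2", "project::list"), ("u2", "invoice::list"), ("u2", "invoice::get"),
    ("u2", "invoice::get"), ("u2", "user::get"),
]

def profile(events):
    """Build one frequency vector per user: statement name -> count."""
    vectors = defaultdict(Counter)
    for user, stmt in events:
        vectors[user][stmt] += 1
    return vectors

def normalize(counter):
    """Turn raw counts into relative frequencies (sum to 1)."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()} if total else {}

def cosine(a, b):
    """Cosine similarity of two sparse frequency vectors (0..1)."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def check_user(user, recent, baseline, min_similarity=0.8):
    """Compare a user's recent query vector against their baseline.

    Returns (similarity, alerts). Alerts are raised for statement names
    the user never issued during the baseline period and for a query mix
    whose similarity to the baseline falls below min_similarity.
    """
    base = normalize(baseline.get(user, Counter()))
    cur = normalize(recent)
    unseen = sorted(set(cur) - set(base))
    sim = cosine(base, cur)
    alerts = []
    if unseen:
        alerts.append(f"{user}: statements not in baseline: {unseen}")
    if sim < min_similarity:
        alerts.append(f"{user}: query mix drifted (cosine {sim:.2f})")
    return sim, alerts
```

Row counts per query, which the post mentions as a possible addition, would slot in as a second vector keyed the same way without changing the comparison.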