HIDS 3.1 Sizing and Tuning Primer

1.0 INTRODUCTION
1.1 Product Identification
Product Name: HP-UX HIDS
Product Number: HPUX-HIDS
Product Version/Release: 3.1
1.2 Purpose of Document
This document provides basic sizing and tuning guidelines for HP-UX Host Intrusion Detection
System (HIDS). The sizing guidelines were generated using a purely artificial load-generating
environment that produces a constant stream of system call audit records for HIDS to process (see
Appendix A for details). Testing for these guidelines was performed on dedicated HP-UX servers with
no other system activity occurring during the tests. When deploying HIDS into production
environments, therefore, be careful to assess the system load generated by other applications and
factor in the HIDS throughput requirements accordingly.
1.2 Intended Audience
The data provided in this document is intended to help customers effectively size and tune their
systems running HIDS and to help the HP field force effectively size and tune customer configurations
for deployment of HIDS.
1.3 Glossary
The following are definitions and acronyms used within this document.
Definitions
Agent – The HIDS sensor that detects intrusions.
Event – Any piece of information that HIDS analyzes for intrusions. For example, system call
audit records and login records are both delivered to HIDS as events.
Surveillance Group – A collection of one or more template instances where each instance is of a
unique template type.
Surveillance Schedule – A collection of one or more surveillance groups where each group has
its own set of template instances.
Template or Circuit – Intrusion detection logic that analyzes events and detects the use of basic
attack “building blocks” or patterns.
Template Instance – An instance of a template. For example, there can be several instances of
the Modification of Files/Directories template, each of which monitors for the modification of
different critical files or directories.
Template Type – Specifies which template logic a template instance implements (e.g.,
Modification of Files/Directories).
Template Properties – Configuration {name,value} tuples that are used to parameterize a
template instance and change a template instance’s behavior at run time. Two template
instances of the same template type have the same property names but with potentially different
property values. If properties are modified for a surveillance schedule that is running, the
schedule must be restarted for the new property values to take effect.
Acronyms
CPU – Central Processing Unit
HIDS – Host Intrusion Detection System. Refers to the HP-UX Host IDS product.
HP-UX – HP’s flavor of Unix
IDDS – Intrusion Detection Data Source. A kernel auditing subsystem on 11.11 and 11.23
specifically designed to provide a source of rich, on-line kernel audit data for HIDS.
HP Company Internal Page 4 of 20