Applied IT Security - Technische Universität München
4 OS Security
Applied IT Security, Dr. Stephan Spitz
Dr. Stephan Spitz, [email protected]
Applied IT Security
System Security
• Applied Cryptography
• System Security
• Firewalls and Intrusion Detection Systems
• Authentication Protocols
• Encryption and Digital Signatures in Current Applications
• Public Key Infrastructures
• Security Threats on Networks
• Overview & Basics
• Network Protocols and the Internet
• Operating Systems and Applications
• The Future of IT Security
• Operating System Security
• Security Certification
• Device Security
• Smart Cards, Secure µProcessors and Crypto Libraries
Today
• System Security
• Operating Systems and Applications
• Operating System Security
Overview Operating System Security
• Operating System Security
  • General Security Design Criteria
  • Risks
  • Secure Configuration and Tailoring
  • OS Security Requirements and Models
  • Trusted Solaris
  • The Java Runtime Environment
• Malicious Code
  • Structure of a Virus
  • Overview malicious Code
  • Examples
  • Counter Measures
General Security Design Criteria
• Design principle of "need to know", i.e. a user or process has exactly the rights it needs and not more
• Security concept: provable and as simple as possible
• Closed security concept which cannot be bypassed
• No "security by obscurity", i.e. the security mechanisms themselves are public and only keys and credentials are secret
• Security mechanisms have the lowest possible impact on usability
Risks
• Unauthorized access to data (e.g. reading freed memory which is not really deleted, such as the contents of swap files)
• Faked user identification (e.g. interrupting the user authentication can produce a successful login)
• Attempts to corrupt the OS (e.g. wrong input creates an inconsistent OS state, attempts to trigger a buffer overflow)
• Security holes in applications (e.g. Internet worms take advantage of bugs in sendmail or FTP daemons, forgotten debug code and insufficient parameter checks in applications)
• Always install the current security patches
Secure OS Configuration = Tailoring
• Purpose-driven configuration (workstation with user access, application or file server, Windows domain controller, etc.)
• Strict division of privileges between user, system (e.g. lp) and root or administrator accounts
• Disable or delete unused system resources (temporary files and shared directories)
• Try to establish a tamper-resistant reporting mechanism for security incidents (checksums, IDS); the reports must be stored where an intruder with local root cannot rewrite them
• Which of the network services installed by default are really necessary? (DNS, DHCP, RAS, FTP)
Unix Tailoring Examples
• Look up all available network interfaces with ifconfig -a (or from a remote machine) and disable the unnecessary ones locally with ipchains/iptables
• Scan for programs with the setuid/setgid bit (setXid, X = user/group), i.e. the process runs with the rights of the file owner or group instead of the caller:
  find / \( -perm -02000 -o -perm -04000 \) -ls
  Be careful: don't disable necessary administration programs, e.g. passwd
• Logging of syslog messages via an entry in the file /etc/syslog.conf:
  facility.loglevel destination (file, pipe, log server, user, terminal), e.g. daemon.notice /var/log/daemon.log
  A selector matches the given level and every more severe level, so daemon.notice also delivers warning, err, crit, alert and emerg messages
• Installation of integrity checks (e.g. with the program md5sum):
  md5sum /bin/ping /bin/su /etc/ld.so.conf
  Keep the reference checksums on read-only or off-host media, otherwise an intruder simply regenerates them; today sha256sum should be preferred, since MD5 is no longer collision resistant
  Attackers prefer to modify files in /etc/: inetd.conf, host.conf, ftpaccess
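The two file-system checks on this slide, written out as an added example (not from the lecture, and Python rather than the find/md5sum commands above): a setuid/setgid scan equivalent to the find command, and a digest baseline that later reports modified files, which is what a periodic md5sum run amounts to. The directory tree, the fake passwd/ping binaries and the inetd.conf line are constructed in a temporary directory so the script runs offline and without root; SHA-256 replaces MD5 for the reason given above.

```python
"""Added example: setXid scan and integrity baseline in Python.

check_setxid()   = find / \\( -perm -02000 -o -perm -04000 \\) -ls
build_baseline() / verify_baseline() = md5sum now, compare later
Everything under the temp directory is constructed for the demo.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def check_setxid(root):
    """Return sorted (path, mode) for regular files under root with setuid or setgid set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow symlinks while auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def digest(path):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Baseline = {path: digest}; in production store it read-only or off the host."""
    return {p: digest(p) for p in paths}


def verify_baseline(baseline):
    """Return the sorted list of paths whose content no longer matches the baseline."""
    return sorted(p for p, expected in baseline.items()
                  if not os.path.exists(p) or digest(p) != expected)


def demo():
    """Construct a mini system tree, run both checks, tamper with inetd.conf, re-check."""
    root = tempfile.mkdtemp(prefix="tailor_")
    try:
        bindir, etcdir = os.path.join(root, "bin"), os.path.join(root, "etc")
        os.makedirs(bindir)
        os.makedirs(etcdir)
        passwd = os.path.join(bindir, "passwd")
        ping = os.path.join(bindir, "ping")
        inetd = os.path.join(etcdir, "inetd.conf")
        for path, data in ((passwd, b"#!/bin/sh\necho passwd\n"),
                           (ping, b"#!/bin/sh\necho ping\n"),
                           (inetd, b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n")):
            with open(path, "wb") as f:
                f.write(data)
        os.chmod(passwd, 0o4755)   # setuid: necessary for passwd, must stay
        os.chmod(ping, 0o755)      # constructed as non-setuid here
        os.chmod(inetd, 0o644)

        setxid = [p for p, _mode in check_setxid(root)]
        baseline = build_baseline([passwd, ping, inetd])

        # simulate the intruder's favourite edit: a new service line in inetd.conf
        with open(inetd, "ab") as f:
            f.write(b"shell stream tcp nowait root /bin/sh sh -i\n")
        changed = verify_baseline(baseline)
        return setxid, changed
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, modified = demo()
    print("setXid files:", found)
    print("modified since baseline:", modified)
```

The scan reports only passwd, which is the expected result; the baseline check reports inetd.conf after the appended line, and would equally report a replaced /bin/su. Both checks are only as trustworthy as the machine running them, which is why the slide asks for the reporting mechanism to be tamper-resistant.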
Server Tailoring Examples
• Apache Unix/Win HTTP server: only root/admin should be the owner of the Apache directory
• BIND Unix DNS server: remove all unnecessary information records in named.conf/named.boot, e.g. CNAME records revealing host names and SOA fields containing administrative information (such as the administrator's mail address), and check the result with host -t txt server.com
• Apache Unix/Win HTTP server: disable all unnecessary preinstalled modules like mod_cgi, mod_status and mod_info
• Apache Unix HTTP server: install Apache in a chroot container, i.e. limit the access of the Apache process httpd to a certain directory tree, e.g. /usr/local/httpd. The chroot only helps if httpd drops root after binding port 80; a process that keeps root can leave a chroot
• Anyway: if possible, avoid running Apache under Windows
OS Security Control Mechanisms (1/2)
• User identification and authentication, i.e. the system uniquely identifies and authenticates users prior to all other user interaction
• Discretionary Access Control (DAC), i.e. the system distinguishes and administers the access rights to an object per user, per group or both (standard for file access in UNIX)
• Mandatory Access Control (MAC), i.e. the system provides all subjects and objects with attributes which are the basis for the rules to grant access (e.g. labeled security in Trusted Solaris)
• Object and data re-use protection, i.e. all storage objects returned to the system are treated in such a way that the preceding content cannot be recovered by other subjects
• Role Based Access Control (RBAC), i.e. the system grants privileges based on the role of the user (sysadmin role in Trusted Solaris)
OS Security Control Mechanisms (2/2)
• Principle of Least Privilege, i.e. each subject in the system is granted the most restrictive set of privileges that still lets it do its task
• Trusted Path: the system supports a trusted communication path between itself and a user which is logically isolated and unmistakably distinguishable from other paths (the classic example is a secure attention key such as Ctrl+Alt+Del that only the OS can intercept)
• A Trusted Computing Base (TCB) consists of the collection of hardware, firmware, software and the databases used by the software, together with the documentation and administrative procedures, that enforce the system's security policy
• Roles are given to authenticated and authorized entities based on strictly separated environments
OS Security Mechanisms and Models
1. Simple models for access control (ACL, capabilities and XrML)
2. Introduction to the security model from Bell and LaPadula
3. Security mechanisms in the OS Trusted Solaris and the Java Runtime Environment
Access Control List (ACL)
The access matrix below is read column-wise: each object carries a list of the subjects and the rights they hold on it.

Subject | File X | File Y
Joe     | Read   | Read/Write
Jane    | None   | Execute

ACL of File X: Joe: Read; ACL of File Y: Joe: Read/Write, Jane: Execute

Capabilities
The same access matrix is read row-wise: each subject carries a list of the objects it may access and with which rights.

Subject | File X | File Y
Joe     | Read   | Read/Write
Jane    | None   | Execute

Capabilities of Joe: File X: Read, File Y: Read/Write; capabilities of Jane: File Y: Execute
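The matrix from the two slides above, stored both ways, as an added example (not part of the lecture): it shows which question each representation answers cheaply and why revocation differs between the two models. Subjects, objects and rights are the ones on the slides; the delegation step is an assumption added to make the capability revocation problem visible.

```python
"""Added example: one access matrix, two representations.

ACL        (per object):  "who may access File X?"  is one lookup
Capability (per subject): "what may Joe access?"    is one lookup
Revocation: one edit at the object in the ACL model; in the capability model
            every subject that was handed a copy has to be visited.
"""

MATRIX = {                      # subject -> object -> rights (from the slides)
    "Joe":  {"File X": {"read"}, "File Y": {"read", "write"}},
    "Jane": {"File X": set(),    "File Y": {"execute"}},
}


def to_acls(matrix):
    """ACL view: object -> subject -> rights (the matrix read column-wise)."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})
            if rights:                          # a 'None' cell produces no ACL entry
                acls[obj][subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Capability view: subject -> object -> rights (the matrix read row-wise)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acl_check(acls, subject, obj, right):
    """Reference monitor consults the object's list and looks for the subject."""
    return right in acls.get(obj, {}).get(subject, set())


def cap_check(caps, subject, obj, right):
    """The subject presents its own list; the object itself is not consulted."""
    return right in caps.get(subject, {}).get(obj, set())


def who_can(acls, obj, right):
    """Cheap with ACLs: scan one object's entry."""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)


def what_can(caps, subject):
    """Cheap with capabilities: scan one subject's entry."""
    return sorted((o, r) for o, rights in caps.get(subject, {}).items() for r in rights)


def revoke_acl(acls, subject, obj):
    """ACL revocation: a single edit at the object."""
    acls.get(obj, {}).pop(subject, None)


def delegate(caps, giver, receiver, obj):
    """Capabilities are transferable (assumption for the demo): giver copies its rights on obj to receiver."""
    rights = caps.get(giver, {}).get(obj)
    if rights:
        caps.setdefault(receiver, {}).setdefault(obj, set()).update(rights)


def revoke_all(caps, obj):
    """Capability revocation for obj: every holder's list must be visited."""
    for holder in caps.values():
        holder.pop(obj, None)


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("who can read File Y:", who_can(acls, "File Y", "read"))
    print("what can Jane do:", what_can(caps, "Jane"))
    delegate(caps, "Joe", "Jane", "File X")
    print("Jane read File X after delegation:", cap_check(caps, "Jane", "File X", "read"))
```

The two check functions return the same answers for the original matrix; the difference is in the administrative operations around them, which is what the choice between the models is usually about.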
eXtensible rights Markup Language (XrML)
• XrML 2.0 adopts a simple model consisting of four entities and the relationships between those entities
• The basic relationship is defined by the XrML assertion "grant"
• Structurally, an XrML grant consists of the following:
  • The principal to whom the grant is issued
  • The right that the grant specifies
  • The resource that is the direct object of the "right" verb
  • The condition that must be met for the right to be exercised
XrML
<license xmlns="xrml2core" xmlns:sx="xrml2sx" xmlns:dsig="xmldsig#"
         xmlns:xsi="XMLSchema-instance" xmlns:cx="xrml2cx"
         xsi:schemaLocation="xrml2cx.xsd">
  <grant>
    <keyHolder>           <!-- keyHolder is the principal, authenticated by a cryptographic key -->
      <!-- further tags containing the public key ... -->
    </keyHolder>
    <cx:print/>           <!-- print is the right -->
    <cx:locator>          <!-- locator specifies the resource -->
      <nonSecureIndirect URI="http://www.foo.com/sampleBook.spd"/>
    </cx:locator>
    <validityInterval>    <!-- the condition -->
      <notAfter>2001-12-24T23:59:59</notAfter>
    </validityInterval>
  </grant>
</license>
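An added example (not from the lecture) that parses the grant above into its four parts and evaluates the validityInterval condition for a request: the license text is the slide's example, trimmed to the two namespaces it actually uses and with the short namespace names kept exactly as they appear on the slide. Only the notAfter condition is evaluated; real XrML has many further condition types and a license is only meaningful after its dsig:Signature has been verified, which is not shown.

```python
"""Added example: read principal / right / resource / condition out of an
XrML grant and decide whether a request may be exercised at a given time."""
import xml.etree.ElementTree as ET
from datetime import datetime

CORE = "xrml2core"   # default namespace of the slide's license (short form as on the slide)
CX = "xrml2cx"       # content extension: rights such as print, and the locator

LICENSE = """<license xmlns="xrml2core" xmlns:cx="xrml2cx">
  <grant>
    <keyHolder><!-- public key of the principal would go here --></keyHolder>
    <cx:print/>
    <cx:locator><nonSecureIndirect URI="http://www.foo.com/sampleBook.spd"/></cx:locator>
    <validityInterval><notAfter>2001-12-24T23:59:59</notAfter></validityInterval>
  </grant>
</license>"""


def parse_grants(xml_text):
    """Return one dict per <grant> with the four structural parts of the slide."""
    root = ET.fromstring(xml_text)
    grants = []
    for g in root.findall(f"{{{CORE}}}grant"):
        principal = g.find(f"{{{CORE}}}keyHolder")
        # the right is the cx-namespace child that is not the locator
        right = next((c.tag.split("}")[1] for c in g
                      if c.tag.startswith(f"{{{CX}}}") and c.tag != f"{{{CX}}}locator"), None)
        loc = g.find(f"{{{CX}}}locator/{{{CORE}}}nonSecureIndirect")
        not_after = g.find(f"{{{CORE}}}validityInterval/{{{CORE}}}notAfter")
        grants.append({
            "principal": "keyHolder" if principal is not None else None,
            "right": right,
            "resource": loc.get("URI") if loc is not None else None,
            "not_after": datetime.fromisoformat(not_after.text) if not_after is not None else None,
        })
    return grants


def may_exercise(grant, right, resource, now):
    """Right and resource must match and the condition must hold at time `now`."""
    if grant["right"] != right or grant["resource"] != resource:
        return False
    if grant["not_after"] is not None and now > grant["not_after"]:
        return False                      # condition failed: the license has expired
    return True


def evaluate_at(xml_text, right, resource, iso_now):
    """Does any grant in the license permit (right, resource) at the ISO-8601 time iso_now?"""
    now = datetime.fromisoformat(iso_now)
    return any(may_exercise(g, right, resource, now) for g in parse_grants(xml_text))


if __name__ == "__main__":
    for g in parse_grants(LICENSE):
        print(g)
    print("print in Dec 2001:", evaluate_at(LICENSE, "print", "http://www.foo.com/sampleBook.spd", "2001-12-01T00:00:00"))
    print("print in Jan 2002:", evaluate_at(LICENSE, "print", "http://www.foo.com/sampleBook.spd", "2002-01-01T00:00:00"))
```

The time passed to evaluate_at has to come from a clock the enforcement point trusts; a rights language can express "not after 24 December 2001", but it cannot stop a client that simply lies about the date.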
Bell-LaPadula Model
• Elements of the Bell-LaPadula model are subjects, objects, access attributes and security levels
• ACLs containing subjects, objects and access attributes are used for Discretionary Access Control
• Security levels form the Mandatory Access Control (Top Secret, Secret, Confidential, Unclassified) with the two rules No Read Up (NRU, the simple security property) and No Write Down (NWD, the *-property); an access is permitted only if the DAC check and both MAC rules allow it
• Bell-LaPadula does not address how access rights are established (creation/deletion of subjects and objects) and does not differentiate between executable code and data
No Read Up (1)
Figure: subjects at the levels Top Secret, Secret and Unclassified reading objects at the levels Top Secret, Secret and Unclassified; all three reads shown are permitted (Read OK), since each subject reads an object at its own level or below.

No Read Up (2)
Figure: the same levels; one read is permitted (Read OK) and two are forbidden (Read Forbidden), because a subject attempts to read an object classified above its own level.

No Write Down (1)
Figure: subjects at Top Secret, Secret and Unclassified writing objects at Top Secret, Secret and Unclassified; all three writes shown are permitted (Write OK), since each subject writes an object at its own level or above.

No Write Down (2)
Figure: the same levels; one write is permitted (Write OK) and two are forbidden (Write Forbidden), because a subject attempts to write an object classified below its own level.
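The four diagrams above as a small reference monitor, added here as an example (not from the lecture): the MAC rules on the four levels named on the slide, combined with a DAC check on an ACL as the model prescribes. Subjects, objects, clearances and the ACL are constructed for the demo.

```python
"""Added example: Bell-LaPadula decisions with DAC and MAC combined.

No Read Up   (simple security property): read  allowed iff level(subject) >= level(object)
No Write Down (*-property)              : write allowed iff level(subject) <= level(object)
An access is granted only when the ACL entry exists AND the MAC rule permits it.
"""
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

SUBJECTS = {"alice": "Top Secret", "bob": "Secret", "mallory": "Unclassified"}      # clearance
OBJECTS = {"plans.doc": "Top Secret", "memo.txt": "Secret", "news.txt": "Unclassified"}  # classification
ACL = {   # DAC: object -> subject -> rights (constructed)
    "plans.doc": {"alice": {"read", "write"}, "bob": {"read"}},
    "memo.txt":  {"alice": {"read", "write"}, "bob": {"read", "write"}, "mallory": {"write"}},
    "news.txt":  {"alice": {"read"}, "bob": {"read", "write"}, "mallory": {"read", "write"}},
}


def dac_allows(subject, obj, access):
    return access in ACL.get(obj, {}).get(subject, set())


def mac_allows(subject, obj, access):
    s, o = LEVELS[SUBJECTS[subject]], LEVELS[OBJECTS[obj]]
    if access == "read":
        return s >= o            # No Read Up
    if access == "write":
        return s <= o            # No Write Down
    raise ValueError(f"unknown access type {access!r}")


def decide(subject, obj, access):
    """Return (allowed, reason). MAC is evaluated first: an ACL entry can never override it."""
    if not mac_allows(subject, obj, access):
        rule = "No Read Up" if access == "read" else "No Write Down"
        return False, f"MAC: {rule} ({SUBJECTS[subject]} subject, {OBJECTS[obj]} object)"
    if not dac_allows(subject, obj, access):
        return False, "DAC: no ACL entry"
    return True, "allowed"


def permitted_accesses():
    """All (subject, object, access) triples the monitor permits, sorted."""
    return sorted((s, o, a) for s in SUBJECTS for o in OBJECTS
                  for a in ("read", "write") if decide(s, o, a)[0])


if __name__ == "__main__":
    for s in SUBJECTS:
        for o in OBJECTS:
            for a in ("read", "write"):
                print(f"{s:8} {a:5} {o:10} -> {decide(s, o, a)[1]}")
```

Two results are worth noticing. alice has an ACL entry to write memo.txt but is refused, because a Top Secret subject writing a Secret object would be a write down. mallory, an Unclassified subject, is allowed to write memo.txt (Secret) without being able to read it: Bell-LaPadula is a confidentiality model and permits such blind writes up, which is why real systems add integrity rules or restrict writes to the subject's own level.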
Main Characteristics of Trusted Solaris
• Trusted, i.e. an OS that satisfies a number of stringent security requirements (roles, trusted path, DAC, MAC, RBAC, etc.)
• MAC is based on labels, i.e. all objects (files and so on) and subjects (processes) on the system are labeled
• The Principle of Least Privilege is introduced by distinct roles which replace the privileged superuser root of standard Unix systems, i.e. admin, secadmin, oper and root
• There are different purpose-driven predefined configurations like trusted desktop, trusted server, trusted database application and trusted firewall
• RBAC can be used to represent special groups (e.g. engineering, sales, administrator)
The Java Sandbox Model
• The Java sandbox defines a secure execution environment for Java Virtual Machine (JVM) bytecode
• The Java sandbox consists of three parts: Bytecode Verifier, Class Loader and Security Manager
• The Bytecode Verifier checks the compiled bytecode before it is executed (correct class format, forged references, access restrictions, incorrect class type information)
• The Class Loader is responsible for loading and allocating new classes, i.e. name spaces (Java knows only references by name)
• The Security Manager decides which resources (files, network connections, etc.) may be accessed during JVM bytecode execution. Note that the Security Manager was deprecated for removal in Java 17 (JEP 411), so current JVMs no longer provide this part of the sandbox
Anatomy of a Java Application
(figure only on the slide)
The Java Security Package
• The security package (classes in the java.security package + security extensions) allows for adding security features to applications and helps to extend the sandbox model
• The security package provides the basis by which Java classes may be signed
• The security package is a complex API including:
  • The security provider interface (JCA)
  • Message digests
  • Keys and certificates
  • Digital signatures
  • Encryption (through JCE) and secure sockets (through JSSE)
  • Authentication (through JAAS)
Structure of any Virus
Infection Mechanism
• Search for possible targets (boot sector, executable file, scripts)
• Establish the virus code in the target
• Hide the code in the target
Trigger
• The trigger starts the replication (main virus characteristic)
• The trigger starts the payload execution
• Trigger events are timer interrupt, system boot, file access
Payload
• The payload contains the malicious code
• Broad range of activities (simple message to system breakdown)
• Payload sequences are a good way to identify viruses
Overview malicious Code
• Trojan Horse: virus to gain an account on a target system, not necessarily with a replication mechanism
• Macro Virus: virus infecting applications (e.g. WordBasic or VBA script viruses in the Microsoft Office suite) instead of an OS
• Worm: virus without an infection mechanism, i.e. security holes in running (mainly network) processes are abused, e.g. email, FTP
• Boot (Sector) Virus: virus that writes its code into the boot sector of a floppy or hard disk (mainly the master boot record)
• Hoax: only a rumor about a virus
Virus Example: MyDoom (11.02.04)
• MyDoom is a worm: the email user is seduced into clicking on an attachment ("Mail transaction failed. Partial message is available"), i.e. no own infection mechanism
• Trigger: the Windows registry is manipulated to load the MyDoom code memory-resident during the system boot
• Trojan Horse: MyDoom/Novarg establishes a backdoor on the infected system, i.e. a little server on the TCP ports 3127 to 3198 allows intruders to use the captured system, e.g. to start a Distributed Denial-of-Service (DDoS) attack
• Payload and Replication: the MyDoom code looks for every stored email address on the hard disk and sends a copy of itself
Virus Example: Sasser (03.05.04)
• Sasser is a worm: a bug in the Windows XP/2000 Local Security Authority Subsystem Service (LSASS), i.e. LSASRV.DLL (Active Directory service functions), can be used to cause a buffer overflow and execute malicious code over the network, without any user interaction
• Trigger: the Windows registry is manipulated to load Sasser during the system boot via the program avserve.exe (15,872 bytes), which runs 128 scanning threads in parallel against the reachable network. Registry entry in Windows:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "avserve.exe"="%windir%\avserve.exe"
• Payload and Replication: Sasser copies itself via FTP download to c:\windows\system32\[XXXXX]_up.exe and causes the infected system to reboot
Trojan Horse Example: Troj/DSNX-05 (09.04.05)
• Troj/DSNX-05 is a Trojan horse: a faked Windows security update page is used to seduce the user into installing a malicious "patch" which contains Troj/DSNX-05. It has neither an infection mechanism nor a replication mechanism in the technical sense (social-engineering infection and replication via the faked web page)
• The payload of Troj/DSNX-05 contains a background server process allowing a remote attacker (using a certain client program) to gain access to and control over the machine
• A Windows registry entry is used as the trigger event:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX = <Windows System>\<Trojan name>
  Before this entry is created, Troj/DSNX-05 copies itself to the Windows system directory using the name of a randomly chosen DLL file with an EXE extension
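All three examples (MyDoom, Sasser, Troj/DSNX-05) share the same trigger, an entry under the Run key that starts the code at boot. The script below is an added example (not from the lecture) that audits a registry export of that key. The export text is constructed for the demo; the indicator names are those given on the slides (avserve.exe, WinDSNX), and the "expected directories" list is an assumption about where legitimate autostarts live, so that an entry whose image lives in the system directory or somewhere unexpected is flagged even when its name is unknown.

```python
"""Added example: audit Run-key autostart entries from a .reg export.

Flags, in this order: a value or file name known from the slides, an executable
started via %windir% or from \\Windows\\system32\\ (where Sasser and DSNX drop
themselves), and anything outside EXPECTED_DIRS. The export text is constructed.
"""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"avserve.exe"="%windir%\\avserve.exe"
"WinDSNX"="C:\\WINDOWS\\system32\\msvcrt40.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

KNOWN_BAD = {"avserve.exe", "windsnx"}                    # names from the slides (lower case)
EXPECTED_DIRS = ("c:\\program files", "c:\\users\\")     # assumption for the demo


def parse_run_entries(export_text):
    """Return [(key, value_name, data)] for every value under a key ending in \\Run."""
    entries, key = [], None
    for line in export_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key and key.lower().endswith("\\run") and m:
            # undo .reg escaping: \" -> "  and  \\ -> \
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, m.group(1), data))
    return entries


def image_path(data):
    """Path of the started image: optional quotes, everything up to the extension, arguments dropped."""
    m = re.match(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|vbs|js))"?', data.strip(), re.IGNORECASE)
    return m.group(1) if m else data.strip().split(" ")[0]


def audit_run_entries(export_text):
    """Return {value_name: reason} for suspicious autostart entries."""
    findings = {}
    for _key, name, data in parse_run_entries(export_text):
        path = image_path(data)
        p = path.lower()
        if name.lower() in KNOWN_BAD or p.split("\\")[-1] in KNOWN_BAD:
            findings[name] = f"known indicator: {path}"
        elif "%windir%" in p or ("\\windows\\system32\\" in p and p.endswith(".exe")):
            findings[name] = f"executable started from the system directory: {path}"
        elif not p.startswith(EXPECTED_DIRS):
            findings[name] = f"outside expected directories: {path}"
    return findings


if __name__ == "__main__":
    for value, reason in audit_run_entries(REG_EXPORT).items():
        print(f"{value}: {reason}")
```

Running it against the constructed export reports avserve.exe and WinDSNX and leaves the two legitimate entries alone. On a live system the same logic applies to HKCU\...\Run, RunOnce and the other autostart locations; the Run key is only the one these three samples happened to use.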
Counter Measures
• Virus scanners try to identify viruses according to a certain characteristic (virus signature) stored in a database; this only finds variants whose signature is already known
• Signed code on a trusted operating base prohibits the execution of unauthorized code, e.g. viruses, on a system
• Checksums and/or encryption make it possible to detect/avoid modifications done by a virus
• Intrusion Detection Systems (IDS) monitor a system to detect processes which may be the result of a virus infection
• Heuristic virus scanners try to identify a virus with a forecast about the runtime behaviour of code (sophisticated approach, but not really efficient)
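Signature-based detection as described in the first bullet, added here as an example (not from the lecture) over constructed samples: two signature kinds are shown, a whole-file hash and a byte pattern (a "payload sequence" in the terms of the virus-structure slide), so that the limitation is visible in the results. One changed byte defeats the hash signature, the byte pattern still matches, and an encoded copy of the payload defeats both, which is the case the heuristic scanner in the last bullet is meant for. All samples, signatures and names are constructed; nothing here is real malware.

```python
"""Added example: hash signature vs. byte-pattern signature over constructed samples."""
import hashlib

# constructed stand-in for a payload sequence; harmless text, not code
PAYLOAD = b"SEND_COPY_TO_EVERY_ADDRESS_IN_ADDRESSBOOK"
SAMPLE_ORIGINAL = b"MZ" + b"\x00" * 16 + PAYLOAD + b"\x00" * 8
SAMPLE_PATCHED = SAMPLE_ORIGINAL[:-1] + b"\x01"              # one trailing byte changed
SAMPLE_ENCODED = b"MZ" + bytes(b ^ 0x5A for b in PAYLOAD)    # payload XOR-encoded, decoded only at run time
SAMPLE_CLEAN = b"MZ" + b"hello world, nothing to see here. " * 3

SIGNATURE_DB = {                                             # constructed signature database
    "hash": {hashlib.sha256(SAMPLE_ORIGINAL).hexdigest(): "Demo.Worm.A"},
    "pattern": {PAYLOAD: "Demo.Worm"},
}


def scan(data, db=SIGNATURE_DB):
    """Return [(signature_kind, name)] for every signature that matches the file content."""
    hits = []
    name = db["hash"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(("hash", name))          # exact file known: precise, but brittle
    for pattern, pname in db["pattern"].items():
        if pattern in data:
            hits.append(("pattern", pname))  # payload sequence present anywhere in the file
    return hits


def scan_all():
    """Scan the four constructed samples; returns {sample_name: hits}."""
    samples = {"original": SAMPLE_ORIGINAL, "patched": SAMPLE_PATCHED,
               "encoded": SAMPLE_ENCODED, "clean": SAMPLE_CLEAN}
    return {k: scan(v) for k, v in samples.items()}


if __name__ == "__main__":
    for sample, hits in scan_all().items():
        print(f"{sample:9} -> {hits or 'no match'}")
```

The "encoded" sample is the interesting one: the scanner sees no signature although the same payload would run after decoding, so a detection that only inspects bytes on disk has to be complemented by watching what the code does (heuristics, IDS, or the checksum and signed-code measures above, which do not depend on knowing the virus at all).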