ImSafe - Host Based Anomaly Detection Tool - Front Page
Imsafe logo
Immune Security Architecture
by Laurent Eschenauer

-News
-Download

-Documentation
-Development
-Screenshots
-Testing lab
-Resources

-About ImSafe

Thanks To
Hosted by:
SourceForgeLogo
Made in Glade: Glade
Graphics by: Glade
Live stats by:
Introduction
ImSafe is a host-based intrusion detection tool for Linux. It is performing anomaly detection at the process level and tries to detect various type of attacks. What is great about ImSafe is that the system doesn't know anything about the attacks and thus can detect unknown, unpublished attacks or any other form of malicious use of the monitored application.It performs quite well when monitoring usual services like a FTP server, telnet daemon,etc...
This tool was first developed as part of my graduation thesis at the University of Liege, it is now getting its first public release under an open-source license.

DISCLAIMER: Don't even think about using this product to secure a real system ! We are in ALPHA release phase, and the system itself is far from being secure !
Latest News
March 6th 2001 - Thank you for your Feedback !
Thank you for the incredble feedback that I received on this product ! Because of that I decided to stop "playing" with the Alpha release and to move immediately towards a Beta release. It means that I'm going to rewrite a large part of the code and change a lot of stuff in the architecture, based on comments and feedback I received. I'll soon post a paper highlighting those future changes and ideas, so that it can be a basis for future discussions.
If you don't hear from me, it's probably because I'm lost into my code, so my only advice is that you monitor sourceforge of freshmeat and maybe that someday you'll see a stable, beta release of ImSafe !

February 26th 2001, Back to work
After working on the web site and the public release, it's now time to go back to work ! But while I'm working on some improvements of the GUI and to the complete integration of the "sensor" mode in the product (instead of using the modified strace), I would like to start a discussion on the " Fast buffer overflow detection" mechanism. I did post a description of the idea in the discussion group, please post your feedback there or send me an e-mail.
Comments on the FBOD feature.

February 22nd 2001, We are getting public
Yeahhhh ! We are getting public today with our new web site. This site is a pure rip off of a few cool sites I found on the net... Sorry I prefer to work on the code than on the web design ! Anyway the project is now open-source and will be hosted by sourceforge.
I'm waiting for the first comments and feedback to decide if it worth to continue to invest time in this project... Please send me some comments !

Last release
imsafe-0.2.2 is the last release and the first one to be public. This is ALPHA code, it means that the product is in pure development stage and should not be used in real life situation, like on a commercial server... I also expect to have bug reports and questions in the next days.
This program is HelpWare. You can download it, install it, hack it, play with it, but you HAVE to help me by giving some feedback if you find bugs, attacks that are not detected, etc...
Current features
Current features:
  • Anomaly detection by analysing audit trails of system calls
  • Fast detection of Buffer Overflow Attacks through our call origin heuristic mecanism
  • GTK based graphical user interface
  • Created for Linux systems but works on almost every UNIX flavor
  • Monitor multiple processes of one single application at a time (it's enough for testing purposes)
  • React in real-time to an attack by executing the script of your choices

Task list
  • Move from ALPHA to BETA so it may be used in a real situation
  • Communicates with other IDS packages like DIDS
  • Monitor different application
  • Secure way to distribute profiles
  • Improved machine learning techniques to lower false positive
  • Add other mechanisms to spot specific attacks
  • Use the same engine to do users profiling