From the source: pH is a Linux kernel extension which detects and exponentially slows down unusual program behavior. It detects such behavior by automatically creating profiles of the pattern of system calls made by different programs. It takes some time for pH to capture a stable profile of a given program's behavior; once it has done so, though, pH will automatically respond to unusual behavior through exponential delays.
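To make the description above concrete, here is a small Python model of the two phases pH goes through: a training phase that records the lookahead pairs of system calls a program makes, and a monitoring phase that counts calls whose pairs were never seen and raises a delay exponentially with the number of recent mismatches. This is an added example written for this page, not pH's kernel code or its utilities; the window size, the 128-call locality frame and the delay_factor * 2**lfc formula are assumptions drawn from the published pH design and simplified, and the syscall traces are constructed, not captured from a real program.

```python
"""Toy model of pH-style profiling: lookahead pairs plus exponential delay.

Added example, not pH's kernel code.  Window size, locality-frame size and the
delay formula are assumptions modelled on the pH papers and kept deliberately
small so the behaviour can be followed by hand.
"""
from collections import deque

WINDOW = 3        # lookahead window (assumed; pH used larger windows)
LFC_WINDOW = 128  # locality frame: recent calls that count toward the delay (assumed)


class PHProfile:
    """A program's normal behaviour as a set of lookahead pairs.

    A lookahead pair is (distance, earlier_call, current_call): "current_call
    was observed `distance` positions after earlier_call" within one window.
    """

    def __init__(self, window=WINDOW):
        self.window = window
        self.pairs = set()

    def _pairs_for(self, history, call):
        # history holds the previous window-1 calls, oldest first
        for distance, earlier in enumerate(reversed(history), start=1):
            yield (distance, earlier, call)

    def train(self, trace):
        """Learn every pair in trace; return how many pairs were new.

        pH keeps training until the profile stops changing for long enough to
        be declared normal; a return value of 0 on a fresh trace is the toy
        equivalent of "the profile is stable".
        """
        new = 0
        history = deque(maxlen=self.window - 1)
        for call in trace:
            for pair in self._pairs_for(history, call):
                if pair not in self.pairs:
                    self.pairs.add(pair)
                    new += 1
            history.append(call)
        return new

    def monitor(self, trace, lfc_window=LFC_WINDOW, delay_factor=1):
        """Replay trace against the profile.

        Returns a list of (call, mismatch, lfc, delay): lfc is the number of
        mismatching calls among the last lfc_window calls, delay the scheduler
        penalty the model applies, delay_factor * 2**lfc, or 0 when lfc is 0.
        """
        history = deque(maxlen=self.window - 1)
        recent = deque(maxlen=lfc_window)   # 1 for a mismatching call, else 0
        out = []
        for call in trace:
            mismatch = any(pair not in self.pairs
                           for pair in self._pairs_for(history, call))
            recent.append(1 if mismatch else 0)
            lfc = sum(recent)
            delay = delay_factor * 2 ** lfc if lfc else 0
            out.append((call, mismatch, lfc, delay))
            history.append(call)
        return out


def summarize(profile, trace):
    """Return (number of mismatching calls, largest delay applied)."""
    rows = profile.monitor(trace)
    return sum(1 for r in rows if r[1]), max((r[3] for r in rows), default=0)


# Constructed traces (not captured from a real program).
NORMAL = ["open", "read", "read", "write", "close"]
# Same loop, but with a call sequence the profile never saw: an exec in the middle.
ANOMALOUS = NORMAL + ["open", "read", "execve", "read", "write", "close"]


def demo():
    profile = PHProfile()
    profile.train(NORMAL * 3)                 # training phase: learn the loop
    stable = profile.train(NORMAL * 2) == 0   # no new pairs: profile is stable
    return stable, summarize(profile, NORMAL * 2), summarize(profile, ANOMALOUS)


if __name__ == "__main__":
    stable, normal_result, anomalous_result = demo()
    print("profile stable:", stable)
    print("normal trace (mismatches, max delay):", normal_result)
    print("anomalous trace (mismatches, max delay):", anomalous_result)
```

Running the demo shows the property the description relies on: a trace that matches the profile produces no mismatches and no delay, while the three calls around the unexpected execve each miss the pair set, so the locality frame count climbs 1, 2, 3 and the delay doubles with each one (2, 4, 8). Because the frame is 128 calls wide, the delay stays at 8 for the trailing close even though that call itself is normal, which is the "exponential slow-down" behaviour rather than a per-call alarm.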
2008/08/04: Added the Publications section to this document.
2008/07/22: pH 0.30.1 has been released. It corrects the attribution of an NFS patch that is carried in pH until it lands in the upstream tree.
2008/07/20: pH 0.30 has been released. It works on the 2.6.26 kernel.
The pH package is composed of two files: the kernel patch (pH-0.30.1.diff) and the pH-utils tarball.
This is the "Works on my machine" edition of pH. It comes with NO WARRANTY whatsoever. In particular, pH reads and writes files from within the kernel. Please make a backup, or work within a virtualized environment.
The upstream git tree is Linus' kernel tree. You can apply the patches directly to the git tree by typing git apply pH-0.30.1.diff.
This adds a configuration option, CONFIG_SECURITY_PH. Setting it to Y will probably be a good idea. A basic configuration file that I use during development with Qemu is config.pH. It provides a minimal kernel, with no modules, that can be used as a PXE-boot kernel with Qemu.
Untarring the pH-utils package will give you the tools necessary to start pH. A quick outline is:
H. Inoue and A. Somayaji, "Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods." 2nd Annual Symposium on Information Assurance (academic track of the 10th NYS Cyber Security Conference), Albany, NY. June 2007. Best Paper Award. [PDF]
S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for Unix processes." Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos, CA, pp. 120-128 (1996). [PS] [PDF]