Registry IDS Software

Stepping away from the idea of Windows registry software as a cleaning tool, this article looks at the practical use of a registry-focused intrusion detection program. Traditional Windows virus scanners and security patches are effective only against threats that are already known: a signature can match only malware that someone has already captured and analyzed, and a patch closes only a vulnerability that has already been reported. Both leave a window between a new attack's first appearance and the update that detects or blocks it. Even with frequent antivirus updates and daily security patching, Windows remains exposed during that window, and malicious software that gets in can spread quickly and destructively.

A Different Approach: Registry Anomaly Detection Software.

Intrusion detection can feel like an endless problem. Antivirus applications miss whatever they have no signature for. Security patches arrive after the vulnerability is already being exploited. Firewalls and access control lists enforce a fixed policy; they do not notice a permitted program starting to behave abnormally.

But what if a program could take a vital Windows data store like the registry and learn, in advance, what its normal run-time access pattern looks like?

Any deviation from this baseline registry model could then be monitored, identified, and isolated. Intrusion detection would become sensitive in real time; the lag between signature updates would be reduced if not eliminated.

Real-time or near-real-time defense is the idea behind a host-based or network-based Intrusion Detection System (IDS). A network-based IDS monitors network traffic, checks it against known signature patterns (or a model of normal traffic), and responds by alerting the appropriate contacts. A host-based IDS works on the machine itself: it detects attacks by monitoring specific system resources such as the boot record, log files, and the Windows registry (which is not one file but a set of hive files loaded by the kernel).

A normal registry model is not a copy of a "clean" registry; it is built from a trace of registry accesses recorded while the system runs attack-free. From then on, each run-time registry access is compared with that normal pattern. When a monitored Windows registry shows behaviour that does not fit the model, the system is treated as under attack by malicious software and an alert is raised. Because most legitimate programs touch the same keys in the same way every time, such a model can keep false alarms low while catching malware that signature scanners have never seen. The caveat is that the training trace must be representative: a legitimate program or a Windows update that never ran during training will look just as anomalous as malware, so the model needs re-training whenever the software baseline changes.

Key Factors Applied to Anomalous Registry Modeling.

One model of normal Windows registry activity, the Registry Anomaly Detection (RAD) approach developed at Columbia University, is built on a set of recurring features extracted from each registry access during normal operation. When the values of a new registry access are inconsistent with the learned patterns, the access is flagged. The features are five standard fields:

1. Process: The name of the program accessing the registry is compared with the set of programs seen in the model. A process that never appeared during training is immediately recognizable as new and unknown.
2. Query: The type of registry operation (open key, query value, set value, create key, delete key). A process issuing a query type it never issued in training, for example a program that only ever read values starting to write them, is suspect.
3. Key: The registry key being accessed. Many keys are touched only by one specific program, or only once, at installation; a key that normal operation never touched, or a persistence key such as the Run key being written by the wrong process, exposes the attack.
4. Response: The outcome of the operation (success, key not found, access denied). The model records which outcomes each program normally receives; unexpected ones, such as a burst of not-found errors from a program probing for keys, are flagged.
5. Result Value: The data returned or written. Even when the process, query, and key are all familiar, a value never seen in training (a new program path in a Run key, for instance) triggers an alert.

The strength of the model comes from checking these features in combination rather than one at a time: a known process, a known query type, and a known key can each be perfectly normal on their own while the three together (that process issuing that query against that key) have never happened before.
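The following is an added example, not code from RAD or from any product named on this page, showing how the five-feature model above can be turned into a working detector. It trains on a small constructed, Procmon-style trace (the CSV layout, process names, key paths, and values are all assumed for illustration), remembers every feature value and every pair of feature values seen together, and scores a live access by the fraction of those single values and pairwise combinations it has never seen. The scoring rule is a deliberate simplification; a production system would use a probabilistic estimate that accounts for how much training data it has observed.

```python
# Added example: toy registry-access anomaly detector built on the
# five features (Process, Query, Key, Response, Result Value).
# Trace format, process names, key paths and values are constructed
# for illustration and are not from a real capture.
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, NamedTuple, Set, Tuple


class RegistryAccess(NamedTuple):
    process: str   # 1. Process: image name of the accessing program
    query: str     # 2. Query: OpenKey, QueryValue, SetValue, CreateKey ...
    key: str       # 3. Key: full registry path touched
    response: str  # 4. Response: SUCCESS, NOTFOUND, ACCESS_DENIED ...
    result: str    # 5. Result Value: data read or written ("" if none)


FEATURES = RegistryAccess._fields
FEATURE_PAIRS = list(combinations(FEATURES, 2))   # 10 pairs of the 5 features


def parse_line(line: str) -> RegistryAccess:
    """Parse one constructed trace line: process,query,key,response,result."""
    fields = line.rstrip("\n").split(",", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed trace line: {line!r}")
    return RegistryAccess(*fields)


class RegistryModel:
    """Model of normal activity: every feature value, and every pair of
    feature values seen together, during an attack-free training trace."""

    def __init__(self) -> None:
        self.seen_values: Dict[str, Set[str]] = defaultdict(set)
        self.seen_pairs: Dict[Tuple[str, str], Set[Tuple[str, str]]] = defaultdict(set)
        self.trained_on = 0

    def train(self, records: List[RegistryAccess]) -> None:
        for rec in records:
            self.trained_on += 1
            for f in FEATURES:
                self.seen_values[f].add(getattr(rec, f))
            for a, b in FEATURE_PAIRS:
                self.seen_pairs[(a, b)].add((getattr(rec, a), getattr(rec, b)))

    def score(self, rec: RegistryAccess) -> float:
        """Anomaly score in [0, 1]: fraction of the 5 single values and the
        10 pairwise combinations in this access that never appeared in training."""
        unseen = sum(getattr(rec, f) not in self.seen_values[f] for f in FEATURES)
        unseen += sum((getattr(rec, a), getattr(rec, b)) not in self.seen_pairs[(a, b)]
                      for a, b in FEATURE_PAIRS)
        return unseen / (len(FEATURES) + len(FEATURE_PAIRS))


def detect(model: RegistryModel, records: List[RegistryAccess],
           threshold: float = 0.1) -> List[Tuple[RegistryAccess, float]]:
    """Return the accesses whose score exceeds the threshold, highest first."""
    scored = [(rec, model.score(rec)) for rec in records]
    return sorted([s for s in scored if s[1] > threshold], key=lambda s: s[1], reverse=True)


RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORD_OPTS = r"HKCU\Software\Microsoft\Office\Word\Options"

# Constructed attack-free training trace.
TRAINING_TRACE = [
    f"explorer.exe,OpenKey,{RUN_KEY},SUCCESS,",
    f"explorer.exe,QueryValue,{RUN_KEY},SUCCESS,ctfmon.exe",
    f"winword.exe,QueryValue,{WORD_OPTS},SUCCESS,1",
    f"winword.exe,SetValue,{WORD_OPTS},SUCCESS,0",
    r"winword.exe,QueryValue,HKCU\Software\Microsoft\Office\Word\Missing,NOTFOUND,",
    r"lsass.exe,QueryValue,HKLM\SYSTEM\CurrentControlSet\Control\Lsa,SUCCESS,0",
]

# Constructed live trace: one normal access, one unknown process adding a
# Run entry, and one known process doing something it never did in training.
LIVE_TRACE = [
    f"explorer.exe,QueryValue,{RUN_KEY},SUCCESS,ctfmon.exe",
    rf"dropper.exe,SetValue,{RUN_KEY},SUCCESS,C:\Users\Public\upd.exe",
    f"explorer.exe,SetValue,{RUN_KEY},SUCCESS,ctfmon.exe",
]


def build_model() -> RegistryModel:
    model = RegistryModel()
    model.train([parse_line(line) for line in TRAINING_TRACE])
    return model


def run_demo() -> List[Tuple[RegistryAccess, float]]:
    return detect(build_model(), [parse_line(line) for line in LIVE_TRACE])


if __name__ == "__main__":
    for rec, s in run_demo():
        print(f"{s:.2f}  {rec.process} {rec.query} {rec.key} -> {rec.result!r}")
```

The third live record is the instructive one: every individual feature of explorer.exe writing ctfmon.exe to the Run key was seen in training, so a per-feature check would pass it, but the pairs (explorer.exe, SetValue) and (SetValue, Run key) never occurred together and the access still scores above the threshold. With a training trace this small everything unfamiliar looks anomalous; in practice the trace must cover a full cycle of normal use, and the threshold is tuned against the false-alarm rate that produces.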


IDS Registry Software: Commercial and Freeware.

This article draws attention to host-based IDS monitoring software, and a number of commercial and freeware packages fall under this heading. The best-known open-source IDS, however, is Snort, and Snort is a network-based IDS: it inspects packets on the wire, not registry accesses, so it complements rather than replaces a host-based registry monitor. In its free form Snort is also far from an easy IDS engine to apply. The final section takes a brief look at the complications of this open-source package.

Before taking that leap, here is a short list of commercial product names; you will likely return to them. For cross-reference, some of the attached hyperlinks lead to a company home site while others lead to support sites. The first two are network-based IDS providers; the second two are host-based IDS providers.

· Cisco Secure Intrusion Detection System (formerly NetRanger). Home site link.
· ISS RealSecure. Links to a PDF information file.
· Tripwire (file and registry integrity monitoring). This link brings up a product review site.
· Entercept by Entercept Security Technologies (now McAfee). Home site link.

Snort: A No Cost Home IDS, Not a Windows Registry Software Solution.

Snort, originally written by Martin Roesch and developed by Sourcefire (now part of Cisco), is an open-source network intrusion detection and prevention system and the de facto standard in that category. In its cost-free form it is also a complex and demanding program to download, install, and configure. The basic Snort download screen is cluttered with many files and few explanations (Fig. 1). Once downloaded, the file types encountered are beyond the computer-literacy range of the average user (Fig. 2). This is not for the faint of heart. Snort is no quick-install Windows registry cleaner, and it does not monitor the registry at all; it watches the network.

As a no-cost home IDS, Snort is really for people with system-administration or networking training. However, a free web front end, Snorby, is also available. The setup is still complex and somewhat frustrating, but the end result is decent. Figure 3 shows the original Snort command-line console. Figure 4 displays the Snorby login screen that replaces it. Figure 5 illustrates the Snorby web dashboard.

In the final analysis, Snort is not for the general computer user, and it will not watch your registry in any case. If you want registry monitoring out of the box, go for a commercial host-based IDS product. The headache you save may be your own.