
Orchids

Orchids is an intrusion prevention system (IPS) that looks for patterns among events instead of the traditional technique of detecting signatures of known attacks.

The basic concept of Orchids is to detect entire classes of 0-day (previously unknown) attacks by looking for similar sequences of events. For example, elevation of a user’s identity to root without following a normal mechanism should reliably identify a successful exploit.

Orchids also calculates entropy (a measure of disorder). This can flag, for example, an attack that exploits an SSL (secure sockets layer) server. This type of server normally creates encrypted transmissions between a browser and a web server, and encryption is designed to produce high-entropy communications. However, if an attack program causes an SSL server to transmit shellcode (malware inserted directly into memory), the traffic no longer appears random. Entropy falls and Orchids sends an alert to the administrator.
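To make the entropy check concrete, here is an added illustration of the idea, not code from the Orchids project: it computes Shannon entropy in bits per byte over two constructed samples, one that mimics ciphertext and one that mimics injected executable content, and raises an alert when a record falls below an assumed threshold.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sequence, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Assumed threshold: encrypted records should sit close to 8 bits/byte,
# so a record well below that is worth an alert.
LOW_ENTROPY_THRESHOLD = 7.0

def is_suspicious(data: bytes, threshold: float = LOW_ENTROPY_THRESHOLD) -> bool:
    """True when a record's entropy is lower than encrypted traffic should show."""
    return shannon_entropy(data) < threshold

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed samples, not captured traffic.
CIPHERTEXT_LIKE = pseudo_random_bytes(4096)
# Low-entropy stand-in for injected code: a small repeating byte pattern.
PAYLOAD_LIKE = (b"\x00" * 64 + b"ABCDEFGH" * 8) * 32  # 4096 bytes

def scan(records: dict) -> dict:
    """Map each record name to (entropy rounded to 3 places, alert flag)."""
    return {name: (round(shannon_entropy(d), 3), is_suspicious(d))
            for name, d in records.items()}

if __name__ == "__main__":
    results = scan({"ciphertext-like": CIPHERTEXT_LIKE, "payload-like": PAYLOAD_LIKE})
    for name, (h, flagged) in results.items():
        print(f"{name:16s} entropy={h:.3f} bits/byte  alert={flagged}")
```

A real deployment would measure entropy per connection over a sliding window rather than on a single block, since short records and compression artifacts can distort a single reading.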
