
| Subject: | Re: question about anomalies detection |
|---|---|
| Date: | Fri, 3 Sep 2004 13:04:19 -0700 |
A Traffic Anomaly engine works only as well as the definition of the 'normal' profile.
So, it is necessary that the system should be capable of learning and creating the profile.
IDS/IPS systems also should be capable of manual tuning of the profile to reduce false positives.
IDS/IPS systems would normally provide the following facilities.
1. The system should provide a facility to create rules for learning the traffic characteristics. Rules can contain Server IP address, Network, Service or a combination of these. They also should contain any application information such as HTTP URLs etc.
2. Learning System: should be capable of interpreting the logs generated by Sensors for a given period of time and generating a profile with the information collected for the rules given to the learning system.
3. The user can tune the profile and upload these profiles onto Sensors.
4. Sensors from then onwards enforce this profile and generate anomaly indications if the behaviour is outside the definition of the profile. As part of enforcement, IDS/IPS systems also provide notification to the administrator or block the traffic.
In future, I would expect more and more research going into learning systems and auto-tuning the profile over time.
The following is a very common list that is learnt by many of the current generation IDS/IPS products. In future, I would expect that this list grows.
- Number of connections, packets, bytes on a per Service/Network/Server basis in a given period.
- The URLs/Methods which are accessed on the WebServer in a given period.
I hope this helps.
Srini
Intoto Inc.
www.intoto.com
----- Original Message -----
From: <faisal99@inf.its-sby.edu>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, September 01, 2004 12:31 AM
Subject: question about anomalies detection
Hi everyone, sorry if my question seems to be a dummy question, but I need to know several things about anomaly detection for my college assignment. Below are some things to answer (if you don't mind):
1. To train the anomaly detection system, we must train the application with the normal profile. My question is how we get the normal profile: are they built by ourselves, or do we try to get them from our network dump data to be set as the normal profile, or do we use the prebuilt data on the net (like the data from Lincoln Lab)?
2. Is there any paper about SPADE (Snort Plugin)? I've been googling for some time but never found one.
Thank you for the attention.
regards
Nafis Faisal
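The learn / tune / enforce cycle Srini describes, as an added example that is not from the thread or any of the products it mentions. The log format, the server 10.0.0.5, the per-window counts and the "next window" report are all constructed for illustration; the profile keeps, per server and service, the mean and standard deviation of connections per window plus the set of URL methods seen, which is the list Srini says current products learn.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sensor log lines (not real data): "<window> <server> <service> <connections> <method:url,...>"
LEARNING_LOGS = """\
w1 10.0.0.5 http 120 GET:/index.html,GET:/login
w2 10.0.0.5 http 130 GET:/index.html,POST:/login
w3 10.0.0.5 http 125 GET:/index.html,GET:/login
w1 10.0.0.5 ssh 3 -
w2 10.0.0.5 ssh 2 -
w3 10.0.0.5 ssh 4 -
""".splitlines()

def learn_profile(log_lines):
    """Learning phase: per (server, service) -> mean/stdev of connections per window and URL methods seen."""
    counts, urls = defaultdict(list), defaultdict(set)
    for line in log_lines:
        _window, server, service, count, seen = line.split()
        counts[(server, service)].append(int(count))
        if seen != "-":
            urls[(server, service)].update(seen.split(","))
    return {key: {"mean": mean(v), "stdev": pstdev(v), "urls": urls[key]} for key, v in counts.items()}

def tune_profile(profile, key, **overrides):
    """Manual tuning step: the operator overrides learnt values (e.g. a wider stdev) before upload to sensors."""
    profile[key].update(overrides)
    return profile

def enforce(profile, observed, k=3.0, min_tol=1.0):
    """Enforcement phase: flag counts outside mean +/- tolerance, unlearnt URLs, and traffic with no profile."""
    anomalies = []
    for key, (count, seen) in observed.items():
        if key not in profile:
            anomalies.append((key, "no learnt profile"))
            continue
        p = profile[key]
        tol = max(k * p["stdev"], min_tol)  # min_tol keeps a zero-variance profile from flagging every deviation
        if abs(count - p["mean"]) > tol:
            anomalies.append((key, f"{count} connections outside {p['mean']:.1f}+/-{tol:.1f}"))
        for url in seen - p["urls"]:
            anomalies.append((key, f"unlearnt request {url}"))
    return anomalies

# Constructed "next window" as a sensor would report it after the profile was uploaded
OBSERVED = {
    ("10.0.0.5", "http"): (128, {"GET:/index.html", "GET:/admin"}),
    ("10.0.0.5", "ssh"): (40, set()),
    ("10.0.0.5", "telnet"): (1, set()),
}
```

Running `enforce(learn_profile(LEARNING_LOGS), OBSERVED)` flags the ssh burst, the never-seen GET:/admin and the unprofiled telnet traffic; widening the ssh stdev with `tune_profile` is the false-positive reduction step from point 3.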