Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: question about anomalies detection

from [Rob Shein] Network Security [Permanent Link]
Subject: RE: question about anomalies detection
Date: Thu, 16 Sep 2004 21:24:11 -0400 
Actually, this is just signature-based IDS, where you're rolling your own
sigs.  If you were to do anomaly-based IDS, you'd more likely be doing the
logical inverse of this, where you would ignore the hostile traffic you
generated and defined the rest of it as "normal," and therefore you'd define
everything else as "suspicious."  The whole appeal of anomaly-based
detection is that it can theoretically notice attacks that nobody has ever
heard of before, simply because it differs from what is "normal."  And
therefore, it doesn't matter what attacks you generate, since it learns the
definition of "normal" rather than the definition of "hostile."


-----Original Message-----
From: Raj Malhotra [mailto:ral.mal@gmail.com] 
Sent: Friday, September 03, 2004 2:13 AM
To: faisal99@inf.its-sby.edu
Cc: focus-ids@securityfocus.com
Subject: Re: question about anomalies detection


Hi


1. To train the anomalies detection system, we must train the 
application with the normal profile. My question is how we get the 
normal profile, are they built by ourself or we try to get from our 
network dump data to be set as normal profile or we use the 

prebuild 

data on the net(like the data on the Lincoln Lab Data?)


You can do all the three. But i would like to do it as follows:
1) assume that traffic on my LAN is clean.
2) set-up a machine running tcpdump with "-w" option to keep logging
    what ever goes on the LAN.
3) use a linux box and run nmap with os finger printing 
option on some target machines
    on the same LAN.
4) the tcpdump will have a mixture of normal traffic and 
scans for OS finger printing

look for features that are unique to OS fingerprinting (read how nmap
works) and try to use
 k-nearest neighbour for classification.


2. Is there any paper about SPADE(Snort Plugin), I've googling for 
sometimes but never found one.


--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from CORE IMPACT. Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04

0708 to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: What is false alarm rate and false positive rate?, Rob Shein
Next by Date:  Re: Linux SuSe host base IDS., Volker Kindermann
Previous by Thread:  Re: question about anomalies detection, Raj Malhotra
Next by Thread:  Re: question about anomalies detection, Jose Maria Lopez
Indexes:  [Date] [Thread] [Top] [All Lists]