Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Stateful Anomaly Detection Molding

from [Drew Simonis] Network Security [Permanent Link]
Subject: Re: Stateful Anomaly Detection Molding
Date: Thu, 14 Oct 2004 08:38:03 -0500 



I want to get the groups opinion on the viability of Stateful Anomaly
Detection Molding.



I've not heard the term "Stateful Anomaly Detection" before, but I presume
you are speaking of what I commonly call network profiling, or, more 
precisely, behavior based anomaly detection.  That said...


With regards to IDS/IDP products which use S.A.D. as a detection engine,
how easy/difficult is it to train the engine to allow malicious traffic.
The idea is that these detection engines monitor traffic over a period
of time and develop rule sets based on the given flow of traffic.


This question seems founded on the notion that there is One Way to do this
sort of monitoring, and I don't think that is a true premise.  Most of the
research and actual implementations I've seen simply model a static view
of the network and compare with that over time.  This could not easily be 
"trained" to accept naughty behavior.  Some do use a moving baseline of the 
network, and this could indeed, at least conceptually, be trained.  The
rapidity and effectiveness of the training would likely, however, be based 
on the statistical methods used to construct that baseline, and this is 
not likely to be by one common means.


What can the Blackhats of the world due to perpetuate rule set molding
of Stateful Anomaly Detection engines to allow malicious traffic through
without being detected?  How reliable are S.A.D. engines in detecting
unwanted traffic?


Two big questions.  One would presume that an effective profiling system
would detect even the smallest deviations from the norm, and an alert 
analyst would take action.  So, unless there was some deviation allowance
threshold, the attacker would have little room to maneuver.  Thats really
the whole point of profiling, isn't it?  As to the reliability, this is 
too product specific to discuss generally, I suspect.

-ds

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Fortinet IDS, Don Draper
Next by Date:  RE: IDS/IPS testing methodology, Leandro Reox
Previous by Thread:  Re: Stateful Anomaly Detection Molding, Thomas Ptacek
Next by Thread:  Re: Fortinet IDS, Don Draper
Indexes:  [Date] [Thread] [Top] [All Lists]