Re: Specification-based Anomaly Detection

A bunch of products do this. Their vendors listen on the list and 
they'll  chime in shortly.

However, ask yourself whether this is really a good idea.

What makes you think that information about supposed RFC violations on 
your network will be actionable? Most people don't find information 
about supposed malicious traffic to be genuinely actionable. I'm not 
aware of any evidence, not even anecdotal, of new vulnerabilities being 
discovered by anomaly detection systems of any stripe.

And I'm saying this while associated with the industry leader in 
anomaly detection.

There are things anomaly techniques are very well suited for. Worms, 
policy violations, DoS attacks, and in particular attack mitigation. 
Replacing signature IDS is not one of those things.

On Jan 3, 2005, at 12:59 PM, Roberto Perdisci wrote:

> some techniques, e.g. Finite State Automaton, to find out anomalies
> during a client-server command/respose session (e.g. FTP, HTTP, SMTP,
> etc...). The FSA, or conceptually equivalent models, should be
> implemented following the protocol specifications (RFC) and it would
---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------