Kohlenberg, Toby wrote:
Stefano, could you expand on which part you agree with? I'm really
confused to think that you would agree that anomaly detection would
be new to IDS.
I would agree that:
- anomaly detection is needed as a complementary approach to misuse
detection because of the inherent limits of the latter
- and that anomaly detection (in particular techniques which are not
rate-based) is a relative "newcomer" in the COMMERCIAL field of
intrusion detection, where most of the products are built on a misuse
detection approach.
is zero day
Or highly polimorph attacks, yes.
Or custom-written attacks
Absolutely correct !
Really? What about apps that all tunnel over a single port?
That would be a problem even if you work at application layer ;)
Please note that Ofer was not advocating HOST-based intrusion detection
but NETWORK-based approaches working at layer 7
Are you getting the application that IANA says runs on that port or
are you getting SAP using telnet on some random port or Cisco using
HTTP on yet another random port?
That's something that the algorithm we have developed can recognize ;)
This is basic misuse detection, it does not mean you can deliver an
actionable anomaly detection result.
No, but it does give you a much better chance of finding "actionable"
(or ignorable)
Yes, but since we are discussing wether or not ANOMALY detection is
"actionable" (I'm not a native speaker but this word sounds horrible to
me :) this objection is not relevant. Or better, it says exactly what
Tom and I were saying: anomaly detection is not, and this is a
disadvantage wrt misuse detection.
Best,
Stefano
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
