
| Subject: | RE: Specification-based Anomaly Detection |
|---|---|
| Date: | Thu, 13 Jan 2005 01:11:12 -0800 |
-----Original Message-----
From: Stefano Zanero [mailto:zanero@elet.polimi.it]
Sent: Tuesday, January 11, 2005 1:29 AM
To: Kohlenberg, Toby
Cc: Ofer Shezaf; focus-ids@lists.securityfocus.com
Subject: Re: Specification-based Anomaly Detection

> Kohlenberg, Toby wrote:
> > Stefano, could you expand on which part you agree with? I'm really confused to think that you would agree that anomaly detection would be new to IDS.
>
> I would agree that:
> - anomaly detection is needed as a complementary approach to misuse detection because of the inherent limits of the latter

Okay, that makes sense and I think most would agree with it.

> - and that anomaly detection (in particular techniques which are not rate-based) is a relative "newcomer" in the COMMERCIAL field of intrusion detection, where most of the products are built on a misuse detection approach.

Really? What would you call CMDS? Which was a commercial system that used anomaly detection by building user profiles and was available from ODS in the mid-90s? Here's the announcement of the 4.0 release from 1999: http://www.intrusion.com/about/news/releases/1999/011999.pdf As I recall, it was originally developed by SAIC in the early 90s. I'd say it's been around for quite a while.

> > Really? What about apps that all tunnel over a single port?
>
> That would be a problem even if you work at application layer ;)

Why?

> Please note that Ofer was not advocating HOST-based intrusion detection but NETWORK-based approaches working at layer 7

Right, I got that. But so long as you aren't encrypting the traffic, I can dissect it. I won't always get the fragmentation right but I can probably figure out the application if I look.

> > Are you getting the application that IANA says runs on that port or are you getting SAP using telnet on some random port or Cisco using HTTP on yet another random port?
>
> That's something that the algorithm we have developed can recognize ;)

Yes, but not by looking at IP/port pairs. You'll need more detail than that.

> > No, but it does give you a much better chance of finding "actionable" (or ignorable)
>
> Yes, but since we are discussing whether or not ANOMALY detection is "actionable" (I'm not a native speaker but this word sounds horrible to me :) this objection is not relevant. Or better, it says exactly what Tom and I were saying: anomaly detection is not, and this is a disadvantage wrt misuse detection.

(you're right that word is horrible, but I've seen native speakers do worse. I have to work with some of them... :) ) Actually, I'd say that anomaly detection is completely actionable in limited situations where the existence of an anomaly is enough of an issue that it raises a concern. Don't throw the baby out with the bathwater. Anomaly detection has real issues but it is just as useful for taking action as misuse detection when you use it wisely.

t

> Best,
> Stefano