-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf@breach.com]
Sent: Thursday, January 13, 2005 6:23 PM
To: Kohlenberg, Toby; Stefano Zanero; roberto.perdisci@gmail.com
Cc: focus-ids@lists.securityfocus.com
Subject: RE: Specification-based Anomaly Detection
What exactly is your definition of "new-comer"? Seeing as anomaly
detection
has been discussed and studied for at least 15 years as far I know...
I stand corrected: only meant that commercial applications are
relatively new. Signature based IDS is here for the last decade I
believe, while I think that anomaly based techniques found their way to
products just in the last couple of years.
See other email about CMDS. Knowing about that should be basic reading
for anyone working on IDS development or research. Stefano said this
was focused on network IDS but I think the distinction is spurious.
I'm not sure I follow the argument about "perpetual zero day". It
sounds
like a problem of poor signature writing. Could you expand a little
more
on why this is a problem for signature-based approaches as opposed to
anomaly-based approaches?
It is definitely a problem of poor writing. Unfortunately
there are tons
of poorly written code out there and more to come.
That doesn't make it a problem with the technology, just the
implementation.
t
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
