Re: Specification-based Anomaly Detection

Ofer Shezaf wrote:

> Stefano writes that a host and a port define a listening application and

Well, it's not me, it's the RFC definition of what a socket is :)

"A socket is defined to be the unique identification to or from which
information is transmitted in the network. The socket is specified as a 32
bit number... A socket is also identified by the host in which the 
sending or receiving processer is located."

1971 vintage ;)

> then you carry on about detecting an application automatically. 

Something countless papers have been written on.

> In some ways this is more similar to HIDS than to NIDS 

I would be tempted to define it as an host-based IDS in fact

> more commonly used in IDS that we learn the protocol. As the protocol is
> defined by the specific programmer at the organization building the web
> site, learning it and validating that users are in conformance provides
> a layer of security that I'm not sure should be called abnormal behavior
> detection in the common IDS terminology.  

That's exactly what anomaly detection is :-)

There's an interesting paper by Vigna and Kruegel on the specific theme 
of web application anomaly detection that you might find worth a read.

Stefano

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------