RE: Specification-based Anomaly Detection

I don't see it as being fussy, I see it as being a clear and
serious gap in the awareness of the history of intrusion detection.
Whenever I talk to vendors or researchers (on any topic) I expect
them to know at least as much about their product space as I do
(I'm a generalist, if I know it, a specialist damn well better).

I don't know about anyone else, but I'm sick of seeing ideas that
have been around for 20 years touted as "ground breaking!" or 
"revolutionary!".

t 

> -----Original Message-----
> From: (infor) urko zurutuza [mailto:uzurutuza@eps.mondragon.edu] 
> Sent: Monday, January 17, 2005 7:47 AM
> To: Stefano Zanero; Kohlenberg, Toby
> Cc: Ofer Shezaf; focus-ids@lists.securityfocus.com
> Subject: RE: Specification-based Anomaly Detection
>
> Don't be so fussy! I agree with Stefano, the big IDS 
> trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just 
> started offering a little bit of real anomaly detection (using 
> AI instead of signatures!), even if we know that network 
> anomaly detection is almost 15 years old in the research 
> comunity (I think the first was NADIR (Network Anomaly 
> Detector and Intrusion Reporter, of Los Alamos National 
> Laboratory in 1990).
>
> __________________________________________________
> MONDRAGON UNIBERTSITATEA
> Urko Zurutuza
> Dpto. Informática
> Loramendi 4 - Aptdo.23
> 20500 Arrasate-Modragon
> Tel. +34 943 739636 // +34 943 794700 Ext.297
> www.eps.mondragon.edu
> uzurutuza@eps.mondragon.edu
>
>
>
> > -----Mensaje original-----
> > De: Stefano Zanero [mailto:zanero@elet.polimi.it] 
> > Enviado el: jueves, 13 de enero de 2005 21:14
> > Para: Kohlenberg, Toby
> > CC: Ofer Shezaf; focus-ids@lists.securityfocus.com
> > Asunto: Re: Specification-based Anomaly Detection
> >
> > Kohlenberg, Toby wrote:
> >
> > > > - and that anomaly detection (in particular techniques 
> which are not
> > > > rate-based) is a relative "newcomer" in the COMMERCIAL field of 
> > > > intrusion detection, where most of the products are built 
> > on a misuse 
> > > > detection approach.
> > >
> > > Really? What would you call CMDS? Which was a commercial 
> > system that 
> > > used anomaly detection by building user profiles and was available 
> > > from ODS in the mid-90s?
> >
> > My omission here: I meant NETWORK intrusion detection, as we 
> > were talking about NIDS in those posts. Commercial anomaly 
> > detection systems exist.
> >
> > --
> > Cordiali saluti,
> > Stefano Zanero
> > Dottorando di Ricerca / Ph.D. Student
> >
> > Politecnico di Milano - Dip. Elettronica e Informazione Via 
> > Ponzio, 34/5 I-20133 Milano - ITALY
> > Tel.    +39 02 2399-3660
> > Fax.    +39 02 2399-3411
> > E-mail: zanero@elet.polimi.it
> > Web:    www.elet.polimi.it/upload/zanero
> >
> > --------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world 
> > attacks from CORE IMPACT.
> > Go to 
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------
> > ------------
>
> ---------------------------------------------------------------
> -----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ---------------------------------------------------------------
> -----------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------