Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Current state of Anomaly-based Intrusion Detection

from [Frank Knobbe] Network Security [Permanent Link]
Subject: RE: Current state of Anomaly-based Intrusion Detection
Date: Tue, 01 Mar 2005 22:14:54 -0600 
On Mon, 2005-02-28 at 08:56 -0800, Andrew Plato wrote:

This all depends on your definition of an "anomaly" detection engine.
I would say that anything that establishes "norms" for protocols or
traffic is, in essence, an anomaly detection system. 


Howdy Andrew,

yeah, an anomaly is the difference between the detected traffic and what
is considered "norm". Norm can be any of those that Jose listed:
Statistical, spec based, relational, or behavioral. (I'm replying to
your email because it summed it up so nicely ;)

However, I think a fifth one should be added. When alerting on an
"anomaly" that differs from "norm", I prefer to alert on "Knowledge" or
"Expectation". That is simply, observing traffic and comparing it to
what the administrator/operator of the network knows and expects. Any
deviation can be considered an anomaly and is worth reporting.

Realistically, that is probably a mix of described relation and
described behavior. I say "described" to make clear that it is not
"learned" by the IDS itself. It is described by the administrator. As
such, it is the admins expectation of data flows that is described to
the IDS. The IDS will watch traffic and alert on deviations -- those
things that the admin didn't expect.


Perhaps profiling it in this light may appear silly to some, but I think
it highlights one important fact -- we've been giving the IDS too much
authority, especially in self-learning IDSes. The IDS by itself does not
know if certain traffic patterns should be there or not, are valid or
not, or are hostile or not. I think we have delegated certain decisions
away from the admin and to the IDS. This is fine and good for "known
bad", but not for "abnormal".

If traffic can be classified as "known bad" and "known good", certainly
there is also "unknown". It seems that most signature and protocol based
IDSes only watch for "known bad". The "unknown" part is detected by most
anomaly based systems. But unknown to who? The IDS or the admin?

I think leaving the IDS to make assumptions about "unknown" is bad
practice. Any "unknown" should be alerted to the admin so that he can
follow up and investigate that, and by doing so converts it from
"unknown" to "known", either "good" or "bad".

That can only be done if the admin defines "normal", not the IDS.

Cheers,
Frank

(not authoritatively or scientifically speaking, but musing about
anomaly detection on the couch...)

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS data sets, Roberto Perdisci
Next by Date:  Re: Need some information on HIDS!, Frank Knobbe
Previous by Thread:  RE: Current state of Anomaly-based Intrusion Detection, Andrew Plato
Next by Thread:  RE: Current state of Anomaly-based Intrusion Detection, SecurIT Informatique Inc.
Indexes:  [Date] [Thread] [Top] [All Lists]