Re: Current state of Anomaly-based Intrusion Detection

On Mar 1, 2005, at 2:17 PM, Gunnoe, Jason wrote:
> I have seen large ISP's implement anomaly technologies on internet 
> backbones, but typically, they are only useful for identifying large 
> scale malware disruptions before they happen.  They always give the 
> slammer example, which is what, 4 years old now...

The Slammer example is usually given because it was one of the hardest 
attacks in the last 2 years to defend against, and one of the most 
damaging.

I'm not sure whether you're trying to imply that these detection 
capabilities "weren't up to the task" of detecting Sasser. If that's 
your point, why don't you take a minute to justify it?

---
Thomas H. Ptacek // Arbor Networks
(734) 327-0000


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------