Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Current state of Anomaly-based Intrusion Detection

from [Orit Vidas] Network Security [Permanent Link]
Subject: RE: Current state of Anomaly-based Intrusion Detection
Date: Tue, 8 Mar 2005 11:15:09 -0800 
Goran,
I would like to refer you to an interesting white paper about 'Baseline
Analysis of Security Data'. You can fine it in security docs.

In a nutshell, the approach is that anomalies should not be identified
at the raw data level, but should be searched for in the security alerts
themselves. The reason is two folded: a) the raw data is simply too much
to perform non-local analysis, and b) working with the raw data loses
all the security context of the incident (signature description, how to
and what to do advises, relevant patches, etc.).

Orit Vidas
orit@securimine.com

-----Original Message-----
From: Göran Sandahl [mailto:goran@gsandahl.net] 
Sent: Friday, February 25, 2005 4:05 PM
To: focus-ids@lists.securityfocus.com
Subject: Current state of Anomaly-based Intrusion Detection

Hi all.

I'm trying to get a picture of the current state of Anomaly-based 
network-monitoring-systems. In other words, Anomaly-based IDSs (are they

really called ADSs?). 
After following the thread "Specification-based Anomaly Detection", I've

realised that this question probably has allot of answers. However, I'd
be 
very glad if you would take the time and write a couple of lines on what
you 
think of the techniques that are used today, and whats needed for the
future. 
I'm interested in "both sides of the story", so please tense your
muscles and 
raise your voice ;)

As i figured, there are two different techniques that these systems work
upon. 
Either, they are based on specifications (for example, hardcoded 200kb/s

SMTP-traffic is normal) , or on statistic (Based on an "average". For 
example, 20 current TCP-sessions is normal). How does these techniques
really 
work? How are they implemented today? How is this statistical
information 
usually gathered? 

Also, signature-based IDSs are vulnerable to false alerts of different
kinds 
(postitive, negative etc). I can imagine that anomaly-based techniques
might 
suffer even worse to this. True?

And finally, while "reading through the lines" on some of the posts to
the 
thread mentioned above, I got a feeling that this technique isn't yet
ready 
for prime-time yet. Why is this? As I figure, the whole idea with
network 
intrusion detection is pretty new, and none of the techniques seems to
be 
without flaws.

Thanks in advance
Cheers
Göran

-- 
Göran Sandahl
mail:        goran@gsandahl.net
web:         http://gsandahl.net

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Session Hijacking, Angel L Rivera
Next by Date:  IDS Signature Releases, Andy Cuff [Talisker]
Previous by Thread:  RE: Current state of Anomaly-based Intrusion Detection, Gunnoe, Jason
Next by Thread:  Re: Need some information on HIDS!, SecurIT Informatique Inc.
Indexes:  [Date] [Thread] [Top] [All Lists]