Joseph Hamm wrote:
IMHO comparing pure play behavior detection to IPS is like comparing
apples and oranges.
I couldn't agree more. I spoke up because Stefano brought up the topic
of anomaly detection.
I didn't, actually - it was brought up by other, I only felt right to
chime in on my specific area of research :)
One thing that does bother me is how IPS has been
painted as a "magic bullet" by vendors (and even the press).
It's a painful scene we have seen for most other technologies... you
remember the PKI-fits-all dance, until 3-4 years ago, don't you ? :)
(purchase and maintain) a box everywhere you want coverage. Many folks
don't even know what NetFlow or sFlow is or how it can be used to
provide them much needed security information (and save them money).
This for sure. I wouldn't, however, limit research on anomaly detection
to statistical flow analysis. There is a lot more to it (automatic
correlation of events, unsupervised learning on protocol behavior, etc)
This allows the NADS to find the piece of network infrastructure closest
to the threat (router, switch, firewall, etc.) and take blocking action
there in order to quarantine the attack.
Brrrr. I'm not sure I would like that without a human filter.
Best,
Stefano
Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
