Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IPS comparison

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: IPS comparison
Date: Fri, 09 Sep 2005 12:48:39 -0500 
On Thu, 2005-09-08 at 11:06 +0530, Sanjay Rawat wrote:

the points which you raised are correct, but this is the underline 
assumption that you have CLEAN attack-free data to train your anomaly IDS. 
in the example, which you put, you need to ensure that your new host

is not 

compromised. 


Well of course. I would hope that you can control your environment
enough so that you have an attack-free "window" where you can define, or
let it learn, the profile of "known good" traffic.


Also, from time to time, you need to update the learning by 
putting your  IDS in learning/training mode. In fact, such things are main 
barriers in deploying anomaly based IDS.


I disagree with that. If you retrain your anomaly based IDS on a
periodic bases, you will pollute your "known good" profile. Instead, I'd
suggest you retrain it whenever you made infrastructure changes and have
expected traffic present that deviate from the "normal" profile. Then
the IDS will adjust to the "new normal" traffic flow. 

If you don't make any changes to the environment, I would not retrain
the IDS. So your "from time to time" action should be trigger by known
events (known host/traffic changes) and not blindly on a periodic
basis. 

Cheers,
Frank




-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Cisco IDS - RDEP client - Export data?, Billy Dodson
Next by Date:  Re: IPS comparison, Sanjay Rawat
Previous by Thread:  Re: IPS comparison, Sanjay Rawat
Next by Thread:  Re: IPS comparison, Sanjay Rawat
Indexes:  [Date] [Thread] [Top] [All Lists]