Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IPS comparison

from [Sanjay Rawat] Network Security [Permanent Link]
Subject: Re: IPS comparison
Date: Mon, 12 Sep 2005 11:16:15 +0530
At 11:18 PM 9/9/2005, Frank Knobbe wrote: 
On Thu, 2005-09-08 at 11:06 +0530, Sanjay Rawat wrote:
> the points which you raised are correct, but this is the underline
> assumption that you have CLEAN attack-free data to train your anomaly IDS.
> in the example, which you put, you need to ensure that your new host
is not
> compromised.

Well of course. I would hope that you can control your environment
enough so that you have an attack-free "window" where you can define, or
let it learn, the profile of "known good" traffic.

> Also, from time to time, you need to update the learning by
> putting your  IDS in learning/training mode. In fact, such things are main
> barriers in deploying anomaly based IDS.

I disagree with that. If you retrain your anomaly based IDS on a
periodic bases, you will pollute your "known good" profile. Instead, I'd
suggest you retrain it whenever you made infrastructure changes and have
expected traffic present that deviate from the "normal" profile. Then
the IDS will adjust to the "new normal" traffic flow.

If you don't make any changes to the environment, I would not retrain
the IDS. So your "from time to time" action should be trigger by known
events (known host/traffic changes) and not blindly on a periodic
basis.

I agreed on this. Actually, may be I could not put it properly, but I meant the same. Whenever one observes the changes or many false alarms (false positive), one should think of retraining the IDS. also, if you are using some "incremental learning algorithm", you need not to worry about loosing (polluting) known learning. you need not to train you IDS on old+new data. only new data is sufficient. however, this is valid only when there is no change in the old behavior and some new behavior has been introduced.

regards
Sanjay


Cheers,
Frank




--
Ciscogate: Shame on Cisco. Double-Shame on ISS.


Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IPS comparison, Frank Knobbe
Next by Date:  Auto-sensing for IPS devices, ferg
Previous by Thread:  Re: IPS comparison, Frank Knobbe
Next by Thread:  MIT Darpa Dataset,, Wilmar SULAIMAN
Indexes:  [Date] [Thread] [Top] [All Lists]