Dragos Ruiu wrote:
With all deferences to Stefano and his recearch in the area, I haven't seen
any of the statistical anomaly methods produce any significant results yet.
And this is exactly why it's good to do research on this. Thanks for the
mention *bows* :)
Most sysadmins don't have much of an idea of what constitutes "normal"
traffic patterns on their nets and I have yet to see a formal mechanical
model that can do even less than that.
Well, actually the whole idea of an anomaly detection system is to learn
what is normal so that you don't have to define that. I don't know if
you've attended CanSecWest 04 :) but in my speech I stressed this point
a lot. An anomaly detection system which asks as an input the
description of normality is bound to fail.
That said, imho, the best statistical
anomaly detection on the market is still a human brain and a little
quality time with tcpdump :). The price is right too :-).
No discussions on this :) But a good anomaly detector would give you an
heads-up on what to monitor. That's the direction of my research, at least.
As for Adam. It's not really true that being a "for profit" company
makes it impossible for you to publish your research (ask IBM for
details). Sure, if your research is just little more than R&D then it's
obviously secret. But since "small scale R&D" is not enough to solve the
problem of anomaly detection, I have to suppose yours is some kind of
breakthrough.
Breakthroughs can be published, they've always been. As a rule, if
there's no research track behind the claims of a vendor, I tend to
highly doubt on any claim of "enormous innovation" in their marketing
brochures.
Regards,
Stefano Zanero
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
