Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

anomaly IDS ideas ?

from [the_aok] Network Security [Permanent Link]
Subject: anomaly IDS ideas ?
Date: 1 Feb 2006 19:41:16 -0000 
hello,
im a computer science student and i have to do my graduation project 
next 
semester, i want to do it on anomaly IDS's. i have searched the 
internet and 
found little on that subject,here are my ideas on how to implement a 
network 
anomaly IDS,please correct me where im wrong or if u have any other 
references or ideas i would be happy to hear from you:
the IDS will have 2 stages;first it will study the network traffic and 
build 
some kind of a database that keeps what should be marked as 'safe' and 
after 
collecting enough information it should start running and issue alerts 
when 
anomalies happen(network data will be compared to the database built in 
the 
first stage),this is the data im going to collect:
1-information about each hostname,IP address,and MAC address.(i think 
this 
should stop ARP Poisoning attacks by comparing later traffic to the 
database 
of MAC addresses associated with IP addresses)
2-ports open on each host and ports that each host connects to.the IDS 
should issue an alert if the host opens a port which wasnt open before 
or 
tries to connect to a new port; with this i think that exploits that 
use 
bind or connectback shellcode should be stopped.
3-times each host uses the network and which usernames it uses to 
connect to 
network resources; this should enable the IDS to detect if someone else 
is 
using the computer or using a different username.

this is it :) i know that this is not near enough and that is why im 
sending 
this email, for example if someone uses an upload/exec shellcode in an 
exploit i dont think that the IDS will detect it, or if a trojan 
connects to 
a common port(for example port 80) the IDS won't notice it.
another thing i want is to minimize false positives,which is an 
important 
thing.the main aim of the IDS will be to stop 0day attacks from 
happening, 
so if anyone has any ideas or any references i would really appreciate 
it.
thank you,


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: Real world experience with HIDS, Pukhraj Singh
Next by Thread:  Re: anomaly IDS ideas ?, Simon Biles
Indexes:  [Date] [Thread] [Top] [All Lists]