the_aok@yahoo.com wrote:
found little on that subject
There are hundreds of paper on that topic, I kindly advise that you
search the usual engines a bit better :)
What you are describing is a general and vague concept of a learning
algorithm which tries to find outliers on network traffic. A nice
concept, but you really should work out the details a bit more :)
anomalies happen(network data will be compared to the database built in
the first stage),
How ? this is one of the deepest questions in unsupervised learning :)
1-information about each hostname,IP address,and MAC address.
This is something any tool for arpspoofing detection already does...
2-ports open on each host and ports that each host connects to.the IDS
should issue an alert if the host opens a port which wasnt open before
or tries to connect to a new port;
You should check Marcus Ranum ideas on this subject, and also the Arbor
Networks products follow similar patterns.
But this is really "old news" in research terms.
3-times each host uses the network and which usernames it uses to
connect to
network resources; this should enable the IDS to detect if someone else
is
using the computer or using a different username.
This is not an indication of an attack, actually.
Best regards and good luck,
Stefano Zanero
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
