Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: anomaly vs signature

from [Michael Vergoz] Network Security [Permanent Link]
Subject: Re: anomaly vs signature
Date: Fri, 4 Aug 2006 09:33:32 +0200
Indeed, categorization can be done between anomaly based vs signature based. that's a traditional approach, a complementary one is white list (everything not recognized is not allowed) or black list (i only stop what i know to be suspicious -signature, protocol anomaly, ...-, the rest is accepted). This second approach is from our point of view less efficient and much more resource consuming. I would like to suggest you test (and give your feedback !) on our beta test product : http://www.binarysec.com which is a web firewall to be installed on an apache server (with linux), it uses an artificial intelligence engine. everything is software (1 Apache module + 1 server).

Michael Vergoz

----- Original Message ----- From: "Roland Dobbins" <rdobbins@cisco.com>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, August 02, 2006 5:53 PM
Subject: Re: anomaly vs signature



On Jul 31, 2006, at 8:58 PM, SanjayR wrote:

Please read the first line as "Yes...its true that there are more misuse based ID systems than the anomaly based. "
thanks
At 11:02 AM 7/28/2006, SanjayR wrote:
Yes...its true that there are more anomaly based ID systems than the misuse based. One possible reason may be the rate of FPs for anomaly based systems. If you look at the research perspective, there is a big gap between the research and commercial ID systems. Reason may be research is focusing on Machine learning, data mining

I can't agree with this statement - properly-implemented AD systems don't exhibit false positives at all, the key is whether or non one - cares- about the anomalies one's seeing (and that's where tuning comes in). My operational experience with commercial anomaly- detection systems on production networks over the last 5 years is that they're extremely useful for SP and large enterprise opesec teams in terms of detecting/classifying/tracing back DoS attacks, worm outbreaks, and other forms of network behaviors which may not be deemed security risks in and of themselves, but which are interesting or of possible forensic value (i.e., user kicks off large ftp transfer to a server he's never accessed before, etc.), and I've never seen a false positive during that time.

There are several commercial AD systems (both statistical and behavioral) which are quite good; there's also an open-source project called Panoptis, but it's been inactive for a while.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

     Everything has been said.  But nobody listens.

                   -- Roger Shattuck




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  tcpreplay 3.0.beta10 released, Aaron Turner
Next by Date:  Re: detecting network crowd surges, rgula@tenablesecurity.com
Previous by Thread:  Re: anomaly vs signature, Roland Dobbins
Next by Thread:  Re: anomaly vs signature, Rodrigo Blanco
Indexes:  [Date] [Thread] [Top] [All Lists]