Re: Neural Net based Host/Application Anomaly detection systems
From: Jeff Nathan (jeff@wwti.com) Date: 02/26/02
- Previous message: Jensenne Roculan: "Vacation Troller, Please Ignore."
- In reply to: Reidy, Patrick: "RE: Neural Net based Host/Application Anomaly detection systems"
- Next in thread: Derek Walker: "Re: Neural Net based Host/Application Anomaly detection systems"
- Next in thread: Andrew Plato: "Re: Neural Net based Host/Application Anomaly detection systems"
- Reply: Derek Walker: "Re: Neural Net based Host/Application Anomaly detection systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Feb 2002 11:45:11 -0800
From: Jeff Nathan <jeff@wwti.com>
To: "Reidy, Patrick" <Patrick.Reidy@veritect.com>
"Reidy, Patrick" wrote:
>
> Based on my experience with enterprise wide anomaly and trend analysis I
> think the big problem of more advanced anomaly intrusion detection systems
> is the ability of the user to create a large enough data set on which to
> base the anomaly detection. Meaning that most enterprises do not have the
> time, money or inclination to launch hundreds of attacks to evaluate their
> behavior on their given network. Simply providing the user with a "generic"
> base data set is one way to solve the problem. The problem with that, of
> course, is the more granular the anomaly detection becomes, the less generic
> the anomaly detection "scripts" become (i.e. trying to mine out protocol
> anomalies on one network would be completely different than on another). Of
> course, the more granular, the more effective the system. Basically it is a
> big pain in the neck and other body parts of note. That is why I am
> skeptical of any product or tool that claims to be "anomaly based" right out
> of the box. If you can solve the data set problem, I think you would really
> have something there.
>
Great response (I agree).
If networks were to remain static, anomaly detection wouldn't present
such a large problem. However, networks change. The larger the network,
the more likely change is occurring somewhere on the network. If
anomaly detection is to remain accurate and complete it must continually
be able to learn, and, as we've mentioned time and time again, it is this
learning process that is the Achilles' heel of anomaly detection.
A small data set will be incomplete. A large data set will be
inaccurate once change occurs. A neural system that continues to learn
based upon new data exposes itself to learning that attacks are not
anomalous. Is this surmountable in a controlled environment? Sure. In
an enterprise data center? I'm not so sure.
-Jeff
-- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
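The dilemma Jeff describes (a baseline that does not learn goes stale as soon as legitimate traffic changes; a baseline that keeps learning can be taught that an attack is normal) can be shown with a toy detector. The following is an added example written for this archive page, not code from Jeff, Patrick or any product discussed in the thread. It uses an exponentially weighted moving average of a per-minute connection count with a relative tolerance band, and compares three learning policies against two constructed traffic series: a legitimate doubling of load, and an attacker ramping a flood by 2% per minute so that no single minute looks abnormal. The series, the parameter values (alpha 0.2, tolerance 25%) and the flood rate are all assumptions chosen for the illustration.

```python
"""Added illustration (constructed data, not captured traffic) of the
anomaly-detection learning dilemma discussed in the thread.

Detector: an exponentially weighted moving average (EWMA) of a per-minute
connection count; a minute is flagged when it deviates from the baseline
by more than a relative tolerance. Three learning policies are compared:
  "none"      baseline fixed after training (static).
  "unflagged" baseline adopts only values it did not flag.
  "all"       baseline adopts every value, flagged or not.
"""

from typing import List, Tuple


def jittered(level: int, n: int) -> List[int]:
    """Deterministic pseudo-jitter of -5..+5 around `level` (constructed)."""
    return [level + (i * 7) % 11 - 5 for i in range(n)]


# Constructed series (connections per minute); assumptions, not real data.
BASELINE = jittered(100, 60)        # quiet period used to train the detector
LEGIT_CHANGE = jittered(200, 60)    # a new service legitimately doubles load
SLOW_RAMP = [int(100 * 1.02 ** i) for i in range(120)]  # attacker +2%/minute
ABRUPT_FLOOD = 1000                 # roughly the ramp's final rate, in one step


class EwmaDetector:
    def __init__(self, training: List[int], alpha: float = 0.2,
                 tolerance: float = 0.25, learn: str = "none"):
        assert learn in ("none", "unflagged", "all")
        self.mean = sum(training) / len(training)   # baseline from training data
        self.alpha = alpha            # weight of the newest observation
        self.tolerance = tolerance    # relative band around the baseline
        self.learn = learn

    def is_anomalous(self, value: int) -> bool:
        """Score against the current baseline without updating it."""
        return abs(value / self.mean - 1.0) > self.tolerance

    def observe(self, value: int) -> bool:
        """Score `value`, then update the baseline according to the policy."""
        flagged = self.is_anomalous(value)
        if self.learn == "all" or (self.learn == "unflagged" and not flagged):
            self.mean = (1 - self.alpha) * self.mean + self.alpha * value
        return flagged


def count_flags(detector: EwmaDetector, series: List[int]) -> int:
    """Number of minutes in `series` the detector flags (baseline updates as it goes)."""
    return sum(detector.observe(v) for v in series)


def legit_change_flags(learn: str) -> int:
    """How many of the 60 minutes after a legitimate doubling get flagged."""
    return count_flags(EwmaDetector(BASELINE, learn=learn), LEGIT_CHANGE)


def ramp_then_flood(learn: str) -> Tuple[int, float, bool]:
    """Feed the slow ramp, then ask whether the full-rate flood is still flagged.
    Returns (flags during ramp, learned baseline mean, flood flagged?)."""
    det = EwmaDetector(BASELINE, learn=learn)
    ramp_flags = count_flags(det, SLOW_RAMP)
    return ramp_flags, det.mean, det.is_anomalous(ABRUPT_FLOOD)


if __name__ == "__main__":
    for policy in ("none", "unflagged", "all"):
        print(f"{policy:10s} legitimate doubling: "
              f"{legit_change_flags(policy)}/60 minutes flagged")
    for policy in ("none", "unflagged", "all"):
        flags, mean, flood = ramp_then_flood(policy)
        print(f"{policy:10s} slow ramp: {flags}/120 minutes flagged, "
              f"baseline now {mean:.0f}/min, flood of {ABRUPT_FLOOD} flagged: {flood}")
```

With these assumptions the static baseline flags every minute of the legitimate doubling and never recovers; the "unflagged" learner behaves identically, because the changed traffic is flagged and therefore never enters its baseline; and the "all" learner absorbs the change after a handful of minutes but, fed the 2%/minute ramp, both learning policies flag nothing and finish with a baseline near 980 connections/min, at which point a flood of 1000/min is not anomalous at all. The "small" window versus "large" window trade-off Jeff raises maps onto alpha here: a larger alpha forgets faster and so both adapts to legitimate change and gets walked by a ramp more quickly.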