Re: Signature vs Anomaly- again (wasRe: IDS Players?)
From: Greg Shipley (gshipley@neohapsis.com) Date: 06/18/02
- Previous message: Talisker: "Re: IDS Players?"
- In reply to: Vitaly Osipov: "Signature vs Anomaly- again (wasRe: IDS Players?)"
- Next in thread: Vitaly Osipov: "Re: Signature vs Anomaly- again (wasRe: IDS Players?)"
- Next in thread: Greg Shipley: "Re: IDS Players?"
- Reply: Vitaly Osipov: "Re: Signature vs Anomaly- again (wasRe: IDS Players?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Jun 2002 16:40:52 -0500 (CDT) From: Greg Shipley <gshipley@neohapsis.com> To: Vitaly Osipov <witt@iol.ie>
On Tue, 18 Jun 2002, Vitaly Osipov wrote:
> I guess the differences between these two were discussed many times -
> but does anybody know of any commercial system (and the one what is used
> by more than a couple of people :) ), which is based on anomaly
> detection rather than on signature matching? I recently heard that ISS
> started to use some neural net features in its sensors (in syn flood or
> scans detection perhaps) - is it true?
You might want to specify what you mean by "anomaly." Are you talking
protocol anomaly (i.e. "this HTTP packet looks funny"), traffic anomaly
(i.e. "Hey, why did our UDP traffic spike to 30%?"), or ....?
There was a huge thread about this that started here:
http://archives.neohapsis.com/archives/sf/ids/2002-q1/0234.html
And some of my examples here:
http://archives.neohapsis.com/archives/sf/ids/2002-q1/0239.html
...and further discussions on this area are in that thread. It might be
worth a quick read.
With that said, a lot of the products out there are combining
protocol-based anomaly detection *AND* signature-based detection. For
example, I know Intrusion's SNP and ISS' RealSecure do this, Cisco's
product *I believe* has some of this functionality, and I've heard
Intruvert's new product does this as well. I'm sure there are others.
You also have to take into account what level this is being performed at
(TCP vs. HTTP, for example).
Unfortunately, it's not a simple question to answer without more
questions...
-Greg
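To make Greg's three-way distinction concrete, here is a small added example (not code from the post or from any product named in it) that runs a signature check, an HTTP-level protocol-anomaly check, and a traffic-level anomaly check over a handful of constructed packet records; the signature name, the request-line grammar and the UDP baseline are all assumptions chosen for the illustration.

```python
import re

# Constructed records: (transport, payload bytes). Not real captures.
SAMPLE = [
    ("TCP", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("TCP", b"GET /cgi-bin/demo-hole.cgi?x=1 HTTP/1.0\r\n\r\n"),  # signature hit, valid HTTP
    ("TCP", b"GET /\x00\x01\xff HTTP/7.3\r\n\r\n"),                 # protocol anomaly, no signature
    ("UDP", b"\x01" * 20),
    ("UDP", b"\x02" * 20),
    ("UDP", b"\x03" * 20),
]

# Hypothetical signature: a known-bad string, matched regardless of structure.
SIGNATURES = {"demo-hole-probe": re.compile(rb"/cgi-bin/demo-hole\.cgi")}

# Simplified HTTP request-line grammar used for the protocol-anomaly check.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) [\x21-\x7e]+ HTTP/1\.[01]\r\n")


def signature_hits(payload):
    """Signature detection: which known-bad patterns appear in this payload?"""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


def http_protocol_anomaly(payload):
    """Protocol anomaly at the HTTP level ("this HTTP packet looks funny").

    Returns a reason string, or None when the request line is well formed."""
    if REQUEST_LINE.match(payload):
        return None
    return "malformed HTTP request line"


def udp_share(records):
    """Fraction of records carried over UDP."""
    return sum(1 for proto, _ in records if proto == "UDP") / len(records)


def traffic_anomaly(records, baseline=0.10, slack=0.15):
    """Traffic anomaly: UDP share well above an assumed baseline ("why did UDP spike?").

    Returns the observed share when it exceeds baseline + slack, else None."""
    share = udp_share(records)
    return share if share > baseline + slack else None


def analyse(records):
    """Run all three checks; each flags a different thing about the same traffic."""
    sigs = [(i, signature_hits(p)) for i, (t, p) in enumerate(records) if t == "TCP"]
    proto = [(i, http_protocol_anomaly(p)) for i, (t, p) in enumerate(records) if t == "TCP"]
    return {
        "signature": [(i, s) for i, s in sigs if s],
        "protocol": [(i, r) for i, r in proto if r],
        "traffic": traffic_anomaly(records),
    }
```

Note that record 1 trips the signature while being perfectly valid HTTP, and record 2 trips the protocol check while matching no signature, which is why the two approaches are combined rather than substituted for each other.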