Re: IDS thoughts

From: Lance Spitzner (lance_at_honeynet.org)
Date: 05/21/03

    Date: Tue, 20 May 2003 20:48:39 -0500 (CDT)
    To: Ramani Yellapragada <ryellapr@masaka.cs.ohiou.edu>
    
    

    On Tue, 20 May 2003, Ramani Yellapragada wrote:

    > > "Anomaly detection" isn't an architecture or implementation. It's no
    > > more "rate over time, cross host cross protocol" than it is "validate
    > > against RFCs". Anomaly detection is the philosophy of design that says
    > > that we can find interesting events by looking for deviations from the
    > > norm.
    >
    > But what are the common approaches to build upon this design idea? Say if we
    > are looking at anomalies for a protocol. Then we could be looking at certain
    > standard protocols(say ssh, smtp etc), learn their norm and look for
    > deviations. But what if the anomaly is happening on another never used
    > protocol. What if we had not looked at the norm for that protocol? Doesn't
    > anomaly detection then boil down to signature-based method? Are there ways by
    > which we can study deviations on general network traffic?

    Keep in mind, there are many different approaches to anomaly detection.
    For example, honeypots are in many ways nothing more than an anomaly detection
    device. Theoretically, a honeypot should never see any traffic. Any traffic
    it does see is a deviation, by definition an anomaly. This is a very simple,
    yet very effective approach to detecting and capturing activity never seen
    before.

    lance

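The honeypot-as-anomaly-detector idea in Lance's reply, as an added example that is not part of the original thread: the norm for a honeypot address is zero traffic, so the detector needs no per-protocol baseline and a port it has never seen is flagged exactly like an SSH or SMTP probe. The honeypot range, the management host and the flow-log lines below are all constructed for the example.

```python
"""Honeypot traffic as anomaly detection, over constructed flow records.

Added example, not code from the original thread. A honeypot address has a
baseline of "no legitimate traffic at all", so any flow to it is a deviation
regardless of protocol or port: no per-protocol norm has to be learned first.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical honeypot range (RFC 5737 TEST-NET-1, chosen for the example).
HONEYPOT_NETS = [ipaddress.ip_network("192.0.2.0/29")]

# Hypothetical operator host allowed to reach the honeypots for maintenance;
# without this exclusion the operator's own sessions would be "anomalies".
MANAGEMENT_HOSTS = {ipaddress.ip_address("198.51.100.10")}

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def is_honeypot(addr: str) -> bool:
    """True if addr falls inside one of the honeypot ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HONEYPOT_NETS)


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow line; return None for lines we cannot read."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Flag every flow whose destination is a honeypot, except from management hosts.

    There is no protocol or port list here on purpose: a port never seen
    before is flagged exactly as an SSH or SMTP probe would be, because the
    expected volume of traffic to a honeypot is zero.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparseable input is skipped, not treated as an anomaly
        if not is_honeypot(flow["dst"]):
            continue  # production traffic has its own norm; not our concern here
        if ipaddress.ip_address(flow["src"]) in MANAGEMENT_HOSTS:
            continue  # known-legitimate operator access
        alerts.append(Alert(flow["ts"], flow["src"], flow["dst"],
                            int(flow["dport"]), flow["proto"]))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Counter:
    """Count alerts per source, the usual first triage view of honeypot hits."""
    return Counter(a.src for a in alerts)


# Constructed sample flows (not a real capture). Source addresses are from
# RFC 5737 TEST-NET-3 and are placeholders.
SAMPLE_FLOWS = [
    "2003-05-20T20:48:01 203.0.113.7:4321 -> 192.0.2.5:22 tcp",      # probe of a common service
    "2003-05-20T20:48:02 203.0.113.7:4322 -> 192.0.2.5:6000 tcp",    # port with no learned norm
    "2003-05-20T20:48:03 198.51.100.10:51000 -> 192.0.2.5:22 tcp",   # operator maintenance, excluded
    "2003-05-20T20:48:04 203.0.113.9:5555 -> 198.51.100.20:25 tcp",  # real mail server, not a honeypot
    "2003-05-20T20:48:05 203.0.113.11:40000 -> 192.0.2.3:161 udp",   # UDP hit, different protocol
    "this line is not a flow record",                                # skipped by the parser
]

if __name__ == "__main__":
    hits = detect(SAMPLE_FLOWS)
    for a in hits:
        print(f"{a.ts} anomaly: {a.src} -> {a.dst}:{a.dport}/{a.proto}")
    print("per-source:", dict(summarize(hits)))
```

The management-host exclusion is the one piece of "norm" the detector does carry, and it is where false positives come from in practice: any legitimate path to the honeypot (backup agents, vulnerability scanners, the operator's own shell) has to be listed, or it will be reported as an attack.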

