Re: How do behavioral/anomaly detection systems learn?
From: Stefano Zanero (stefano.zanero_at_ieee.org)
Date: 02/08/04
- Previous message: Stefano Zanero: "Re: How do behavioral/anomaly detection systems learn?"
- In reply to: Sasha Romanosky: "RE: How do behavioral/anomaly detection systems learn?"
- Next in thread: Jason Anderson: "Re: How do behavioral/anomaly detection systems learn?"
Date: Sun, 08 Feb 2004 19:46:03 +0100
To: focus-ids@securityfocus.com
Sasha Romanosky wrote:
> You raise a very interesting attack against these systems, that of
> someone "teaching" the system bad habits. Any idea what sort of conditions
> might exist to facilitate this, or how one might go about it?
It's quite simple, actually. There is no need to retrain the IDS
on-line. Once trained under controlled conditions, most of these
systems drift very slowly under normal operations.
The concept is known as the "semantic drift issue" in the Anomaly Detection
literature.
Stefano
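
An added illustration of the point made in the reply above (not part of the original message): a baseline trained once on controlled data keeps flagging a slow shift in the monitored value, while a baseline that keeps learning online absorbs the same shift without a single alert. The detector, the `alpha` parameter and all sample values are constructed for this example.

```python
import statistics

# Constructed training data: a clean, controlled period centred on 100.
TRAINING = [95.0, 100.0, 105.0] * 100

# Constructed monitored stream: the value creeps upward by 0.1 per sample,
# ending roughly twice as high as anything seen in training.
STREAM = [100.0 + 0.1 * i for i in range(1000)]


def train(samples):
    """Fit a mean / standard-deviation baseline from the training period."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def run(stream, mean, std, k=3.0, alpha=0.0):
    """Return the indices of samples flagged as anomalous.

    alpha == 0 keeps the trained baseline frozen.
    alpha  > 0 updates the mean online (EWMA) with every sample the
    detector accepted as normal, i.e. it keeps learning in production.
    The standard deviation is left as trained in both modes.
    """
    alerts = []
    for i, x in enumerate(stream):
        if abs(x - mean) > k * std:
            alerts.append(i)
        elif alpha:
            mean = (1 - alpha) * mean + alpha * x
    return alerts


def compare():
    """Run the same stream through a frozen and an online-learning baseline."""
    mean, std = train(TRAINING)
    frozen = run(STREAM, mean, std)
    adaptive = run(STREAM, mean, std, alpha=0.1)
    return frozen, adaptive


if __name__ == "__main__":
    frozen, adaptive = compare()
    print("frozen baseline:   first alert at sample", frozen[0],
          "-", len(frozen), "alerts in total")
    print("online baseline:  ", len(adaptive), "alerts in total")
```

The online variant never alerts because each step moves the value by far less than the threshold and the mean follows right behind it, so the distance between the two stays small for the whole run.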