Anomaly Based Network IDS
From: Joe Dauncey (secdistlist_at_dauncey.net)
Date: 06/18/04
- Previous message: NTL World - Chris Standard: "RE: IDS Opinions"
- Next in thread: Drew Simonis: "Re: Anomaly Based Network IDS"
- Maybe reply: Drew Simonis: "Re: Anomaly Based Network IDS"
- Maybe reply: Joshua Berry: "RE: Anomaly Based Network IDS"
- Reply: Mike Lyman: "RE: Anomaly Based Network IDS"
- Maybe reply: Aaron Jordan: "Re: Anomaly Based Network IDS"
- Maybe reply: Shafi, Shahid: "RE: Anomaly Based Network IDS"
- Maybe reply: Drew Copley: "RE: Anomaly Based Network IDS"
- Maybe reply: David J. Meltzer: "RE: Anomaly Based Network IDS"
- Maybe reply: crayola_at_optonline.net: "RE: Anomaly Based Network IDS"
- Maybe reply: Drew Copley: "RE: Anomaly Based Network IDS"
- Maybe reply: Wozny, Scott (US - New York): "RE: Anomaly Based Network IDS"
- Maybe reply: Drew Copley: "RE: Anomaly Based Network IDS"
- Maybe reply: Drew Copley: "RE: Anomaly Based Network IDS"
- Reply: Sasha Romanosky: "RE: Anomaly Based Network IDS"
- Maybe reply: Drew Simonis: "Re: Anomaly Based Network IDS"
- Maybe reply: Drew Copley: "RE: Anomaly Based Network IDS"
- Maybe reply: Bharat Bhushan: "Re: Anomaly Based Network IDS"
- Reply: Thomas Ptacek: "Re: Anomaly Based Network IDS"
- Maybe reply: Bharat Bhushan: "RE: Anomaly Based Network IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Jun 2004 14:09:08 +0100 To: focus-ids@securityfocus.com
Hi,
I am interested in views on anomaly-based Network IDS.
A colleague has proposed that we look at using one, but I am not sure how advanced they are? If indeed any exist?
I know that at least Enterasys Dragon NIDS claims to be anomaly based.
I suppose my definition of anomaly based is that it discovers attacks based on sampling and analysing the network traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to look for.
I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network environment, and could potentially generate a lot of false positives.
I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without knowing about it already - i.e. through a signature.
I know that there have been a few Host-based IDS that make this claim, but I'm looking for something that will look after a network infrastructure, rather than a subset of specific systems.
Any thoughts or comments?
Thanks,
Joe
-- Joe Dauncey
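The approach Joe describes (learn what the network's own traffic normally looks like, then flag departures from that norm without any signature) in miniature, as an added example that is not part of the original post or of any product named in it. It learns, per source host, how many distinct destinations that host contacts per time window, then flags windows that sit far above the host's own baseline, which is the shape a scanning worm produces. All flow records, host addresses and thresholds below are constructed for the illustration.

```python
"""Toy anomaly-based detector over flow records (added example, not from the post).

Baseline: per-host mean and standard deviation of "distinct destinations
contacted per window", learned from the network's own traffic.
Alert:    a window whose fan-out is both several sigma above the host's
          baseline and at least `min_delta` destinations above it.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows(src, window, n_dst):
    """Constructed flow records (window, src, dst): src talks to n_dst hosts."""
    return [(window, src, f"10.0.1.{i}") for i in range(1, n_dst + 1)]


def fanout(flows):
    """Count distinct destinations per (src, window). Windows in which a
    host sent nothing simply do not appear."""
    dsts = defaultdict(set)
    for window, src, dst in flows:
        dsts[(src, window)].add(dst)
    return {key: len(s) for key, s in dsts.items()}


def build_baseline(training_flows, sigma_floor=1.0):
    """Per-host (mean, sigma) of fan-out. sigma is floored so a host whose
    training history is perfectly regular does not get an infinite z-score."""
    per_host = defaultdict(list)
    for (src, _window), count in fanout(training_flows).items():
        per_host[src].append(count)
    return {h: (mean(c), max(pstdev(c), sigma_floor)) for h, c in per_host.items()}


def detect(flows, baseline, z_threshold=3.0, min_delta=5):
    """Return (host, window, fan_out, reason) for anomalous windows.
    Hosts never seen during training are reported separately rather than
    silently passed or silently alarmed."""
    alerts = []
    for (src, window), count in fanout(flows).items():
        if src not in baseline:
            alerts.append((src, window, count, "no baseline"))
            continue
        mu, sigma = baseline[src]
        z = (count - mu) / sigma
        # min_delta stops a host that normally contacts 1-2 peers from
        # alarming when it contacts 4: that is a tiny absolute change.
        if z >= z_threshold and count - mu >= min_delta:
            alerts.append((src, window, count, f"z={z:.1f}"))
    return alerts


# Constructed training traffic: ten windows of ordinary behaviour for two hosts.
TRAINING_FLOWS = []
for w, (a, b) in enumerate(zip([3, 2, 4, 3, 3, 2, 4, 3, 3, 3],
                               [1, 2, 1, 1, 2, 1, 1, 1, 2, 1])):
    TRAINING_FLOWS += make_flows("10.0.0.5", w, a) + make_flows("10.0.0.9", w, b)

# Constructed detection window 10: 10.0.0.5 suddenly fans out to 40 hosts
# (worm-like), 10.0.0.9 drifts slightly, 10.0.0.77 is a host never seen before.
DETECTION_FLOWS = (make_flows("10.0.0.5", 10, 40)
                   + make_flows("10.0.0.9", 10, 4)
                   + make_flows("10.0.0.77", 10, 3))

BASELINE = build_baseline(TRAINING_FLOWS)


if __name__ == "__main__":
    for host, (mu, sigma) in BASELINE.items():
        print(f"baseline {host}: mean={mu:.1f} sigma={sigma:.1f}")
    for alert in detect(DETECTION_FLOWS, BASELINE):
        print("ALERT", alert)
```

Nothing in the code knows what a worm is; it only knows that 10.0.0.5 has never contacted more than four hosts in a window. That is exactly the strength Joe is after and the weakness he anticipates: a legitimate backup sweep or vulnerability scanner from the same host would trip the same rule, and every site needs its own baseline and its own thresholds.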