Re: Anomaly Based Network IDS

From: Drew Simonis (simonis_at_myself.com)
Date: 06/18/04

  • Next message: Runion Mark A FGA DOIM WEBMASTER(ctr): "ssh and ids"
    To: "Joe Dauncey" <secdistlist@dauncey.net>, focus-ids@securityfocus.com
    Date: Fri, 18 Jun 2004 12:35:20 -0500
    
    

    ----- Original Message -----
    From: Joe Dauncey
    Date: Fri, 18 Jun 2004 14:09:08 +0100
    To: focus-ids@securityfocus.com
    Subject: Anomaly Based Network IDS

    > Hi,
    >
    > I am interested in views on anomaly-based Network IDS.
    >
    > ...
    >
    > I suppose my definition of anomaly based is that it discovers attacks based on sampling and analysing
    > the network traffic and identifying anomalies on the norm, rather than relying on a specific external
    > signature to tell it what to look for.
    >
    > I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every
    > network environment, and could potentially generate a lot of false positives.
    >
    > I'm especially interested in anything that would claim to be able to detect a worm attack (and even
    > prevent it) without knowing about it already - i.e. through a signature.
    >

    You'll want to look at a couple of things. First, there are protocol anomaly IDS, such as Symantec
    Manhunt. These detect deviations from published RFCs and report on that. They can detect attacks
    absent a signature, but are prone to false positives. They take some tuning and decently skilled
    analysts.

    Second, (and I think what you seem to want) you'll want to look at profiling systems. My favorite is
    the aptly named "Profiler" by Mazu Networks. It can, as you ask, detect worm activity absent any
    information, and (a set apart feature from the others in this space, IMO) has a dynamic baseline.
    I use it, and I like it.

    -Ds
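The profiling approach described in the reply above (a per-host behavioural baseline that adapts over time and flags a host whose fan-out suddenly jumps above it, with no signature involved), as an added example that is not code from the original post, from Mazu Profiler or from any other product named in the thread. It assumes flow records reduced to (window, src, dst, dport) tuples, uses an EWMA mean/variance as the "dynamic baseline", and runs on constructed sample flows embedded in the block.

```python
"""Added example: a minimal behavioural profiler for worm-like fan-out.

Each source host gets its own baseline of distinct destinations per time
window, the baseline follows normal drift (EWMA), and a window whose
fan-out jumps well above that baseline is flagged.  All data here is
constructed for the example, not real traffic.
"""
import math
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records as (window, src, dst, dport) tuples."""
    flows = []
    # 10.0.0.5: a workstation that talks to three servers in every window.
    for w in range(5):
        for dst in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            flows.append((w, "10.0.0.5", dst, 80))
    # 10.0.0.9: a resolver that legitimately fans out to 15 hosts per window.
    for w in range(5):
        for i in range(15):
            flows.append((w, "10.0.0.9", f"192.0.2.{i + 1}", 53))
    # Window 4: the workstation suddenly sweeps 40 neighbours on TCP/445,
    # the kind of spread a scanning worm produces.
    for i in range(40):
        flows.append((4, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    return flows


def fanout_per_window(flows):
    """Return {window: {src: number of distinct destination hosts}}."""
    peers = defaultdict(lambda: defaultdict(set))
    for window, src, dst, _dport in flows:
        peers[window][src].add(dst)
    return {w: {src: len(d) for src, d in hosts.items()}
            for w, hosts in sorted(peers.items())}


class FanoutProfiler:
    """Per-host EWMA baseline of fan-out; alerts when a window exceeds it."""

    def __init__(self, alpha=0.3, k=3.0, warmup=2, min_gap=5):
        self.alpha = alpha      # how fast the baseline follows new data
        self.k = k              # standard deviations above the mean to alert
        self.warmup = warmup    # windows observed before a host can alert
        self.min_gap = min_gap  # absolute headroom for near-constant hosts
        self.mean, self.var = {}, {}
        self.windows_seen = defaultdict(int)

    def _update(self, src, fanout):
        if src not in self.mean:
            self.mean[src], self.var[src] = float(fanout), 0.0
            return
        delta = fanout - self.mean[src]
        self.mean[src] += self.alpha * delta
        # EWMA variance estimate, so the threshold widens for noisy hosts.
        self.var[src] = (1 - self.alpha) * (self.var[src] + self.alpha * delta * delta)

    def observe(self, window, src, fanout):
        """Feed one window's fan-out for src; return an alert dict or None."""
        if self.windows_seen[src] < self.warmup:
            self.windows_seen[src] += 1
            self._update(src, fanout)
            return None
        mean, var = self.mean[src], self.var[src]
        threshold = mean + max(self.k * math.sqrt(var), self.min_gap)
        if fanout > threshold:
            # Do not fold the anomalous window into the baseline, or the
            # worm's traffic quietly becomes the new normal.
            return {"window": window, "src": src, "fanout": fanout,
                    "baseline": round(mean, 1), "threshold": round(threshold, 1)}
        self._update(src, fanout)
        return None


def run(flows, profiler=None):
    """Replay flows window by window; return the list of alerts raised."""
    profiler = profiler or FanoutProfiler()
    alerts = []
    for window, hosts in fanout_per_window(flows).items():
        for src, fanout in sorted(hosts.items()):
            alert = profiler.observe(window, src, fanout)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(build_sample_flows()):
        print(alert)
```

On the sample data only the workstation's window 4 fires (fan-out 43 against a baseline of 3); the resolver's steady 15 peers never do, because the baseline is per host. Two choices matter for the false-positive and evasion trade-off the thread raises: an alerting window is not folded back into the baseline, so a worm cannot ramp slowly and train itself into the norm, and `min_gap` gives a host with zero observed variance some absolute headroom so that one extra peer does not page anyone. The cost is the warm-up: a host with no baseline yet cannot alert at all.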
