RE: Anomaly Based Network IDS

From: Joshua Berry (jberry_at_PENSON.COM)
Date: 06/18/04

    Date: Fri, 18 Jun 2004 15:03:45 -0500
    To: "Joe Dauncey" <secdistlist@dauncey.net>, <focus-ids@securityfocus.com>
    I think anomaly based engines are good when used in combination with
    other security information such as signature based events. Dragon is
    not anomaly based, it is signature based with the capability of
    detecting some protocol anomalies.

    -----Original Message-----
    From: Joe Dauncey [mailto:secdistlist@dauncey.net]
    Sent: Friday, June 18, 2004 8:09 AM
    To: focus-ids@securityfocus.com
    Subject: Anomaly Based Network IDS

    Hi,

    I am interested in views on anomaly-based Network IDS.

    A colleague has proposed that we look at using one, but I am not sure
    how advanced they are? If indeed any exist?

    I know that at least Enterasys Dragon NIDS claims to be anomaly based.

    I suppose my definition of anomaly based is that it discovers attacks
    based on sampling and analysing the network traffic and identifying
    anomalies on the norm, rather than relying on a specific external
    signature to tell it what to look for.

    I'm thinking that this would really have to be incredibly sophisticated
    as it's going to vary for every network environment, and could
    potentially generate a lot of false positives.

    I'm especially interested in anything that would claim to be able to
    detect a worm attack (and even prevent it) without knowing about it
    already - i.e. through a signature.

    I know that there have been a few Host-based IDS that make this claim,
    but I'm looking for something that will look after a network
    infrastructure, rather than a subset of specific systems.

    Any thoughts or comments?

    Thanks,
    Joe

    -- 
    Joe Dauncey
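An added example, not from either poster and not a description of Dragon's engine: a toy statistical baseline detector in Python over constructed flow records. It illustrates the definition given in the thread (learn what is normal for each host, flag deviations without any external signature) and the false-positive concern raised alongside it. Every host address, flow and window count below is constructed for the illustration.

```python
"""Toy statistical anomaly detector over constructed flow records.

Learns, per source host, the normal number of distinct (destination, port)
pairs contacted per time window, then flags windows whose fan-out deviates
from that baseline by more than a z-score threshold. Every host address,
flow and window count here is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows(window, src, prefix, count, dport):
    """Constructed flows: `src` contacts `count` distinct hosts in `prefix`/24."""
    return [(window, src, f"{prefix}.{i}", dport) for i in range(count)]


def build_training_flows():
    """Five windows of constructed 'normal' traffic: two workstations with a
    handful of web destinations each, one mail relay with a higher steady fan-out."""
    profile = {
        "10.0.0.5": ([3, 4, 5, 4, 3], "192.0.2", 443),
        "10.0.0.9": ([2, 3, 4, 3, 2], "192.0.2", 443),
        "10.0.0.20": ([8, 10, 12, 10, 8], "203.0.113", 25),
    }
    flows = []
    for src, (counts, prefix, dport) in profile.items():
        for window, count in enumerate(counts, start=1):
            flows += make_flows(window, src, prefix, count, dport)
    return flows


TRAINING_FLOWS = build_training_flows()

# Window 6 (constructed): 10.0.0.5 suddenly contacts 40 hosts on 445 (worm-like
# fan-out), 10.0.0.9 is unchanged, the mail relay sends a legitimate bulk
# mailing, and a host with no history appears.
TEST_FLOWS = (
    make_flows(6, "10.0.0.5", "198.51.100", 40, 445)
    + make_flows(6, "10.0.0.9", "192.0.2", 3, 443)
    + make_flows(6, "10.0.0.20", "203.0.113", 30, 25)
    + make_flows(6, "10.0.0.77", "192.0.2", 2, 443)
)


def fanout_per_window(flows):
    """Return {src: {window: number of distinct (dst, dport) pairs}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for window, src, dst, dport in flows:
        seen[src][window].add((dst, dport))
    return {src: {w: len(d) for w, d in wins.items()} for src, wins in seen.items()}


def learn_baseline(training_flows, min_windows=3):
    """Per-host (mean, population stddev) of fan-out over the training windows.
    Hosts with too little history are left out rather than modelled badly."""
    baseline = {}
    for src, wins in fanout_per_window(training_flows).items():
        counts = list(wins.values())
        if len(counts) < min_windows:
            continue
        baseline[src] = (mean(counts), pstdev(counts))
    return baseline


def detect(baseline, flows, z_threshold=3.0, min_sigma=1.0):
    """Return (alerts, unknown_hosts).

    alerts: (src, window, fanout, zscore) for windows above the threshold.
    min_sigma floors the stddev so a host with a perfectly regular history does
    not alert on a one-connection change. Hosts absent from the baseline cannot
    be scored and are reported separately instead of being silently ignored."""
    alerts, unknown = [], []
    for src, wins in fanout_per_window(flows).items():
        if src not in baseline:
            unknown.append(src)
            continue
        mu, sigma = baseline[src]
        sigma = max(sigma, min_sigma)
        for window, count in sorted(wins.items()):
            z = (count - mu) / sigma
            if z > z_threshold:
                alerts.append((src, window, count, round(z, 1)))
    return alerts, unknown


if __name__ == "__main__":
    base = learn_baseline(TRAINING_FLOWS)
    found, new_hosts = detect(base, TEST_FLOWS)
    for src, window, count, z in found:
        print(f"ALERT window={window} src={src} fanout={count} z={z}")
    print("hosts without baseline:", new_hosts)
```

Both the worm-like workstation and the mail relay's bulk mailing exceed the threshold: the second alert is exactly the false positive the original post anticipates, and the only remedies are the operational ones (more training history, per-host thresholds, or an analyst deciding which anomalies matter), which is also why a host with no history is surfaced separately rather than scored against a baseline it does not have.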
