RE: Anomaly Based Network IDS

From: Mike Lyman (mlyman-security_at_comcast.net)
Date: 06/19/04

  • Next message: Wozny, Scott (US - New York): "RE: ssh and ids"

To: <focus-ids@securityfocus.com>
Date: Fri, 18 Jun 2004 17:18:16 -0500


    > I am interested in views on anomaly-based Network IDS.

    I've been out of this area for about a year so I can't talk about specific
    products or how good they are today.

    As one person mentioned, a profiling system could work for you. I've not done
    this with network traffic but have done it with user activity and had it prove
    out pretty quickly in detecting hacking and policy violations.

    Another approach that I'd lump in with anomaly-based IDS is policy-watching
    IDSes. These are useful in controlled networks where you should only be seeing
    specific types of network traffic. These types of IDSes know that and watch for
    things other than what you should be seeing. I've sat through sales presentations
    on at least one product in this area but unfortunately I cannot recall its name
    since it's been about two years now.

    Mike Lyman
    mlyman@west-point.org

