RE: Anomaly Based Network IDS

From: Shafi, Shahid (sshafi_at_qualcomm.com)
Date: 06/19/04

Date: Fri, 18 Jun 2004 23:53:35 -0700
To: "Drew Simonis" <simonis@myself.com>, "Joe Dauncey" <secdistlist@dauncey.net>, <focus-ids@securityfocus.com>

    Hi Drew,

    I am myself evaluating Mazu's profiler. Don't you think they should do
    more when it comes to packet inspection? I mean deep inspection and
    at least alarm if something is not following published RFCs etc.

    Shahid

    -----Original Message-----
    From: Drew Simonis [mailto:simonis@myself.com]
    Sent: Friday, June 18, 2004 10:35 AM
    To: Joe Dauncey; focus-ids@securityfocus.com
    Subject: Re: Anomaly Based Network IDS

    ----- Original Message -----
    From: Joe Dauncey
    Date: Fri, 18 Jun 2004 14:09:08 +0100
    To: focus-ids@securityfocus.com
    Subject: Anomaly Based Network IDS

    > Hi,
    >
    > I am interested in views on anomaly-based Network IDS.
    >
    > ...
    >
    > I suppose my definition of anomaly based is that it discovers attacks
    > based on sampling and analysing the network traffic and identifying
    > anomalies on the norm, rather than relying on a specific external
    > signature to tell it what to look for.
    >
    > I'm thinking that this would really have to be incredibly
    > sophisticated as it's going to vary for every network environment,
    > and could potentially generate a lot of false positives.
    >
    > I'm especially interested in anything that would claim to be able to
    > detect a worm attack (and even prevent it) without knowing about it
    > already - i.e. through a signature.
    >

    You'll want to look at a couple of things. First, there are protocol
    anomaly IDS, such as Symantec Manhunt. These detect deviations from
    published RFCs and report on that. They can detect attacks absent a
    signature, but are prone to false positives. They take some tuning and
    decently skilled analysts.

    Second, (and I think what you seem to want) you'll want to look at
    profiling systems. My favorite is the aptly named "Profiler" by Mazu
    Networks. It can, as you ask, detect worm activity absent any
    information, and (a set apart feature from the others in this space,
    IMO) has a dynamic baseline. I use it, and I like it.

    -Ds
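To make the "dynamic baseline" idea from Drew's reply concrete, here is a small added example (not Mazu's code and not from anyone on the list): a per-host profiler that learns each source's normal fan-out (distinct destinations per time window) with an exponentially weighted moving average and flags a window whose fan-out jumps far above that baseline, which is the classic symptom of a scanning worm and needs no signature. The metric, the EWMA parameters, the noise floor that keeps quiet hosts from alerting on small wobbles, and the IP addresses in `run_demo()` are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass
class Baseline:
    """Dynamic baseline for one host: EWMA of fan-out and of its variance."""
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0


class FanOutProfiler:
    # alpha: how fast the baseline follows new observations (learns drift)
    # k: number of standard deviations above the mean that counts as anomalous
    # warmup: windows to learn before alerting at all
    # floor: minimum std used in the threshold, so a host that always talks to
    #        two peers does not alert the first time it talks to four
    def __init__(self, alpha=0.2, k=3.0, warmup=5, floor=2.0):
        self.alpha, self.k, self.warmup, self.floor = alpha, k, warmup, floor
        self.baselines = defaultdict(Baseline)

    def observe_window(self, flows):
        """flows: iterable of (src, dst) pairs seen in one time window.
        Returns a list of (src, fanout, threshold) alerts for that window."""
        fanout = defaultdict(set)
        for src, dst in flows:
            fanout[src].add(dst)
        alerts = []
        for src, dsts in fanout.items():
            b, x = self.baselines[src], float(len(dsts))
            if b.samples >= self.warmup:
                threshold = b.mean + self.k * max(math.sqrt(b.var), self.floor)
                if x > threshold:
                    alerts.append((src, int(x), round(threshold, 2)))
                    continue  # an anomalous window must not poison the baseline
            if b.samples == 0:
                b.mean = x  # first observation seeds the baseline
            else:
                d = x - b.mean
                b.mean += self.alpha * d
                b.var = (1 - self.alpha) * (b.var + self.alpha * d * d)
            b.samples += 1
        return alerts


def make_flows(src, n, window):
    return [(src, f"10.1.{window}.{i}") for i in range(n)]  # constructed dsts


def run_demo():
    """Host .5 behaves normally for six windows, then fans out to 40 hosts;
    host .9 is a quiet host with one modest bump that should NOT alert."""
    p, results = FanOutProfiler(), []
    a_sizes, b_sizes = [3, 4, 3, 5, 4, 3, 40], [2, 2, 2, 2, 2, 6, 2]
    for w, (na, nb) in enumerate(zip(a_sizes, b_sizes)):
        flows = make_flows("10.0.0.5", na, w) + make_flows("10.0.0.9", nb, w)
        results.append(p.observe_window(flows))
    return results  # only the last window carries an alert, for 10.0.0.5
```

Real deployments replace the per-window fan-out with whatever the profiler baselines (bytes, ports, peers) and tune `k` and `floor` per network, which is exactly where the false-positive work Drew mentions goes.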

