Re: Anomaly Based Network IDS

From: Drew Simonis (
Date: 06/24/04

  • Next message: Martin Roesch: "Re: ssh and ids"
    Date: Thu, 24 Jun 2004 07:43:22 -0500

    > Barry Fitzgerald wrote:
    > I'm going to go out on a limb and state that it's far less
    > likely that a real 0-day will ever generate significantly
    > abundant anomalies in the network traffic, in particular
    > if it's designed well and if the attacker is careful about
    > how they carry out their attack.

    I wonder why volume of anomalies is a point of consideration
    here. As I have stated, I am a user of Mazu Network's Profiler
    product (and have been since early December). This product
    features the ability to compare network traffic against an
    evolving baseline, which would allow me to, for example, instantly
    detect traffic to a port on a machine that wasn't there before.

    The implications are (to me, anyway) obvious. In my experience,
    an exploited machine usually begins listening on a new port. For
    example, if I exploit a webserver, I may have a listener on a
    high port so that I may connect in and do my thing. It isn't
    likely that I'd use 80/tcp as my listener, as that would make
    detection trivial (i.e. my webserver isn't serving!).

    As soon as a connection to this listener is made, I get an alert.
    If a host starts communicating with other hosts that it traditionally
    doesn't, I can get an alert. If a server stops receiving traffic on
    a port, or traffic falls below a threshold, I can get an alert.

    The point is, while the initial attack vector may not generate
    alertable activity, in most cases the utilization of the attacked
    host would, and that is the value I see.
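As an added illustration (not from the post, and not Mazu's product) of the three baseline comparisons Drew describes, here is a small Python profiler run over constructed flow summaries: new listening port on a host, host talking to a peer it never talked to, and inbound volume on a port collapsing below a fraction of its baseline. All hosts, ports and byte counts are made up.

```python
"""Baseline-vs-current flow comparison. Each flow is (src, dst, dst_port, bytes)."""
from collections import defaultdict

def build_profile(flows):
    """Aggregate flows into per-host listening ports, per-host peer sets and (dst, port) byte totals."""
    ports = defaultdict(set)    # dst host -> ports seen receiving traffic
    peers = defaultdict(set)    # src host -> dst hosts it talked to
    volume = defaultdict(int)   # (dst, port) -> total inbound bytes
    for src, dst, port, nbytes in flows:
        ports[dst].add(port)
        peers[src].add(dst)
        volume[(dst, port)] += nbytes
    return ports, peers, volume

def compare(baseline, current, drop_ratio=0.1):
    """Return alert tuples for deviations of the current window from the baseline window.

    The baseline window is assumed clean: anything present in it is treated as normal,
    so a legitimate deployment in the current window alerts exactly like an intrusion.
    """
    b_ports, b_peers, b_vol = build_profile(baseline)
    c_ports, c_peers, c_vol = build_profile(current)
    alerts = []
    for host, pset in c_ports.items():              # a port that was not there before
        for port in sorted(pset - b_ports.get(host, set())):
            alerts.append(("new_port", host, port))
    for host, pset in c_peers.items():              # a host talking to someone new
        for peer in sorted(pset - b_peers.get(host, set())):
            alerts.append(("new_peer", host, peer))
    for (dst, port), base_bytes in b_vol.items():   # traffic stopped or fell under threshold
        if c_vol.get((dst, port), 0) < base_bytes * drop_ratio:
            alerts.append(("volume_drop", dst, port))
    return alerts

# Constructed sample data: two clients use a web server, which talks to a database.
BASELINE = [
    ("10.0.0.5", "10.0.1.10", 80, 50000),
    ("10.0.0.6", "10.0.1.10", 80, 40000),
    ("10.0.1.10", "10.0.1.20", 3306, 20000),
]
CURRENT = [
    ("10.0.0.5", "10.0.1.10", 80, 45000),
    ("192.0.2.99", "10.0.1.10", 4444, 1200),  # connection to a listener that did not exist before
    ("10.0.1.10", "10.0.1.30", 22, 800),      # web server reaching a host it never talked to
    ("10.0.1.10", "10.0.1.20", 3306, 500),    # database traffic collapsed
]

if __name__ == "__main__":
    for alert in compare(BASELINE, CURRENT):
        print(alert)
```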



