RE: Network Behaviour Anomoly Detection
From: Michael Cunningham (crayola_at_optonline.net)
Date: 06/24/04
- Previous message: Martin Roesch: "Re: ssh and ids"
- Next in thread: Martin Roesch: "Re: [Snort-users] RE: Network Behaviour Anomoly Detection"
- Reply: Martin Roesch: "Re: [Snort-users] RE: Network Behaviour Anomoly Detection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jun 2004 23:31:26 -0400
To: 'Jon Baer' <security@jonbaer.net>, focus-ids@securityfocus.com, snort-users@lists.sourceforge.net
> SPADE would be one example...
> Ntop could be used for this...
Spade + Snort is good for looking for anomalous port scans that have been
randomized.. etc.
Unfortunately it's not what I am looking for.. ntop can help track
connections/ports but not provide the AI necessary to spot anomalies in
network behaviour over time.
I am really looking for something like Arbor Networks Peakflow X or
Q1 Labs Qradar products, both of which are pretty pricey in these tight
budget times.
They are designed to look at network connections between systems,
what ports are used, how much traffic moves between systems, when all this
occurs, etc.. Essentially they build up a profile of normal activity on your
network over time.. and then if something weird starts happening like a
database starts talking to a system it never spoke to before, or a desktop
starts making connections to hundreds of production systems.. it alerts you
that something might be wrong. It's sorta like Sourcefire's RNA product but
much more focused on the anomaly AI part of looking at the information and
much less focused on using network intelligence to correlate with IDS
events.
Anyone interested in starting up an opensource project to build something
like this?
I think it is the perfect complement to a signature based IDS system. It can
detect traffic that looks normal to an IDS system but may actually be
malicious..
Example: a developer runs SQL queries against your main production database
at 3am to steal all the credit cards from it and resell on the Internet.
An IDS system wouldn't normally say anything about this since it isn't a
defined signature event. But a Network Behaviour Anomaly detection system
would alert indicating that it is not normal for that developer workstation
to be making a connection to a production Oracle server from their desktop
at 3am and retrieving such a large amount of data.
Thanks,
Mike
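The profiling-and-deviation idea Mike sketches above (learn which hosts talk to which, on what ports, at what hours and in what volumes, then alert on a never-before-seen peer, an off-hours connection, an oversized transfer, or a desktop fanning out to many systems), as an added illustration that is not part of the original post or of any product it names. Flow records, host names and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (hour_of_day, src, dst, dst_port, bytes).
# Hosts and byte counts are hypothetical, chosen to mirror the post's scenarios.
BASELINE = [
    (9, "dev-ws-01", "app-srv-01", 443, 20_000),
    (10, "dev-ws-01", "app-srv-01", 443, 35_000),
    (14, "dev-ws-01", "git-srv-01", 22, 120_000),
    (16, "dev-ws-01", "app-srv-01", 443, 28_000),
    (11, "app-srv-01", "oracle-db-01", 1521, 800_000),
    (15, "app-srv-01", "oracle-db-01", 1521, 950_000),
]

def build_profile(flows):
    """Learn 'normal' per source: its peers, the hours it is active, its largest flow."""
    peers = defaultdict(set)   # src -> {(dst, dport)}
    hours = defaultdict(set)   # src -> {hour_of_day}
    peak = defaultdict(int)    # src -> biggest single flow observed
    for hour, src, dst, dport, nbytes in flows:
        peers[src].add((dst, dport))
        hours[src].add(hour)
        peak[src] = max(peak[src], nbytes)
    return {"peers": dict(peers), "hours": dict(hours), "peak": dict(peak)}

def score_flows(profile, flows, fanout_limit=50, volume_factor=3):
    """Return one list of deviation reasons per flow; an empty list means it looked normal."""
    new_dsts = defaultdict(set)  # distinct never-seen destinations per source in this batch
    for _, src, dst, dport, _ in flows:
        if (dst, dport) not in profile["peers"].get(src, set()):
            new_dsts[src].add(dst)
    results = []
    for hour, src, dst, dport, nbytes in flows:
        if src not in profile["peers"]:
            results.append(["unknown-source"])  # nothing to compare against
            continue
        reasons = []
        if (dst, dport) not in profile["peers"][src]:
            reasons.append("new-peer")        # database/desktop talking to a new system
        if hour not in profile["hours"][src]:
            reasons.append("off-hours")       # the 3am connection
        if nbytes > volume_factor * profile["peak"][src]:
            reasons.append("volume")          # "such a large amount of data"
        if len(new_dsts[src]) >= fanout_limit:
            reasons.append("fan-out")         # desktop reaching hundreds of systems
        results.append(reasons)
    return results

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    suspect = [(3, "dev-ws-01", "oracle-db-01", 1521, 50_000_000)]
    print(score_flows(profile, suspect))  # the developer-at-3am scenario from the post
```

A real deployment would learn the baseline from weeks of flow data and use per-pair statistics rather than a single peak, but the alert logic is the same.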